Tips for Streamlining RFP process : Benefit from Quick Incident Investigation

What do you think of the idea of engaging empaneled forensics or incident investigation vendors immediately after a cyber security incident? It is a well-known fact in the industry that the process of hiring a consultant to perform cyber forensic investigation takes lot of time, sometimes as much as 45 days or even more. The time span from issuing Request For Proposal(RFP) to finalizing a vendor often makes it difficult for the vendor to do justice in the investigation process, as there is not much relevance to the investigation due to the possible data corruption which would have already occurred by then on the client systems. Lack of expertise among bank personnel and engaging their in-house IT team to handle the investigation till a vendor is hired could result in serious consequences. Physical damages of systems, contamination of electronic evidences, non-identification of the root-cause of the problem and vulnerabilities of the system makes it prone to attacks again through the same modus operandi. As the industry grapples with this challenge, it would be worthwhile to evolve a process to visualize threats before-hand, empanel vendors and engage them immediately when an incident occurs through the Request for Quotation (RFQ) process. The RFQ process is simpler and can help to get quick responses from the empaneled vendors thereby cutting down the time frame to react to an incident. When an incident occurs, the RFQ process should be initiated with the empanelled vendors only. The scope of work or incident type should be clearly defined, along with the desired response and the time frame in which it should be achieved and the typical skillsets required from the investigator. Empaneled vendors should be selected on the basis of responses to the above-mentioned criterion and RQF bids.

This approach requires identification of solutions and tools, typically expected to be used by the vendors, in case of an incident. Adopting a proactive strategy can help you plan damage-control effectively and minimize monetary and reputation losses. RFPs should not contain critical IT infrastructural or security information. If it is absolutely necessary to define the scope of the job, it should only be shared with potential vendors and trustworthy technology partners who have signed Non-Disclosure Agreements (NDAs) & have been vetted against minimum eligibility criteria to bid.

RFP should be generic in nature. A minimum eligibility criteria for vendors to bid in the process could be used. The evaluation process should identify vendors based on their domain expertise, skills and capabilities of their technical resources, HR process for background and criminal verifications, tools (commercial / open source) used, licensing strategy for the same, their response TAT, industry standard practices followed by them and most importantly the quality of their forensics investigation labs.

Having a world class forensics lab with access to state of the art tools and software solutions, adequate physical segregation of work areas, proper labelling and storage of the evidences, data retention & disposal strategies are important aspects of the evaluation exercise.

In addition to tools and solutions, the scope of work and timelines should be defined clearly in the RFP. The priorities should be defined by internal experts who are well- versed with the severity of the incident. An empaneled vendor who is selected for an investigation process should be able to start the investigation within four hours in case the incident’s severity is critical, eight hours in case the incident’s severity is medium and forty eight hours in case the incident’s severity is low. Such swift response to critical incident or incidents will definitely help in speedy resolution, strengthen the infrastructural weakness or other vulnerabilities identified in root-cause analysis, produce documentary evidence and authenticated proofs against the cyber-criminals in law enforcement agencies. Banks will also be well-prepared to handle similar threats in the future. It is a sure way to restore customer confidence in the most threatening business critical situations.

What are your organisation’s best practices in this area? What are the changes required in the banking industry for this process? Share your views at communications@rebit.org.in