Hello and welcome to this session in which we will discuss the US cybersecurity framework that was developed by NIST, the National Institute of Standards and Technology. Specifically, we're going to be discussing one of the five core functions of the framework, and of those five core functions we're going to be focusing on one only, and that's respond. In the prior session, we looked at the identify, protect, and detect functions. In this session, we will look at the respond function and under the response function, we're going to have one, two, three, four, five categories and we're going to look at the subcategories of these categories. And what we have to know is in the prior session, we looked at the identify, this is the function and these are the categories. We look at the protect function and categories, detect function and categories. In this session, we would look at respond.

So overall, what is the respond function? From the word respond is how are we dealing? How do we deal with cybersecurity incidents once they have been detected? So notice the respond function comes after the detect function. So you're not going to respond to something until you detect that something. Once you detect it, you would respond. What would it include? It would include what action do you take? Do you have any action plan? How do you communicate the cybersecurity to the stakeholders, to the people involved? How do you mitigate this incident and minimize its impact? And most importantly, what did you learn from this? And how are you going to update your plan for future, for future attack? Because in every attack, you're going to have to learn and improve the process.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat accounting lectures is a supplemental educational tool that's going to help you with your CPA exam preparation, as well as your accounting courses.
My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true false questions, as well as exercises. Go ahead, start your free trial today. No obligation, no credit card required.

So the first category under the respond function is respond planning. And what is respond planning? What to do after you detect the incident? The respond planning category focuses on developing and implementing an incident response. And we just mentioned to address and detect cybersecurity effectively. Simply put, under the respond planning, do you have policies and procedures? Do you know what needs to be done in case of an incident? This is what respond planning. Are you planning? Are you preparing yourself for that to happen? And if so, how are you planning? Do you have a plan to respond? That's the first thing you have to have. So the subcategory will be response plan is developed and executed during or after an incident. You are ready. You know what's going to happen when what happens, you are ready to follow instruction. Not instruction, you know what to do. Ensuring that the organizational preparedness for dealing with the cybersecurity event. This is what response planning. It's a, it's a category under respond.

Communicating. Well, who do you talk to? Whether they are internally or externally, do you know who do you need to talk to? This includes coordination with internal and external stakeholders, employees, customers, partners, law enforcement, and other relevant organization. So some subcategories under communication is personnel know the roles and order of operation when response is needed. Do you know who should you talk to and who should be talking to who? Do you have this policy in place?
Two, events are reported consistently as required by law, regulation, or organizational policy. You have clear instruction on who needs to be informed under what circumstances, whether that's required by law, regulation, or the company itself. Three, information is shared among appropriate stakeholders. You're sharing the information to make sure everyone is aware of the situational, of the attack, of the situational awareness. Four, you need to coordinate with stakeholders, including public relation management and legal counsel involvement if needed, if you need to get a lawyer involved. So we know what we need to discuss, what we cannot discuss, and public relation management to let our customers, vendors, our image is affected. How do we deal with this? This is in the communication part of the cyber attack.

Analysis. That's important. We need to take a closer look of what happened. Why? And how did we respond to that incident? Because it could happen again. The analysis focuses on understanding the cybersecurity incident, its impact, what is its impact on us, and identify appropriate mitigation strategies. What can be done if we are not aware of it? Now we're aware of it. It includes investigating the incident, of course, determining its scope. What is it? What is it affecting and the potential consequences? What are the consequences from this incident and identifying, the most important, the root causes? Why? Because you want to learn so it doesn't happen again. You want to close the vulnerability.

Some subcategories will be notification from detection system are investigated. Did they tell us enough that, remember, we have a detect function before response? Did the detect function help us, help us, help us detect this incident early on? The impact of the incident, do we understand the impact of it and its scope and the scope of it? What is it affecting? Do we understand what areas it's affecting about our business? Forensics analysis again, to do what?
To determine the incident root cause. That's the most important, and preserve evidence, because evidence that's going to help you in future attack. Incident response activities are reviewed, now when you're reviewing, and changes are made to the organization processes as necessary. Now you know what happened. You know what we have. Now what do we need to do? Review and make changes as appropriate to avoid or mitigate the second, the next attack. Recovery plans are updated based on the lessons learned of the incident. Of course, that's always a good idea. You learn, you learn from your analysis, update your plan, whether you need to update the identify, the protect, the detect function, you need to upgrade everything. You go ahead and do that based on the analysis.

Mitigation. Well, what are you doing to mitigate, to minimize the impact of the, of the situation? This category focuses on containing and minimizing the impact of the cybersecurity incident. What does it involve? Well, take an action to prevent the expansion of an incident. Limit the incident. That's it. Stop it. Don't let it spread anymore. Mitigate its effect and resolve the incident in a controlled manner, whatever that controlled manner means. Here, incidents are contained and eradicated promptly, this is the subcategories, to minimize their impact. Two, newly identified vulnerabilities, because now you learn, if you're mitigating something, you know, you know, if the water is leaking, you know where the leak is coming from. And you need to document, document this as an, as accepted risk, or you need to deal with that risk, mitigated somehow. The organization response to incident is improved by applying lessons learned from past transaction and using the knowledge to update response strategies. In the mitigation process, that's important. This is what you are acting to stop, minimize, learn and update your whole strategy.

And most importantly, and the response is improvement.
And from the word improvement is what, it's using the lessons that you learned from this incident to do what? When you learn, you improve. Okay, so there's a saying, you don't lose anything if you learn from it. Okay, so every time you learn from a lesson, it's not really a loss, not losing. It's not a loss if you learn from something because you gain something, that additional knowledge. So the improvement category focuses on using lessons learned. I know we were under a cybersecurity attack. That's fine. But I would rather be under the cybersecurity attack now, rather than in the future, maybe in the future, my company is bigger, the impact will be higher. So I want to learn from it now, what lessons that I learned and response activities that I implemented, and update those response activities needed for the organization. This includes continuous updating response plan, processes, strategies based on the experience and evolving threats.

Subcategories, to be more specific: response planning, our plans are updated and maintained to incorporate lessons learned. Basically, this is the summary of what we just said. Response processes are continuously improved through feedback loop incorporating lessons learned and best practices. And three, efforts are made to share information about the incidents, threats and vulnerabilities with relevant stakeholders, employees, vendors, cybersecurity team, IT, so on and so forth, contributing to collective social cybersecurity, not social security, cybersecurity knowledge and defense and fostering a collaborative defense approach. What am I doing to learn from these events? Share this information with everyone in the company so we can all coordinate a response.

Once again, what we just did in this session is cover the response, respond function. So what we have left is the last function, is the recover function, and under the recover function, we have three categories and would look at their subcategories. What should you do now?
Go to Farhat Lectures and look at additional resources, MCQs that's going to help you understand this concept. Whether you are a CPA, CMA, accounting student studying for some sort of a professional certification, answering multiple choice questions will help reinforce the topic that you just learned. Invest in yourself, invest in your career and stay safe.