Lost or Stolen Laptop Response Playbook

Preparation

Note: Preparation steps should primarily be completed prior to an event or incident.

1. Determine the members of the Cybersecurity Incident Response Team (CSIRT).
   1. The core CSIRT members should be comprised of individuals responsible for cybersecurity only.
      1. This may include some members of Information Technology roles, depending on the organization size.
      2. The limited size of the core CSIRT is to assist with confidentiality and efficiency.
      3. The core CSIRT may be activated often to investigate security events that may or may not result in an incident.
   2. Assign roles and responsibilities to each member.
2. Determine extended CSIRT members.
   1. This will often be Legal, Compliance, Public Relations, and Executive Leadership.
3. Define escalation paths.
   1. Incidents may start as events, or as a lower impact/severity and then increase as more information is gathered. Establishing an escalation path is critical to success.
4. Determine controls for lost or stolen devices.
   1. Remote wipe capabilities.
   2. At-rest encryption.
   3. Multi-Factor Authentication.

Identification

1. Identify the nature of the device that has been lost or stolen.
   1. Laptop?
   2. Phone?
   3. Tablet?
   4. Other device such as desktop, server, other equipment, etc.
2. Assess the criticality of data or accounts that may be present on the device.
3. Interview the user to understand the conditions around the lost or stolen device.
   1. Was it misplaced?
   2. Can you confirm that it was stolen?
   3. Was the device logged in and active to any accounts?
4. Contact local authorities to report the loss.
   1. Clear this process with legal counsel first.

Containment and Eradication

1. Disable or reset the password for any accounts that may be accessed via the lost or stolen device.
2. Perform remote wipe capabilities to eradicate any sensitive data on the lost or stolen device.
3. If the device is a laptop or other computer:
   1. Disable any active directory accounts for the device.
   2. Create alerts for any time the device contacts the network.
   3. Disable any remote access associated with the device.
      1. i.e. VPN accounts and certificates, Microsoft InTune, Exchange ActiveSync, JAMF, etc.
   4. Remind user to disable or reset the password for any personal accounts in use on the device.
4. If the device is a phone, tablet, or other mobile device:
   1. Disable active directory accounts for the device if applicable.
   2. Disable any remote access associated with the device.
      1. i.e. VPN accounts and certificates, Microsoft InTune, Exchange ActiveSync, JAMF, etc.
   3. Create alerts for any time the device attempts to check-in or contact the network.
   4. Contact the cellular provider to notify them that the device has been lost or stolen and any associated hardware addresses should be blocked from access.
   5. Remind user to disable or reset the password for any personal accounts in use on the device.

Recovery

1. Restore user work functionality with a trusted device.
2. Create alerts for any abnormal activity from the user accounts involved.

Lessons Learned

1. Conduct a meeting after the incident to discuss the following:
   1. What things went well during the investigation?
   2. What things did not go well during the investigation?
   3. What vulnerabilities or gaps in the organization’s security status were identified?
      1. How will these be remediated?
   4. What further steps or actions would have been helpful in preventing the incident?
   5. Do modifications need to be made to any of the following:
      1. Remote management capabilities
      2. Application security
      3. Employee, IT, or CSIRT training
      4. Encryption capabilities
      5. Access rights to sensitive information
2. Create and distribute an incident report to relevant parties.
   1. A primary, and more technical, report should be completed for the CSIRT.
   2. An executive summary should be completed and presented to the management team.