Incident Response Policy
Executive Summary
Computer security incidents are any actions that are unlawful, unauthorized, or unacceptable by
company policy and/or standards that involve a computer system or a computer network. These
actions include but are not limited to theft of trade secrets, email spam or harassment,
unauthorized and/or unlawful intrusions into computing systems, embezzlement, possession or
dissemination of pornography, denial-of-service (DoS) attacks, interference with or impedance
of electronic business activities, extortion, or any other action deemed unlawful by city, state, or
federal governments when the action was carried out using GENERIC INC.'s electronic
resources or evidence of the unlawful action is stored on GENERIC INC.'s computing systems.
Purpose
The goal of this policy is to create a set of standards that should be followed whenever a computer
incident occurs. These actions should minimize the impact to GENERIC INC. and its daily
operations while also considering the requirements of law enforcement agencies when incidents
that are criminal in nature have occurred. More specifically, this policy aims to:
- provide rapid detection and containment of incidents;
- confirm whether an incident has occurred;
- prevent a disjointed response;
- promote the collection of accurate information;
- establish proper evidence collection and handling procedures;
- protect the privacy rights of patients, employees, and business partners as required by law and
  GENERIC INC. policy;
- minimize disruption to business and network operations;
- allow for criminal or civil action to be taken against perpetrators;
- provide accurate reports and useful recommendations;
- minimize exposure of proprietary data;
- protect GENERIC INC.'s reputation and assets;
- educate senior management on the incident handling process; and
- promote rapid detection and/or prevention of future incidents.
Regulation Reference
Federal Rules of Evidence
Related Documents
NIST 800-61: Computer Security Incident Handling Guide
Pre-Incident Preparation
Incident response is a reactive process, but several proactive steps can be taken to reduce the
number of incidents that occur and to educate users on how to recognize and properly report
incidents.
Prepare GENERIC INC.
- Implement host-based security measures such as anti-virus programs and firewalls.
- Implement network-based security measures such as firewalls and Intrusion Detection
  Systems.
- Educate all users on GENERIC INC.'s Information Security policies so they are aware of
  what actions are appropriate under the Acceptable Use Policy.
- Implement a strong access control system.
- Perform routine security audits and penetration tests on all GENERIC INC. systems.
- Perform data backups on a regular basis as outlined in the Backup Policy. This will allow
  for a quick recovery from incidents that seek to manipulate or destroy data stored on
  GENERIC INC.'s systems. Backups may also contain evidence of the incident that has
  been removed from the active system, whether through standard operating procedure or
  an attempt to conceal an incident.
Prepare the CSIRT
- Obtain all hardware and software needed to investigate an incident and keep it stored in a
  secure location.
- Maintain a series of forms and report templates that will be used to document incidents,
  the procedures used to investigate the incident, and the subsequent findings.
- Select a group of employees to serve on the CSIRT. The CSIRT should contain experts
  from all technical areas supported by GENERIC INC. (network, telecommunications,
  desktop support, server administration, etc.) so the team is prepared to respond to any
  computer incident. Members of the CSIRT will only need to respond to incidents that
  pertain to their body of knowledge. However, one member of the CSIRT shall be
  designated as the lead investigator and will be responsible for organizing and managing
  the CSIRT whenever an incident occurs. All members of the CSIRT shall receive
  periodic training on how to properly respond to an incident.
Detection of Incidents
- All users are responsible for reporting incidents and violations of policy using the
  appropriate reporting procedures. Failure to report an incident will lead to disciplinary
  action against the user(s) who witnessed or detected the incident.
- Internal incidents shall be reported by contacting the Help Desk or the Chief Information
  Security Officer (CISO). For all incidents reported to the Help Desk, the technician
  receiving the call shall gather information on the nature of the incident as detailed in the
  Incident Notification form and immediately notify the CISO of the incident. The Help
  Desk technician shall not discuss the incident with anyone else unless instructed to do so
  by the CISO.
- Incident reports originating from sources outside GENERIC INC. shall be taken seriously
  and investigated for validity. Discoveries from the resulting investigation shall be
  handled using the established policies.
- For incidents reported to GENERIC INC. by a law enforcement agency, the CISO shall
  notify management before proceeding with the investigation. The CISO or lead
  investigator will be responsible for keeping management abreast of all updates in the
  investigation. Management shall be responsible for interfacing with law enforcement.
Initial Response
Before starting an investigation, the CSIRT needs to verify that an incident has actually occurred.
The following actions shall be taken by the CSIRT to provide them with enough information to
make this decision.
- Review the Incident Notification form filled out by the Help Desk technician or the
  CISO. The incident reporter should be contacted if further information or clarification is
  needed.
- Review relevant system logs to identify data that would support the belief that an incident
  has occurred.
- Interview GENERIC INC. personnel (non-IT) who may be able to provide context for
  the incident.
Note that not all steps may be required for certain types of incidents. Discretion should always be
used when acquiring system logs and questioning employees who are not aware of the incident.
At the end of this phase, the CSIRT should know whether or not an incident occurred and, if so,
what type of incident occurred, which systems are affected, and the potential impact to
GENERIC INC. The investigation shall not proceed until all of the previous questions can be
answered by the CSIRT.
Formulate Response Strategy
Before determining a response strategy, all political, technical, legal, and business factors
surrounding an incident shall be examined to determine the best course of action. The following
questions shall be used as a guideline by the CSIRT for determining the course of action that is
best suited to the incident and that is within GENERIC INC.'s response posture.
- How critical are the affected systems?
- How sensitive is the compromised or stolen information?
- Who are the potential perpetrators?
- Is the incident known to the public?
- What is the level of unauthorized access attained by the attacker?
- What is the apparent skill of the attacker?
- How much system and user downtime is involved? Is there an impact to operations?
- What is the overall dollar loss?
- What impact would public disclosure of the incident have on GENERIC INC. and its
  reputation?
For any incident that is potentially actionable, refer to the Litigation Hold Policy and consult the
legal team to determine if further steps need to be taken.
Investigate the Incident
Data Collection
- Electronic data must be collected in a forensically sound manner. Whenever possible, a
  forensics toolkit such as EnCase or FTK must be used. For evidence that is not collected
  via a forensics toolkit, the investigator(s) must take detailed notes of how the data was
  collected.
- MD5 sums shall be taken of all collected data immediately following evidence
  acquisition.
- All electronic evidence must be copied to removable storage and placed in a locked
  evidence cabinet or safe to which only the CISO and the lead member of the CSIRT have
  access. Every piece of evidence will have an accompanying evidence tag and Chain of
  Custody form.
- For incidents requiring non-electronic evidence (e.g., personnel files and interviews with
  employees and/or witnesses), all information gathered must be immediately documented
  and stored in a confidential location. Personal employee data learned through these
  inquiries by an investigator shall not be shared with anyone outside of the CSIRT.
Forensic Analysis
- Before analyzing any evidence, the CSIRT shall make a forensic copy of the evidence.
  Bit-by-bit forensic duplication should be performed whenever identical hardware can be
  obtained. Otherwise, a qualified forensic duplicate must be made of the hardware.
  Following duplication, the original evidence shall be returned to the evidence cabinet. All
  forensic analysis will be performed on the duplicate.
- During the analysis process, the investigator(s) shall take step-by-step notes of all actions
  that were taken to collect the data. These notes shall be detailed and clearly written such
  that they could be understood and repeated by a third-party investigator.
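The following Python script is an added worked example; it is not part of this policy and not code from any toolkit the policy names (EnCase, FTK). It ties together the Data Collection steps (hash every item immediately after acquisition, assign an evidence tag, open a Chain of Custody record) and the Forensic Analysis step of checking that a duplicate matches the original before analysis begins. It records the MD5 sum the policy requires and, because MD5 collisions are practical today, a SHA-256 digest alongside it, so the duplicate is verified against a collision-resistant hash as well. The case identifier, evidence tag format, role names, custody actions and the sample evidence image are all constructed; every function name is hypothetical.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read evidence in 1 MiB chunks so large images never sit in memory whole


def hash_file(path):
    """Return (md5, sha256) hex digests of one file, computed in a single pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_evidence(paths, case_id, collector):
    """Hash each collected item immediately after acquisition and open its
    chain-of-custody record. The evidence tag format (CASE-Ennn) is an assumption."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    items = []
    for n, path in enumerate(paths, start=1):
        md5, sha256 = hash_file(path)
        items.append({
            "evidence_tag": f"{case_id}-E{n:03d}",
            "source": os.path.basename(path),
            "size_bytes": os.path.getsize(path),
            "md5": md5,
            "sha256": sha256,
            "custody": [{"action": "acquired", "by": collector, "at": now}],
        })
    return {"case_id": case_id, "items": items}


def record_custody(manifest, evidence_tag, action, who):
    """Append one custody event (e.g. placed in the evidence cabinet) to an item."""
    for item in manifest["items"]:
        if item["evidence_tag"] == evidence_tag:
            item["custody"].append({
                "action": action,
                "by": who,
                "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            })
            return item
    raise KeyError(f"unknown evidence tag {evidence_tag}")


def verify_duplicate(item, duplicate_path):
    """Re-hash a forensic duplicate and compare it with the values recorded at
    acquisition. Returns (all_ok, per-check results) so a mismatch is explainable."""
    md5, sha256 = hash_file(duplicate_path)
    checks = {
        "size": os.path.getsize(duplicate_path) == item["size_bytes"],
        "md5": md5 == item["md5"],
        "sha256": sha256 == item["sha256"],
    }
    return all(checks.values()), checks


def demo():
    """Constructed walk-through: one evidence image, one faithful duplicate and one
    duplicate with a single flipped bit. Returns (good_ok, bad_ok, bad_checks, manifest)."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "workstation-disk0.img")
        with open(original, "wb") as fh:
            fh.write(b"CONSTRUCTED EVIDENCE IMAGE\n" * 4096)  # constructed sample data

        manifest = acquire_evidence([original], "CASE-0001", "lead investigator")
        tag = manifest["items"][0]["evidence_tag"]
        record_custody(manifest, tag, "placed in evidence cabinet", "CISO")

        good_copy = os.path.join(workdir, "disk0-duplicate.img")
        shutil.copyfile(original, good_copy)  # stands in for a bit-by-bit duplication

        bad_copy = os.path.join(workdir, "disk0-bad-duplicate.img")
        with open(original, "rb") as fh:
            data = bytearray(fh.read())
        data[1000] ^= 0x01  # one flipped bit: same size, different content
        with open(bad_copy, "wb") as fh:
            fh.write(data)

        good_ok, _ = verify_duplicate(manifest["items"][0], good_copy)
        bad_ok, bad_checks = verify_duplicate(manifest["items"][0], bad_copy)

        with open(os.path.join(workdir, "chain-of-custody.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)  # the record that travels with the evidence
        return good_ok, bad_ok, bad_checks, manifest


if __name__ == "__main__":
    good_ok, bad_ok, bad_checks, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("faithful duplicate verified:", good_ok)
    print("tampered duplicate verified:", bad_ok, bad_checks)
```

The per-check result from verify_duplicate is what an investigator would copy into the step-by-step notes: a size match with a hash mismatch, as in the tampered copy above, tells a third-party reviewer exactly which control failed rather than only that verification did.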
Reporting
Incident reports should accurately describe the details of an event and should be written in
language that is understandable to readers without a technical background.
- All reports shall be written using the existing template for the incident type.
- All investigative steps and conclusions shall be documented as they occur.
- Reports shall be written concisely and clearly.
- All incident reports shall be reviewed by the CISO, and by management for incidents
  involving law enforcement, before the investigation is considered completed.
- All reports and evidence pertaining to an incident shall be retained for a period of at least
  10 years.
Resolution
- The CSIRT shall work with the appropriate members of IT to restore any systems
  affected or compromised by the incident.
- The CSIRT will determine if there are underlying causes of the incident that need to be
  addressed. The CSIRT lead investigator shall work with the CISO and management to
  address what actions need to be taken to prevent future incidents of the same nature. The
  lead investigator will be responsible for verifying that the necessary actions have been
  completed.
- As computer security incidents evolve, the CSIRT and CISO shall work with
  management to update GENERIC INC.'s policies and procedures as needed.
Sustainability
- This policy should be reviewed annually to ensure it accurately reflects current
  organizational policies and equipment. Additionally, this policy should be reviewed after
  any computer security incident to ensure the policy's applicability to preventing evolving
  incidents.
References
1. Barman (2002). Writing Information Security Policies, New Riders.
2. Mandia, Prosise, and Pepe (2003). Incident Response & Computer Forensics, Second
Edition, McGraw-Hill/Osborne.
3. NIST 800-61: Computer Security Incident Handling Guide