California State University, Chico. Information Security Incident Management Plan

Transcription

1 Information Security Incident Management Plan Version 0.8 January 5, 2009

2 Table of Contents Introduction... 3 Scope... 3 Objectives... 3 Incident Management Procedures... 4 Roles and Responsibilities... 5 Training and Implementation... 5 Appendix A Definitions... 6 Appendix B Incident Types... 7 Information Security Office 2 05/19/14

3 Introduction Effective information security management involves a combination of prevention, detection, and reaction. In addition to deploying strong security protection, the university should be able to respond to incidents and invoke proper procedures if an information security incident occurs. Security event and incident management is vital to the information security management process. The purpose of this document is to outline the procedures for management an information security event or incident. Such events or incidents may take the form of a virus, worm or Trojan attack, a denial of service (DoS) or other intrusion, or misuse of information resources by an individual, machine, or site. Scope These procedures and guidelines are for management, administration, and other technical and operational staff to prepare for, detect, and respond to information security incidents. Because security events and incidents involving different computer systems will lead to different consequences, departments should customize the security event and incident management procedures according to their specific needs. Objectives A well defined security event and incident management plan is vital to the effective operation of a computer system, in addition to the information security operation as a whole. The major objectives of security event and incident management include Ensure the required resources are available, including manpower, technology, etc. Ensure that all the responsible parties have a clear understanding of the tasks they should perform following predefined procedures Ensure that the response is systematic and efficient and that there is prompt recovery for the compromised system Ensure that the response activities are coordinated Minimize the possible impact of information leakage, corruption, and system disruption, etc. Share experience in incident response within and among departments Prevent further attacks and damages Handle related legal issues Information Security Office 3 05/19/14

4 Incident Management Procedures All information security incident management procedures are located in the Information Security Knowledge Base on the wiki at Security Incident Response The Security Incident Response Procedure defines the steps to be followed when an incident occurs. The procedure aims at minimizing damage, eradicating the cause of the incident, and restoring the system to normal operation etc., in accordance with predefined goals and priorities. The procedure is broadly categorized into five stages: identification, containment, eradication, recovery and follow-up. Although the procedure is written generally with intrusions in mind, it is meant to serve as a guideline and as such the same basic steps apply to other types of incidents. A system administrator or system manager may establish additional security incident response procedures, checklists, and best practices to guide teams. These procedures should be provided to all employees including management personnel for their reference and compliance. They should be clear, straightforward, and easily understood so all personnel understand what they need to do. Notification The Security Incident Notification Procedure defines the process to notify management and relevant parties of the incident to ensure that important decisions are promptly made. It sets out the points of contact (both internal and external) at various levels for notification based on the type and severity of the incident. Notification procedures and contact lists may vary for different kinds of incidents and for different systems regarding contact points and follow-up actions. Information about incidents should be disclosed only on a need-to-know basis, and only the Information Security Officer has the authority to share or authorize others to share information about security incidents with others not directly involved. Reporting and Tracking The Security Incident Reporting and Tracking Procedure defines the means of reporting and tracking suspicious activities so all parties involved are notified in a timely manner and all required information is documented. In addition, the procedure deals with how all parties involved will know to whom they should report, and in what way, and what they should not report. A Post-Incident Report is also prepared to maintain consistency and ensure completeness of the information collected during security incident reporting. To facilitate an effective reporting and tracking procedure all involved staff should be familiar with the reporting procedure and capable of reporting security incidents quickly. In addition, a security incident reporting form should be created to standardize the information to be collected, and if necessary, draw up a separate procedure for non-office-hour reporting. Information Security Office 4 05/19/14

5 Roles and Responsibilities Information Security Office The Information Security Office (ISEC) is responsible for working with the campus community to secure systems and network resources, and protect the confidentiality of student, faculty and staff information. Related to incident management the Information Security Office is responsible to: Consult with campus users and departments to investigate security issues. Ensure incident response procedures are developed, implemented and followed Respond to and recover from disruptive and destructive information security events Incident Management Team (IMT) The Incident Management Team is responsible for implementation of the Incident Management Plan, including the facilitation of all incident management procedures (security incident response, notification and reporting and tracking). Their tasks include but are not limited to: Assessing, responding, and resolving information security incidents in partnership with campus technical staff, University Police, Public Affairs, etc. Notifying appropriate units of possible security infringements Reporting any security breach Disseminating guidelines related to security to departmental data managers and system administrators System Administrators and Department/System Managers All campus system administrators and department/system managers are responsible for following the incident management procedures outlined in the plan. A system administrator or department manager may establish additional security incident response procedures, checklists, and best practices, as well as system/department-specific contact lists. Training and Implementation Management, administration, and technical and operational staff need to have a thorough understanding of these procedures in order to work together to effectively respond to information security incidents. The Incident Management Team conduct a variety of training sessions to review and discuss the procedures so all parties are prepared in the event an incident occurs. Once the detailed Security Incident Response procedure has been covered in training, it is not expected that technical and operational staff will refer to it at each stage during an incident. Instead, a checklist is available to speed response and ensure steps are not missed. Department-and computer system-specific incident management procedures will not be covered in these training sessions yet need to be understood by appropriate staff. Information Security Office 5 05/19/14

6 Appendix A Definitions The term incident refers to an adverse event in an information system and/or network, or the threat of such occurrence. Examples of incidents include unauthorized use of another user s account, unauthorized use of system privileges, and execution of malicious code that destroys data. Incident implies harm or the attempt to harm. An event is any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network. These observable events recorded on Incident Management Forms, along with the evidence collected, provide the bulk of your organization s case if the perpetrator of an incident is caught and prosecuted. The term security incident refers to any incident related to information security. It refers to an adverse event in an information system and/or network which pose a threat to computer or network security in respect of availability, integrity, and confidentiality. Examples of security incidents include malicious code attacks, unauthorized access, unauthorized utilization of services, denial of resources, disruption of services, compromise of protected data/program/network system privileges, malicious destruction or modification of data/information, penetration and intrusion, misuse of system resources, viruses and hoaxes, and malformed codes or scripts affecting networked systems. Information Security Office 6 05/19/14

7 Appendix B Incident Types Type Malicious code attacks Denial of service (DoS) Unauthorized access or utilization of services/hacks Description Malicious code attacks include attacks by programs such as viruses, Trojans, and worms used by hackers to gain privileges, capture passwords, and/or modify audit logs. Hackers and malicious code can disrupt/deny network and computing services in many ways, including erasing a critical program, mail spamming (flooding a user account or mail system), and altering system functionality by installing a Trojan. Unauthorized access ranges from improperly logging into a user's account to unauthorized access to data stored on a system. Unauthorized access could also entail access to network data by installing a sniffer program or device to capture all packets traversing the network at a particular point. Examples of unauthorized utilization of services include using the network file system (NFS) to mount the file system of a remote server machine, the VMS file access listener to transfer files without authorization, or inter-domain access mechanisms in Windows NT to access files and directories in another organization's domain. Misuse Threats Misuse occurs when someone uses a computing system for purposes prohibited by the Policy on the Use of Computing and Communications Services (EM 97-18). Threats express the intention to inflict harm or indicate impending danger or harm. They are often received via , but could also be communicated via other electronic means. Information Security Office 7 05/19/14