Information Security Incident Response Plan

Transcription

1 Infrmatin Security Incident Respnse Plan Agency: Date: Cntact: 1

2 TABLE OF CONTENTS Intrductin... 3 Authrity... 4 Terms and Definitins... 4 Rles and Respnsibilities... 5 Prgram... 6 Educatin and Awareness... 9 Cmmunicatins... 9 Cmpliance Implementatin Apprval

3 Intrductin Nte t agencies The purpse f an infrmatin security incident respnse prgram is t ensure the effective respnse and handling f security incidents that affect the availability, integrity, r cnfidentiality f agency infrmatin assets. In additin, an incident respnse prgram will ensure infrmatin security events, incidents and vulnerabilities assciated with infrmatin assets and infrmatin systems are cmmunicated in a manner enabling timely crrective actin. This template is intended t be a guide t assist in the develpment f an agency incident respnse plan, ne cmpnent f an incident respnse prgram. Agencies may have varius capacities and business needs affecting the implementatin f these guidelines. This infrmatin security incident respnse plan template was created t align with the statewide Infrmatin Security Incident Respnse Plicy xxx. ORS requires agencies t develp the capacity t respnd t incidents that invlve the security f infrmatin. Agencies must implement frensic techniques and remedies, and cnsider lessns learned. The statute als requires reprting incidents and plans t the Enterprise Security Office. The Oregn Cnsumer Identity Theft Prtectin Act (ORS 646A.600) requires agencies t take specific actins in cases where cmprmise f persnally identifiable infrmatin has ccurred. This plan addresses these requirements. The <agency> has develped this Infrmatin Security Incident Respnse Plan t implement its incident-respnse prcesses and prcedures effectively, and t ensure that <agency> emplyees understand them. The intent f this dcument is t: describe the prcess f respnding t an incident, educate emplyees, and build awareness f security requirements. An incident respnse plan brings tgether and rganizes the resurces fr dealing with any event that harms r threatens the security f infrmatin assets. Such an event may be a malicius cde attack, an unauthrized access t infrmatin r systems, the unauthrized use f services, a denial f service attack, r a hax. The gal is t facilitate quick and efficient respnse t incidents, and t limit their impact while prtecting the state s infrmatin assets. The plan defines rles and respnsibilities, dcuments the steps necessary fr effectively and efficiently managing an infrmatin security incident, and defines channels f cmmunicatin. The plan als prescribes the educatin needed t achieve these bjectives. 3

4 Authrity Statewide infrmatin security plicies: Plicy Number Plicy Title Effective Date Infrmatin Asset Classificatin 1/31/ Cntrlling Prtable and Remvable Strage Devices 7/30/ Infrmatin Security 7/30/ Emplyee Security 7/30/ Transprting Infrmatin Assets 1/31/ Acceptable Use f State Infrmatin Assets 10/16/ xxx Infrmatin Security Incident Respnse draft <agency> infrmatin security plicies: Plicy Number Plicy Title Effective Date Terms and Definitins Nte t agencies Agencies shuld adjust definitins as necessary t best meet their business envirnment. Asset: Anything that has value t the agency Cntrl: Means f managing risk, including plicies, prcedures, guidelines, practices r rganizatinal structures, which can be f administrative, technical, management, r legal nature Incident: A single r a series f unwanted r unexpected infrmatin security events (see definitin f "infrmatin security event") that result in harm, r pse a significant threat f harm t infrmatin assets and require nn-rutine preventative r crrective actin. Incident Respnse Plan: managing incidents. Written dcument that states the apprach t addressing and Incident Respnse Plicy: Written dcument that defines rganizatinal structure fr incident respnse, defines rles and respnsibilities, and lists the requirements fr respnding t and reprting incidents. 4

5 Incident Respnse Prcedures: Written dcument(s) f the series f steps taken when respnding t incidents. Incident Respnse Prgram: Cmbinatin f incident respnse plicy, plan, and prcedures. Infrmatin: Any knwledge that can be cmmunicated r dcumentary material, regardless f its physical frm r characteristics, including electrnic, paper and verbal cmmunicatin. Infrmatin Security: Preservatin f cnfidentiality, integrity and availability f infrmatin; in additin, ther prperties, such as authenticity, accuntability, nn-repudiatin, and reliability can als be invlved. Infrmatin Security Event: An bservable, measurable ccurrence in respect t an infrmatin asset that is a deviatin frm nrmal peratins. Threat: A ptential cause f an unwanted incident, which may result in harm t a system r the agency Rles and Respnsibilities Nte t agencies These rle descriptins cme frm the statewide infrmatin security plicies and are presented here simply as an example. Agencies shuld adjust these descriptins as necessary t best meet their business envirnment and include any additinal rles that have been identified in the agency that apply such as Security Officer, Privacy Officer, etc. Agencies need t identify rles, respnsibilities and identify wh is respnsible fr incident respnse preparatin and planning, discvery, reprting, respnse, investigatin, recvery, fllw-up and lessns learned. Staffing will be dependent n agency capabilities. The same persn may fulfill ne r mre f these rles prvided there is sufficient backup cverage. The fllwing are suggested rles and respnsibilities an agency shuld cnsider: incident respnse team members, incident cmmander, and agency pint f cntact t interface with the State Incident Respnse Team (required by statewide plicy). Agency Directr Incident Respnse Pint f Cntact Infrmatin Owner Respnsible fr infrmatin security in the agency, fr reducing risk expsure, and fr ensuring the agency s activities d nt intrduce undue risk t the enterprise. The directr als is respnsible fr ensuring cmpliance with state enterprise security plicies, standards, and security initiatives, and with state and federal regulatins. Respnsible fr cmmunicating with State Incident Respnse Team (SIRT)and crdinating agency actins with SIRT in respnse t an infrmatin security incident. Respnsible fr creating initial infrmatin classificatin, apprving decisins regarding cntrls and access privileges, perfrming peridic reclassificatin, and ensuring regular reviews fr value and updates t manage changes t risk. 5

6 User Respnsible fr cmplying with the prvisins f plicies, prcedures and practices. Prgram <detail n agency gvernance structure identify wh is respnsible fr managing infrmatin security incident respnse fr the agency, wh is respnsible fr develping plicy, wh is respnsible fr develping prcedures, wh is respnsible fr awareness, identificatin f any gverning bdies such as management cmmittees and wrk grups, etc. Include what infrmatin security incident respnse capabilities the agency has r identify utside resurce and their capabilities. Include hw agency will test plan and frequency. Include ther related prgram areas such as business cntinuity planning, risk management, and privacy as they relate t incident respnse. > Nte t agencies Prcedures may in include Incident Reprting Prcedures fr staff, management, infrmatin technlgy, and Pint f Cntact. The Incident Respnse Prgram is cmpsed f this plan in cnjunctin with plicy and prcedures. The fllwing dcuments shuld be reviewed fr a cmplete understanding f the prgram: 1. <agency> Infrmatin Security Incident Respnse, Plicy Number XXX-XX, lcated in Appendix <insert appendix number> at the end f this dcument. 2. <agency> Prcedure: Infrmatin Security Incident Respnse, lcated in Appendix <insert appendix number> at the end f this dcument. The related flwchart fr this prcedure is fund in Appendix <insert appendix number> at the end f this dcument. Infrmatin security incidents will be cmmunicated in a manner allwing timely crrective actin t be taken. This plan shws hw the <agency> will handle respnse t an incident, incident cmmunicatin, incident respnse plan testing, training fr respnse resurces and awareness training The Infrmatin Security Incident Respnse Plicy, Plan, and prcedures will be reviewed <insert interval here, i.e. annually> r if significant changes ccur t ensure their cntinuing adequacy and effectiveness. Each will have an wner wh has apprved management respnsibility fr its develpment, review, and evaluatin. Reviews will include assessing pprtunities fr imprvement and apprach t managing infrmatin security incident respnse in regards t integrating lessns learned, t changes t <agency s> envirnment, new threats and risks, business circumstances, legal and plicy implicatins, and technical envirnment. Identificatin Identificatin f an incident is the prcess f analyzing an event and determining if that event is nrmal r if it is an incident. An incident is an adverse event and it usually implies either harm, r the attempt t harm the <agency>. Events ccur rutinely and will be examined fr impact. Thse shwing either harm r intent t harm may be escalated t an incident. The term incident refers t an adverse event impacting ne r mre <agency> s infrmatin assets r t the threat f such an event Examples include but are nt limited t the fllwing: Unauthrized use Denial f Service 6

7 Malicius cde Netwrk system failures (widespread) Applicatin system failures (widespread) Unauthrized disclsure r lss f infrmatin Infrmatin Security Breach Other Incidents can result frm any f the fllwing: Intentinal and unintentinal acts Actins f state emplyees Actins f vendrs r cnstituents Actins f third parties External r internal acts Credit card fraud Ptential vilatins f Statewide r <agency> s Plicies Natural disasters and pwer failures Acts related t vilence, warfare r terrrism Serius wrngding Other Incident Classificatin Once an event is determined t be an incident, several methds exist fr classifying incidents. The fllwing factrs are cnsidered when evaluating incidents: Triage Criticality f systems that are (r culd be) made unavailable Value f the infrmatin cmprmised (if any) Number f peple r functins impacted Business cnsideratins Public relatins Enterprise impact Multi-agency scpe The bjective f the triage prcess is t gather infrmatin, assess the nature f an incident and begin making decisins abut hw t respnd t it. It is critical t ensure when an incident is discvered and assessed the situatin des nt becme mre severe. 7

8 What type f incident has ccurred Wh is invlved What is the scpe What is the urgency What is the impact thus far What is the prjected impact What can be dne t cntain the incident Are there ther vulnerable r affected systems What are the effects f the incident What actins have been taken Recmmendatins fr prceeding May perfrm analysis t identify the rt cause f the incident Evidence Preservatin Carefully balancing the need t restre peratins against the need t preserve evidence is a critical part f incident respnse. Gathering evidence and preserving it are essential fr prper identificatin f an incident, and fr business recvery. Fllw-up activities, such as persnnel actins r criminal prsecutin, als rely n gathering and preserving evidence. Frensics Nte t agencies in cases invlving ptential expsure f persnally identifiable infrmatin it is recmmended that technical analysis be perfrmed. In infrmatin security incidents invlving cmputers, when necessary <agency> will technically analyze cmputing devices t identify the cause f an incident r t analyze and preserve evidence. <agency> will practice the fllwing general frensic guidelines: Keep gd recrds f bservatins and actins taken. Make frensically-sund images f systems and retain them in a secure place. Establish chain f custdy fr evidence. Prvide basic frensic training t incident respnse staff, especially in preservatin f evidence Threat/Vulnerability Eradicatin After an incident, effrts will fcus n identifying, remving and repairing the vulnerability that led t the incident and thrughly clean the system. T d this, the vulnerability(s) needs t be clearly identified s the incident isn't repeated. The gal is t prepare fr the resumptin f nrmal peratins with cnfidence that the initial prblem has been fixed. 8

9 Cnfirm that Threat/Vulnerability has been Eliminated After the cause f an incident has been remved r eradicated and data r related infrmatin is restred, it is critical t cnfirm all threats and vulnerabilities have been successfully mitigated and that new threats r vulnerabilities have nt been intrduced. Resumptin f Operatins Resuming peratins is a business decisin, but it is imprtant t cnduct the preceding steps t ensure it is safe t d s. Pst-incident Activities An after-actin analysis will be perfrmed fr all incidents. The analysis may cnsist f ne r mre meetings and/r reprts. The purpse f the analysis is t give participants an pprtunity t share and dcument details abut the incident and t facilitate lessns learned. The meetings shuld be held within ne week f clsing the incident. Educatin and Awareness <agency> shall ensure that incident respnse is addressed in educatin and awareness prgrams. The prgrams shall address: <Discuss training prgrams, cycle/schedule, etc. Identify incident respnse awareness and training elements tpics t be cvered, wh will be trained, hw much training is required.> <detail training fr designated respnse resurces> Nte t agencies DAS has develped a suite f web-based user awareness mdules. Additinal mdules are planned and currently Incident Respnse is targeted fr early They are currently available t all state emplyees by accessing the state intranet and als are resident n the enterprise Learning Management System. Cmmunicatins Nte t agencies - Cmmunicatin is vital t incident respnse. Therefre, it is imprtant t cntrl cmmunicatin surrunding an incident s cmmunicatins is apprpriate and effective. Agencies shuld cnsider the fllwing aspects f incident cmmunicatin: Define circumstances when emplyees, custmers and partners may r may nt be infrmed f the issue Disclsure f incident infrmatin shuld be limited t a need t knw basis Establish prcedures fr cntrlling cmmunicatin with the media Establish prcedure fr cmmunicating securely during an incident Have cntact infrmatin fr the SIRT, vendrs cntracted t help during a security emergency, as well as relevant technlgy prviders 9

10 Have cntact infrmatin fr custmers and clients in the event they are affected by an incident Because f the sensitive and cnfidential nature f infrmatin and cmmunicatin surrunding an incident, all cmmunicatin must be thrugh secure channels. <detail prcedures fr internal and external cmmunicatins > <detail hw t securely cmmunicatin, what is an acceptable methd> <detail wh is respnsible fr cmmunicatins and wh is nt authrized t discuss incidents> Cmpliance <agency> is respnsible fr implementing and ensuring cmpliance with all applicable laws, rules, plicies, and regulatins. <detail agency cmpliance bjectives and initiatives> <list plicies (statewide and agency, see authrity sectin f plan), federal and state regulatins), statutes, administrative rules that apply, etc.> <All agencies are subject t the Identity Theft Preventin Act. Breaches as defined in the Identity Theft Preventin Act are nly ne type f an incident. If yur agency is subject t the regulatins list belw fr example, yu shuld cnsider the fllwing: The Payment Card Industry-Data Security Standards requires entities t develp an Incident Respnse Plan, require rganizatins t be prepared t respnd immediately t a breach by fllwing a previusly develped incident respnse plan that addresses business recvery and cntinuity prcedures, data backup prcesses, and cmmunicatin and cntact strategies HIPAA requires entities t implement plicies and prcedures t address security incidents, requires the creatin f a security incident respnse team r anther reasnable and apprpriate respnse and reprting mechanism. Agencies subject t HIPAA shuld have bth an incident respnse plan and an Incident respnse team, as well as a methd t classify security incidents> Specific t the Identity Theft Preventin Act agency plans shuld cver the fllwing: Cnsider ptential cmmunicatin channels fr different circumstances, e.g., yur plan may be different fr an emplyee as ppsed t a custmer data breach. Yur human resurces ffice Agency Public Infrmatin Officer (PIO) DAS Directr s Office DAS Office Cmmunicatin Manager State Chief Infrmatin Security Officer Department f Justice Oregn State Plice (ask fr the Criminal Lieutenant) 10

11 Other agencies that may be affected If security breach affects mre than 1,000 cnsumers, cntact all majr cnsumerreprting agencies that cmpile and maintain reprts n cnsumers n a natinwide basis; infrm them f the timing, distributin and cntent f the ntificatin given t the cnsumers. Cntact the credit mnitring bureaus in advance if directing ptential victims t call them Equifax Experian TransUnin <agency> maintains persnal infrmatin f cnsumers and will ntify custmers if persnal infrmatin has been subject t a security breach in accrdance with the Oregn Revised Statute 646A Identity Theft Prtectin Act. The ntificatin will be dne as sn as pssible, in ne f the fllwing manners: Written ntificatin Electrnic, if this is the custmary means f cmmunicatin between yu and yur custmer, r Telephne ntice prvided that yu can directly cntact yur custmer. Ntificatin may be delayed if a law enfrcement agency determines that it will impede a criminal investigatin. If an investigatin int the breach r cnsultatin with a federal, state r lcal law enfrcement agency determines there is n reasnable likelihd f harm t cnsumers, r if the persnal infrmatin was encrypted r made unreadable, ntificatin is nt required. Substitute ntice If the cst f ntifying custmers wuld exceed $250,000, that the number f thse wh need t be cntacted is mre than 350,000, r if there isn t means t sufficiently cntact cnsumers, substitute ntice will be given. Substitute ntice cnsists f: Cnspicuus psting f the ntice r a link t the ntice n yur Web site if ne is maintained, and Ntificatin t majr statewide Oregn televisin and newspaper media. Ntifying credit-reprting agencies If the security breach affects mre than 1,000 cnsumers <agency> will reprt t all natinwide credit-reprting agencies, withut reasnable delay, the timing, distributin, and the cntent f the ntice given t the affected cnsumers. <The regulatins listed abve are prvided as examples f cmpliance requirements and are nt intended t be a cmplete listing.> Implementatin <summary f initiatives, plans t develp tactical prjects initiatives t meet plan cmpnents, including timelines, perfrmance measures, auditing/mnitring requirements fr cmpliance, etc.> 11

12 Apprval <apprval sign ff by agency decisin makers, i.e. agency administratr, security fficer, CIO, etc.> By: Name, title Date By: Name, title Date 12