UBC Incident Response Plan V1.5

Transcription

1 UBC Incident Respnse Plan V1.5 Cntents 1. Ratinale Objective Applicatin Reprting a Cmputer Security Incident Managing the Security Incident All Incidents Medium and Severe Incidents Severe Incidents Additinal Prcedures fr Merchant Incidents Clsing the Incident Summary f Incident Respnse Plan Glssary Cardhlder Data Envirnment (CDE) Cmputer Security Incident Types f Incidents Incident Severity Cmputer Security Incident Respnse Team (CSIRT) CSIRT Crdinatr Merchant Security Centre Operatins Respnse (SCOR)

2 1. Ratinale Centralised ntificatin and cntrl f security incident investigatin is necessary t ensure that immediate attentin and apprpriate resurces are applied t cntrl, eliminate and determine the rt cause f events that culd ptentially disrupt the peratin f the university r cmprmise university data. 2. Objective The gal f this plan is t: Identify accuntability fr respnding t cmputer security incidents Ensure apprpriate escalatin Ensure effective administrative respnse t cmputer security incidents Streamline the respnse prcess Secure and prtect data in rder t minimise the rganisatinal impact f a cmputer security incident 3. Applicatin This plan applies t cmputer security incidents that affect UBC s infrmatin technlgy facilities, infrastructure r data assets, including but nt limited t servers, wrkstatins, merchant systems, firewalls, ruters, and switches. 4. Reprting a Cmputer Security Incident All suspected cmputer security incidents must be reprted immediately t UBC IT via the IT Service Centre (ITSC) at security@ubc.ca r Members f the university cmmunity must reprt a suspected cmputer security incident accrding t nrmal practice within their unit. This culd be t their supervisr, t the IT service team fr their unit r directly t the ITSC. Where the cmputer security incident invlves physical security issues in additin t cmputer security issues the incident must be reprted t Campus Security wh will in turn alert the ITSC. 5. Managing the Security Incident 5.1. All Incidents The ITSC will: 2

3 Create an incident file Escalate t the CSIRT Crdinatr The CSIRT Crdinatr will: Crdinate the incident with the ITSC staff and/r any ther relevant persnnel Escalate as required t SCOR and/r the Assciate Directr f Infrmatin Security Management (AD ISM) Ensure that relevant infrmatin is captured in the incident file; regardless f the technical resurces assigned t wrk the incident. These resurces may include SCOR, the ITSC, University IT Supprt Staff r ther persnnel as required Clse the incident file SCOR will: Investigate t determine if a breach has ccurred: Until cnfirmed it is t be classified as an incident; and If a breach is cnfirmed, then declare the severity f the breach. Identify the scpe and type f prblem, including classificatin as minr, medium r severe Ntify apprpriate rganizatins internal and external t UBC (including relevant plice agencies) Take crrective actin as described in the Securing and Preserving Electrnic Evidence guideline Reprt, as needed, t the apprpriate UBC department fr further actin; in sme cases this may include discipline. Nte: The type f infrmatin invlved may dictate mandatry reprting requirements 5.2. Medium and Severe Incidents This sectin cvers additinal prcedures fr incidents classified as Medium r Severe, which must be fllwed in additin t the prcedures fr All Incidents. The AD ISM will: Frm a CSIRT t include the relevant wner(s) f the data r issue The CSIRT Crdinatr will: Prvide regular briefings t the CSIRT by at least nce a day and mre ften at the utset - even if there has been n change Write a clsing incident reprt that is shared with the CSIRT 3

4 5.3. Severe Incidents This sectin cvers additinal prcedures fr incidents classified as Severe, which must be fllwed in additin t the prcedures fr Medium and Severe Incidents. The AD ISM will: Escalate the incident t the CIO Ensure that the CSIRT includes the CIO and the relevant wner(s) f the data r services affected The CIO will: Brief the Prvst and any ther relevant UBC Executives Ensure risk is managed in cnsultatin with the Prvst and any ther relevant UBC Executives Activate UBC s Disaster Respnse Plan (DRP) if the situatin requires, based n the impact n persns, prperty, and the envirnment Prvide a clsing incident reprt t the Prvst and the ther UBC Executives that assisted in the management f the incident 5.4. Additinal Prcedures fr Merchant Incidents This sectin cvers additinal prcedures fr Merchant (Payment Card Industry) incidents, which must be fllwed in additin t the prcedures fr All Incidents. The ITSC will: Merchant incidents are any where the fllwing examples f Merchant prcessing systems are included in the reprt: PIN pad tampering Rgue wireless access pint detected Any incident invlving credit card prcessing such as Visa, Mastercard, Amex, etc. Any incident where PCI r merchant prcessing are reprted Acquirer references such as TD, Chase, Mneris, Beanstream, etc. Merchant website cmprmise Escalate the incident t the Financial Analyst - UBC PCI Cmpliance ; If n respnse frm r if the Financial Analyst - UBC PCI Cmpliance is away, cntact: Manager, Revenue Accunting Directr, Financial Reprting The Financial Analyst UBC PCI Cmpliance will: 4

5 Cntact the merchant t crdinate the incident Crdinate with the CSIRT Crdinatr Crdinate with PCI Wrking Cmmittee as required Crdinate any cntact with Acquirer/Card cmpanies 6. Clsing the Incident A clsing incident reprt shall be prepared by the CSIRT Crdinatr fr medium and severe incidents. The reprt shall include: Chrnlgy f the incident and actins taken Scpe f risk the university faced during the incident e.g. number f recrds, degree f expsure Descriptin f actin taken t mitigate and reslve the issue Cmmunicatins that were taken Brief explanatin f basis fr key decisins Evaluatin f whether respnse plan was fllwed Identificatin f internal imprvements t infrastructure, systems, the incident respnse plan, and any ther actins that are recmmended 5

6 7. Summary f Incident Respnse Plan Reprt Incident Manage Incident Clse Incident User r Supervisr Credit Card Prcessing Merchant Campus Security Managed by CSIRT Crdinatr AD ISM assembles CSIRT fr medium and severe incidents AD ISM escalates severe incidents t CIO. CIO briefs UBC executives Create clsing incident reprt fr medium and severe incidents Share reprt with CSIRT fr medium incidents Share reprt with CIO fr severe incidents 6

7 8. Glssary 9.1. Cardhlder Data Envirnment (CDE) A CDE is defined as the cmputer envirnment wherein cardhlder data is transferred, prcessed, r stred, and any netwrks r devices directly cnnected t that envirnment Cmputer Security Incident A cmputer security incident, fr the purpses f this plan, includes events where there is suspicin that: Cnfidentiality, integrity r availability f UBC data has been cmprmised Cmputer systems r infrastructure has been attacked r is vulnerable t attack Types f Incidents Security incident types include but are nt limited t: 7

8 Malicius cde attacks - attacks by prgrams such as viruses, trjan hrse prgrams, wrms, rtkits, and scripts t gain privileges, capture passwrds, and/r mdify audit lgs t hide unauthrised activity. Unauthrised access - includes unauthrised users lgging int a legitimate accunt, unauthrised access t files and directries, unauthrised peratin f sniffer devices r ruge wireless access pints. Disruptin f services - includes erasing f prgrams r data, mail spamming, denial f service attacks r altering system functinality. Misuse - invlves the utilizatin f cmputer resurces fr ther than fficial purpses. Espinage - stealing infrmatin t subvert the interests f a crpratin r gvernment entity. Haxes - generally an warning f a nnexistent virus. Unusual Events includes erratic and persistent unusual system behaviur n desktps, servers r the UBC netwrk. Inexplicable lck ut f user accunts r the existence f a strange prcess running and accumulating a lt f CPU time Incident Severity Incidents will be classified by the CSIRT Crdinatr based n the perceived impact n university resurces: Minr -incidents fr which there are rutine slutins. Sensitive infrmatin has nt been expsed r accessed by unauthrised parties. Medium - incidents that d nt have rutine slutins but are limited in scpe and cnsequences. Severe - incidents that invlve significant persnal data leakage, cmprmised institutinal data, r that impacts a significant number f users, all f which has significant cnsequences 9.3. Cmputer Security Incident Respnse Team (CSIRT) A CSIRT is assembled by the AD ISM, and is drawn as apprpriate, frm SCOR and the fllwing grups (r their delegates): Campus Security Enrlment Services Finance Human Resurces Infrmatin Technlgy Internal Audit 8

9 Public Affairs Research Risk Management Services Treasury Unit/Department where incident ccurred University Cunsel 9.4. CSIRT Crdinatr The CSIRT Crdinatr is the Access and Identity Analyst, wh is part f the SCOR grup, and is charged with managing an incident Merchant Any University unit that accepts payment cards bearing the lgs f any f the five members f the PCI- DSS (American Express, Discver, JCB, MasterCard r VISA) Security Centre Operatins Respnse (SCOR) The SCOR grup, led by the Assciate Directr f Infrmatin Security Management (AD ISM), reprts t the Directr f Infrastructure, and has respnsibility fr the IT security infrastructure n campus. 9