ICT Security Incident Policy ITD

Transcription

1 ICT Security Incident Policy ITD

2 Published by the Information Technology Division Department of Education and Early Childhood Development Melbourne September 2011 State of Victoria (Department of Education and Early Childhood Development) 2011 The copyright in this document is owned by the State of Victoria (Department of Education and Early Childhood Development), or in the case of some materials, by third parties (third party materials). part may be reproduced by any process except in accordance with the provisions of the Copyright Act 1968 the National Education Access Licence for Schools (NEALS) (see below) or with permission. NEALS is an educational institution situated in Australia which is not conducted for profit, or a body responsible for administering such an institution may copy and communicate the materials, other than third party materials, for the educational purposes of the institution. This document is available at:

3

4 Contents ICT Security Incident Policy Purpose Scope Definitions Policy Statement Reporting Legislative/Business Context Privacy and Human Rights Related Documents Accountabilities Contact Review Approving Authority... 8

5 ICT Security Incident Policy 1. Purpose 1.1 This document outlines the Department s policy for identifying and reporting ICT security incidents which have the potential to cause significant harm to the Department s ICT resources. It describes: the definition of an ICT security incident (Section 2.2) the immediate escalation steps and contact points for these incidents. 1.2 A flowchart can be found in Appendix 1 of this policy. 2. Scope 2.1 This policy applies to anyone who becomes aware of an ICT security incident for the Department s internally and externally hosted ICT Resources. This includes: central and regional corporate staff (including contractors) school staff (principals, teachers and administration staff) Specialist Technicians in schools, ICT coordinators and local technicians staff of third party providers supporting or hosting an ICT resource of the Department. 2.2 This policy specifically relates to the following types of ICT security incident: Malicious software installed on Departmental computers, devices or ICT systems that can t be detected, removed or quarantined by anti-virus or anti-spyware products An attempt to disrupt the availability of a Departmental ICT resource(s) Criminal activity launched from internal or external networks that is directed at the Department s ICT resources or users An attack from the internet on the Department s electronic communication networks Defacement of Departmental websites, including schools A serious breach of the Department s ICT Security Policy Theft, loss or unauthorised transfer of business-sensitive or personally identifiable information from Departmental ICT resources. 2.3 Types of incidents not within the scope of this policy include: Access issues affecting Departmental users, such as locked accounts Cyber bullying or harassment Operational incidents such as software or hardware failure. ICT Security Incident Policy, ITD

6 2.3.4 Activity on external websites (i.e. not owned by the Department) such as YouTube, Facebook and Twitter Users receiving spam This policy does not describe actions required to resolve ICT security incidents. 3. Definitions Table 3.1: Definitions Term EMT FOI ICT ICT Resource ICT Security Incident ISMD ITD ST Definition ITD Executive Management Team Freedom Of Information Information and communication technology ICT application, infrastructure, device or service One of a number of events affecting the Department s internally and externally hosted ICT resources as defined in Section 2.2 Information Strategy & Management Division Information Technology Division Specialist technician engaged through the Technical Support to Schools Program. 4. Policy Statement 4.1 This policy governs the escalation process for ICT security incidents. 5. Reporting All individuals covered by this policy should: 5.1 Report all ICT security incidents that occur in: central offices regional offices schools non-government sites hosting Department applications. 5.2 Report non-urgent ICT security incidents to the ITD Service Desk via the online Service Gateway to ensure centralised logging, tracking and management of the incident. The ITD Service Desk will then assign a priority and escalate to Risk Management if within scope of this policy. If the incident relates to a serious breach of the ICT Security Policy, your incident report should not identify the individuals involved. Risk Management will contact you to obtain details. 5.3 Contact the ITD Service Desk by telephone in the following circumstances: the incident requires urgent attention computer access is not available to the online Service Gateway. 6 ICT Security Incident Policy, ITD

7 ITD Risk Management will: 5.4 Review the priority rating of each reported ICT security incident and inform the ITD Service Desk if the priority should be changed. 5.5 tify the appropriate senior management including: The General Manager, ITD and the Assistant General Manager, IT Services, ITD for ICT security incidents rated as Priority 1 or 2. Government Services Division, Department of Treasury and Finance if the incident is likely to impact other government departments or agencies. Privacy Advisor, FOI and Privacy Unit, if the incident relates to theft, loss or unauthorised transfer of business-sensitive or personally identifiable information The General Manager, Conduct and Ethics, if the incident relates to a serious breach of policy by a Department staff member. 5.6 Perform the following actions to manage incident resolution and closure: Monitor resolution of the ICT security incident. For priority 1 and 2 incidents, convene a post incident review meeting to identify the root cause and the ICT vulnerabilities which enabled the incident to occur, and to make recommendations that will reduce the likelihood of the incident re-occurring. For priority 1 and 2 incidents, submit an incident management report to EMT and ISMD. tify the ITD Service Desk that the incident can be closed. 6. Legislative/Business Context 6.1 This policy is to be read in conjunction with the WoVG Security Standard 06 Information security - Incident management at the URL below Privacy and Human Rights 7.1 This policy complies with the Victorian Charter of Human Rights and Responsibilities and is consistent with the Information Privacy Act Related Documents 8.1 This policy is to be read in conjunction with the Department s ICT Security Policy and Acceptable Use Policy for ICT Resources located at the URL below. ICT Security Incident Policy, ITD

8 9. Accountabilities 9.1 General Manager, ITD. Informs the Deputy Secretary, Office for Resources and Infrastructure of a Priority 1 ICT security incident. Decides whether to shut down a critical ICT service. 9.2 Manager, Risk Management, ITD. 10. Contact Validate the reported incident is an ICT security incident in consultation with the appropriate technical experts. Validate the priority assigned to the security incident. Communicate to key stakeholders. Monitor and review (and develop strategies to avoid similar incidents) Queries regarding this policy are to be directed to Manager, Risk Management (ITD) via the ITD Service Desk 11. Review 11.1 This policy will be reviewed every 12 months or earlier if necessary. 12. Approving Authority 12.1 Changes to this policy may not be invoked without prior approval by the General Manager, ITD. 8 ICT Security Incident Policy, ITD

9 Appendix 1 Process for anyone to escalate an ICT security incident Malicious software? Report ICT security incident to ITD Service Desk via online Service Gateway; by telephone if urgent ITD Service Desk assigns incident to Risk Management Attempt to disrupt ICT availability? Risk Management (RM) validates incident and priority Criminal attack on network? Valid incident? Both valid? RM requests ITD Service Desk to change priority RM notifies GM,ITD and AGM,ITSB if priority 1 or 2 Internet attack on network? RM notifies GSD/DTF if incident is risk to WoVG DEECD website defacement? RM notifies DEECD Privacy Advisor if incident relates to loss of sensitive/personal data RM notifies GM, Conduct & Ethics if incident relates to serious breach of policy Serious breach ICT security policy? ITD follows resolution/recovery procedure applicable for this ICT security incident Loss of sensitive / personal data? RM monitors resolution to completion ITD post Incident review - Identify root cause and the vulnerabilities exploited, and make recommendations Priority 1 & 2 incidents Incident not covered by this policy Incident not covered by this policy. RM notifies ITD Service Desk to reassign incident RM submits an incident report to EMT and ISMD Close the incident Priority 1 & 2 incidents ICT Security Incident Policy, ITD