RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1

Transcription

1 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version Revised and effective from 1st April 2012

2 Document Control Organisation Title Author Filename Owner Subject Protective Marking Review date ICT Services Information Security Incident Management Policy Steve Carter \\adrctcictnas2\gcsx\gcsx-project\policies and Procedures\Information Security Incident Management Policy Head of ICT/SIRO Security Incident Management Unclassified The Information Management & Security Forum will formally review the Information Security Policy annually Revision History Revision Revisor Previous Description of Revision Date Version 01/07/09 E. Pritchard 0.1 Highlighted (other than yellow) - removed 20/07/09 E. Pritchard 0.3 Amends from HR, ICT & Internal Audit 22/02/12 S. Carter 2.0 Updates around Paper based Incidents and Reporting 1/04/2012 S. Carter 2.0 Review - Minor Amendments Document Approvals This document requires the following approvals: Sponsor Approval Name Date Information Management & Phil Derham (Finance) Security Forum Andrew Hopkins (Internal 01/03/2012 Audit) Rhianydd Davies (HR) Jeanette Howells (ESG) Josie Rhisart (Education) Sally Churchill (CCS) Andy Wilkins (Legal) Louise Evans (ICT) Head Of ICT Tim Jones 19/03/2012 SIRO Leigh Gripton 21/03/2012 Document Distribution This document will be distributed to: Name Job Title Address All employees, members, contractors, third party suppliers Page 2 of 11

3 Contents Section Page 1 Policy Statement 4 2 Purpose 4 3 Scope 4 4 Definition 4 5 Risks 5 6 Applying the Policy 5 7 Policy Compliance 5 8 Policy Governance 6 9 Review and Revision 6 Appendices Section Page 10 Reporting Information Security Incident Procedure 7 11 Examples of Information Security Incidents Process Flow; Reporting an Information Security Event or 11 Weakness Page 3 of 11

4 1 Policy Statement Protecting Rhondda Cynon Taff County Borough Council s computers, systems, electronic and paper based data from unauthorised use is of paramount importance with the management of system security and our response to breaches playing an important role in this process. All employees and personnel that have access to the Authority s information assets must adhere to the policy defined below in order to protect the security of the network, protect computer systems and protect data integrity and confidentiality. 2 Purpose The purpose of this policy is to mandate a standard for the management of Information Security Incidents or weaknesses. A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed to establish when security events become escalated to an incident. The incident response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident. 3 Scope This policy applies to employees, members, contractors, third party suppliers or anyone with access to electronic or paper based information systems and or output from such systems. 4 Definition This policy needs to be applied as soon as information systems or data are suspected to be, or are actually affected by an adverse event which is likely to lead to a security incident. The definition of an information management security incident ( Information Security Incident in the remainder of this policy and procedure) is an adverse event that has caused or has the potential to cause damage to an organisation s information assets, reputation and / or personnel. Incident management is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes. An Information Security Incident includes, but is not restricted to, the following: The loss or theft of data or information. The transfer of data or information to those who are not entitled to receive that information. Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system. Page 4 of 11

5 Changes to information or data or system hardware, firmware, or software characteristics without the Council's knowledge, instruction, or consent. Unwanted disruption or denial of service to a system. The unauthorised use of a system for the processing or storage of data by any person. Examples of some of the more common forms of Information Security Incidents have been provided in Appendix 2. 5 Risks The Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks: To reduce the impact of information security breaches by ensuring incidents are responded to consistently, efficiently and effectively. To help identify areas for improvement to decrease the risk and impact of future incidents. Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. 6 Applying the Policy Events and weaknesses need to be reported at the earliest possible stage as they need to be assessed by an Information Management Officer. The Information Management Officer enables the Service to identify when a series of events or weaknesses have escalated to become an incident. It is vital for ICT Services to gain as much information as possible from the business users to identify if an incident is occurring. For full details of the procedure for incident handling please refer to Appendix 3. 7 Policy Compliance Any breach of this policy may warrant further investigation that may lead to the Council s disciplinary procedures being invoked and in certain circumstances, may necessitate the involvement of the Police. Specifically in relation to third party suppliers or contractors, non conformance will result in the immediate removal of access to Council systems. If damage or compromise of Council systems results, the Council may consider legal proceedings Page 5 of 11

6 8 Policy Governance The following table identifies who within the council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply: Responsible the person(s) responsible for developing and implementing the policy. Accountable the person who has ultimate accountability and authority for the policy. Consulted the person(s) or groups to be consulted prior to final policy implementation or amendment. Informed the person(s) or groups to be informed after policy implementation or amendment. Responsible Accountable Consulted Informed All Group Directors, Service Directors and Heads of Service Head of Service for ICT Human Resources, Internal Audit, ICT Information Management Group All users of Council Systems 9 Review and Revision The Information Management Group will review the Information Security Policy and its supporting policies every six months and reissue it annually, drawing attention to any changes that may have been made. Page 6 of 11

7 10 Appendix 1 - Procedure for Incident Handling 10.1 Reporting Information Security Events or Weaknesses The following sections detail how all users must report information security events or weaknesses. Appendix 3 provides a process flow diagram illustrating the process to be followed when reporting information security events or weaknesses Reporting Information Security Events for all Employees All suspected security events should be reported immediately to the user s Line Manager and the ICT Service Desk on The ICT Service Desk will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied: Contact name and number of person reporting the incident. E mail address of person reporting the incident. Department and Directorate of person reporting the incident. The type of data, information or equipment involved. Whether the loss of the data puts any person or other data at risk. Location of the incident. Inventory numbers of any equipment affected. Date and time the security incident occurred. Location of data or equipment affected. Type and circumstances of the incident. Security events, for example a virus infection, could quickly spread and cause data loss across the organisation. All users must understand, and be able to identify that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. If an event is detected users must: Note the symptoms and any error messages on screen. Disconnect the workstation from the network if an infection is suspected (with assistance from ICT Support Staff). Not use any removable media (for example USB memory sticks) that may also have been infected Responsibilities for the Management of Information Security Incidents A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed and the Information Management Officer must be consulted to establish when security events become escalated to an incident. The incident Page 7 of 11

8 response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident Collection of Evidence If an incident requires information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care and where necessary the Information Management Officer may contact the Councils Data Protection Officer and Internal Audit for guidance. If in doubt about a situation, for example concerning computer misuse or paper security, contact the ICT Service Desk for advice Responsibilities and Procedures Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The Information Management Officer must in consultation with Senior Information Management Risk Officer (SIRO), Legal Services, Internal Audit and Human Resources decide when events are classified as an incident and determine the most appropriate response. An incident management process must be created and include details of: Identification of the incident, analysis to ascertain its cause and vulnerabilities exploited. Limiting or restricting further impact of the incident. Tactics for containing the incident. Corrective action to repair and prevent reoccurrence. Communication across the Council to those affected. The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected electronic or paper based systems during the incident and all of the remedial actions should be documented in as much detail as possible Learning from Information Security Incidents To learn from incidents and improve the response process incidents must be recorded and a Post Incident Review conducted. The following details must be retained by ICT: Types of incidents. Volumes of incidents and malfunctions. Costs incurred during the incidents. Page 8 of 11

9 The information must be collated and reviewed on a regular basis by ICT Services and any patterns or trends identified. Any changes to the process made as a result of the Post Incident Review must be formally noted. The information, where appropriate, should be shared with GovCertUK, the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region and where deemed appropriate the Information Commissioners Office (ICO). Page 9 of 11

10 11 Appendix 2 Examples of Information Security Incidents Examples of the most common Information Security Incidents are listed below. It should be noted that this list is not exhaustive. Misuse Giving information to someone who should not have access to it - verbally, in writing or electronically. Computer infected by a Virus or other Malware. Sending a sensitive to 'all staff' by mistake. Receiving unsolicited mail of an offensive nature. Receiving unsolicited mail which requires you to enter personal data. Finding data that has been changed by an unauthorised person. Receiving and forwarding chain letters including virus warnings, scam warnings and other s which encourage the recipient to forward onto others. Unknown people asking for information which could gain them access to Council data (e.g. a password or details of a third party). Sending confidential or sensitive information to the incorrect recipient Use of unapproved or unlicensed software on Council equipment. Accessing a computer system using someone else's authorisation (e.g. someone else's user id and password). Writing down your password and leaving it on display / somewhere easy to find. Printing or copying confidential information and not storing it correctly or confidentially. Theft / Loss Theft / loss of a hard copy file. Theft / loss of any computer equipment. Page 10 of 11

11 SECURITY INCIDENT MANAGEMENT POLICY OWNER: ICT SMT DATE: 24/02/ Appendix 3 Process Flow; Reporting an Information Security Event or Weakness INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 1. 0 All suspected security events to be reported to user s Line Manager and the ICT Service Desk via telephone. The following information must be provided *Contact name and number of the person reporting the incident * address of the person reporting the incident *Department and Directorate of person reporting the incident *The type of data, information or equipment involved Whether * the loss of data put any person or other data at risk *Location of the incident *Inventory numbers of any equipment affected *Location of data or equipment affected *Type and circumstances of the incident Event Record created in HEAT and unique sequential reference number generated and provided to the customer The ICT Service Desk will advise the user to *Note the symptoms and any error messages on the screen Disconnect the workstation from the network if an infection is suspected and request assistance from ICT Support Staff *Not use any removable media, for example USB memory sticks that may have been infected Security event to be analysed by Information Management Officer and progressed as either an event or an incident Incident Event or Incident Event If an incident requires the collation of evidence for a potential investigation this must be approached with care and the Councils Data Protection Officer and Internal Audit team consulted for guidance Incident Management Process to be invoked to include Analysis of the cause and the vulnerabilities exploited * * Limiting or restricting further impact of the incident *Tactics for containing the incident *Corrective action to repair and prevent reoccurrence *Communication across the Council to those affected ICT Information Management Officer to Sign off event with SIRO Event Closed Actions required to recover from the incident must be under formal c. ontrol Identified / Authorised staff only to have access to the affected systems during the incident. Remedial action undertaken to be documented in as much detail as possible Post Incident Review to be conducted, the following must be retained by ICT, Types of incident, volumes of incidents and malfunctions, costs incurred during the incident. Where appropriate information to be shared with WARP (Warning, Advice and Reporting Point), GovCert UK and the Information Commissioners Office (ICO) Incident Closed Incident Report retained Page 1 Page 11 of 11