INFORMATION SECURITY INCIDENT REPORTING POLICY

Transcription

1 Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance Data Protection Officer All staff INFORMATION SECURITY INCIDENT REPORTING POLICY Pages 1 Version 1.0

2 Document Control This is a CONTROLLED document and updates or changes to this document are authorized and then advised by to the relevant document holders. It is UNCONTROLLED when printed. You should verify that you have the most current issue. DOCUMENT HISTORY Author(s) Names Helen Worth Role Senior Information Governance Officer Document Log Version Status Date Issued Description of Change Pages affected Review 0.1 Draft All 0.2 Draft Updated to reflect feedback All during consultation 1.0 Issued 30/04/2013 Approved by IM&T Board All March 2014 Pages 2 Version 1.0

3 Contents 1.0 Introduction What is Information? What is the Approach? Purpose Scope Indentifying Incidents Reporting Incidents Logging Incidents Escalation Managing Incidents Incident Classification Investigating the Incident Closure and final report Follow up Enforcement... 8 Pages 3 Version 1.0

4 1.0 Introduction To ensure that Herefordshire Council minimises the damage from information security incidents and learns from them, it should ensure that all information security incidents are reported, recorded and investigated. All employees are required to report any observed or suspected incident promptly to allow the issue to be fully investigated in order to reduce the risk of it re-occurring. 1.1 What is Information? Information can be in a number of forms: Spoken in conversations (including telephone) Printed out and or written on paper Sent by fax Sent via Sent by text (SMS) Stored on computers Transmitted across networks Stored on media (tapes, disks, CDs, film, microfiche etc.) Stored in databases As part of presentations Any other methods used to convey information and knowledge. 1.2 What is the Approach? We are obliged by law to deal with any serious breach of information security under the P.A.C.E. (Police And Criminal Evidence) process. The most effective way of providing information security is to use a structured approach that will ensure the appropriate controls are applied to specific areas rather than general controls to all areas. The Code of Practice for Management was published in 1995 as British Standard, BS 7799 (Now ISO27001). This standard provides a comprehensive set of security controls comprising the best information security practices in current use. Its objectives are to provide organisations with a common basis for providing information security and to enable information to be shared between organisations. 2.0 Purpose The purpose of this policy is to inform all employees of their responsibilities in recognising and reporting suspected and actual information security incidents. This policy should be read in conjunction with the following policies and procedures: Internet Acceptable Use Policy Policy. Software Policy. GCSx Acceptable Usage Policy and Personal Commitment Statement. IT Access Policy. Information Protection Policy. Computer, Telephone and Desk Use Policy. Pages 4 Version 1.0

5 Remote Working Policy. Removable Media Policy. Data Protection Policy. Communications and Operation Management Policy. IT Infrastructure Policy. 3.0 Scope This Policy applies to all Herefordshire Council Members, employees, consultants, agency staff and independent contractors. 4.0 Indentifying Incidents For the purpose of this policy an information security incident is defined as: ''An identified occurrence or weakness indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation which may be security relevant.'' Both incidents and weaknesses have the potential to affect the confidentiality, integrity and availability of information. Some common examples of information security incidents are listed below. Please note that this list is not exhaustive and should be used as guidance: The loss or theft of information. The transfer of sensitive or confidential information to those not entitled to receive it. Attempts to gain unauthorised access to data, information storage or a computer system. The unauthorised use of a system by an individual. The inappropriate disposal of sensitive or confidential information. The loss of computer equipment. The loss of computer media e.g. CDs, DVDs and Memory Sticks. Attempts to gain unauthorised access to secure areas. Management of information assets when a member of staff is suspended. Attempts to commit fraud 5.0 Reporting Incidents All Incidents should be reported to the Information Governance Team as soon as they are detected ing informationgovernance@herefordshire.gov.uk 5.1 Logging Incidents The following information must be provided when reporting an information security incident to the Information Governance Team: Date, Time and location of the incident Who discovered the incident Systems affected Pages 5 Version 1.0

6 Information Affected Department involved Description of what happened Who has been informed Actions taken so far 5.2 Escalation When considering what action to be taken the following people will be informed and consulted as appropriate: Data Protection Officer Senior Information Risk Owner Information Asset Owner/Data Steward Chief Executive Information Commissioner 6.0 Managing Incidents All incidents reported to the Information Governance team will be managed following the process below. 6.1 Incident Classification Once a security incident is reported, the Information Governance Team must classify the incident as follows: High risk incidents pose a severe risk to Herefordshire Council information and will be classified as critical security incidents. These incidents include, for example, a widespread risk of compromising systems or compromising sensitive or critical data Medium risk incidents pose a medium risk to Authority information and as such will be classified as medium-severity security incidents. These incidents include, for example, compromising an information system that does not contain sensitive data and will not pose a widespread risk to other Authority information systems. Low risk incidents pose a low risk to Authority information and will be classified as low-severity security incidents. These incidents include, for example, compromise of a system that does not contain critical or sensitive data or pose the risk of compromising other systems. 6.2 Investigating the Incident The purpose of an investigation is not to set out to find someone to blame, it is to learn and improve. All incidents will be investigated in order to establish facts and any corrective and/or preventative actions required. Not all incidents will need the same depth of investigation to find out the full facts and determine what went wrong. The investigation is intended to: Pages 6 Version 1.0

7 Find out all of the facts. Determine what went wrong. Identify risks that are appropriate for follow up and action. Make recommendations to address the risks. Investigation of the incident will include the collection and recording of evidence and it is important the Information Governance Team find out the following: a) The extent of the breach. b) They amount of information involved. c) The sensitivity of the information involved. d) The Potential for loss or damage to individuals, the council or any other body. e) What measures need to be taken and how quickly to address:- i. Restoring any lost information to our custody or control. ii. Whether to warn people about the loss, including who and when. iii. Whether to report the loss to the Information Commissioner (if it involves personal data) and when to do so. iv. Whether to report the loss to the Police. The investigation process may also include the following: Taking statements, formal or informal, from those involved, especially where the quality of evidence may be lost through time or people may not be present for long. Convening a meeting as appropriate involving people who are likely to have an active role in remedying the incident or dealing with any of the outside parties involved. Involving the council s Public Relations team Involving the Information Commissioners Office and dealing with any subsequent action arising from it. Consider measures that can be put in place to eliminate or reduce the chances of a re-occurrence. Involve legal services where there is a risk of a claim against the council and update risk registers. 6.3 Forensic Evidence As part of the investigation process a forensic examination of equipment may be required for evidential purposes. Although the investigation may not be a criminal case there may be an internal case requiring disciplinary procedures. If a forensic examination needs to take place the following must be adhered to: Evidence must be logged in and out of the evidence store. If evidence needs to be handed to a third party (i.e. the police) this must be signed for by the third party. Evidence returned by a third party must be signed back into the evidence store and kept along with confirmation that it is no longer required. Evidence must be retained for a minimum of 6 months after the end of the investigation. Evidence will only be authorised for re-issue by Information Governance. Pages 7 Version 1.0

8 6.4 Closure and reporting All incidents classified as High will have a closure report written which will be provided to the relevant parties. Any risks identified as a result of the incident occurring will be recorded on the Information Security Risk Treatment Plan and assigned to the relevant business owners for corrective and/or preventative actions to be implemented. All incidents will be summarised in a monthly report to the KIS Steering Group and where appropriate to the IM&T Steering Group. A quarterly trend report will be provided to the IM&T Board. 6.5 Follow-up Some incidents require considerable time and effort. Performing follow-up activity is, however, one of the most critical activities in responding to incidents. Following up afterwards will help the Authority improve their incident handling procedures and review their ISMS (information Security Management System) as well as continue to support any efforts to prosecute those who have broken the law. Follow-up activities include the following: Analysing what has transpired and what was done to intervene. Analysing the cost of the incident. Preparing a report for the IM&T Board Revising the ISMS. Lessons learned contained in the report described above should be used as the basis for modifying Authority information incident response policies and procedures. 7.0 Enforcement Enforcement of this policy is the responsibility of all managers as part of their management role. The Internal and External Audit may undertake reviews on a planned and ad-hoc basis as part of the audit process. The Information Governance team will conduct quality reviews on cyclical basis as part of their security role. A violation of standards, procedures, or guidelines established in support of this policy will be brought to the attention of the Information Governance Officer for investigation. The Information Governance Team enforces this policy by continuously monitoring, through the use of software tools. Business Unit Management, Human Resources, Internal Audit and External Audit will be notified when it is considered a breach has taken place. It is the responsibility of all users (as defined within the Scope of this document) to ensure compliance with the policy. Failure to adhere to the policy may result in a breach of Financial Regulations, Standing Orders and or current legislation. In the event of a breach by an Authority employee, disciplinary action may be taken in accordance with the Disciplinary Code of Conduct. Action against non-herefordshire council employees may result in removal/suspension of IT facilities, removal from site, cancellation of any contracts and possible legal action. Pages 8 Version 1.0