Information Security Incident Reporting & Investigation

Transcription

1 Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how to act on it, by reporting it correctly. Owner Director of Finance & Corporate Services Approved 18/05/2016 Policy IS/006 Number Review Date 17/05/2018 Change History Version Date Summary of Change Effective Date 18/05/2016 Page Page 1 of 9

2 This policy should be considered in conjunction with the following relevant linked policies; 1. Data Protection & Confidentiality 2. Information Governance 3. Information Security Systems 4. Usage 5. Information Security Classification 6. Internet Usage 7. Social Media 8. Requesting Access, Equipment & Services 9. Records Management & Retention Policy Contents Page 1) Introduction 3 2) Definition of a Security Incident 3 3) Reporting a Security Incident 6 4) Security Incident Investigation 7 5) Findings of Sabotage or Misuse 8 6) Policy Review 8 Appendix 1 Security Incident Reporting Form Effective Date 18/05/2016 Page Page 2 of 9

3 1 Introduction 1.1 The organisation is responsible for the security and integrity of all the data it holds. The purpose of this policy is to ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how to act on it, by reporting it correctly. 1.2 The organisation must protect the data it holds using all means necessary by ensuring at all times that any incident, which could cause damage to the organisation s assets and reputation is prevented and/or minimised. 1.3 Raising awareness and fostering a culture of proactive incident reporting will help reduce the number of security incidents which often go unreported and/or unnoticed. 2 Definition of a Security Incident 2.1 There are many types of security incident, which could affect security these include (but are not limited to); Loss of confidential information Compromise of the integrity of information Denial of service Unauthorised access to systems Misuse of systems or information Theft or damage to systems Virus attacks Intrusion by hackers Loss of ID badge Missing correspondence/documents through the postal system Incorrect recipient or personal & sensitive information sent via unencrypted Exposure of uncollected print-outs Loss of mobile phones and devices Other incident types include, 2.2 Computers left unlocked when unattended users of the organisation s network are continually reminded of the importance of locking their computer screens when not in use or when leaving their computer unattended for any length of time. All employees, consultants, agency workers and volunteers must lock their screens without exception when not in use the quickest way to carry this out is to use the windows key and press L. Should an Effective Date 18/05/2016 Page Page 3 of 9

4 employee discover an unlocked computer, they should lock it and notify the individual of their action never send joke s from someone s account to make a point. Continual failure to lock their screen when not in use should be reported as an incident for further investigation and action. 2.3 Password disclosures Authorised users are issued with a logon of Username and Password combination to allow access to systems and data. It is imperative that individual passwords are not disclosed to others regardless of trust. If an individual needs access to a specific set of data or system then they must go through the correct procedures for access authorisation in their own right there are no exceptions to this. If anyone suspects that their or any other user s password has been disclosed, whether intentionally, inadvertently or accidentally then this must be reported as an incident. 2.4 Bogus s is a popular method for 3 rd parties to either trick an individual to disclose personal or sensitive data or introduce a virus/malware or malicious code into the organisation s network. All users of the organisation s IT systems are required to be vigilant and reduce the risk from attack. Traits to look out for to identify a bogus are; The message contains a mismatched URL The message contains poor spelling and grammar The message asks for personal information The offer seems too good to be true You didn't initiate the action The message makes unrealistic threats Something just doesn't look right 2.5 Bogus s containing macros or hyperlinks will contain a virus/malware and/or malicious code, which could disable the network and severely impact on business operations. Should a user receive such an it is absolutely vital that if they do inadvertently open the , they absolutely must not click any hyperlinks or enable macros. This should then be reported as an incident immediately. 2.6 As a reminder s from the following (but not limited to) HMRC Various Banks (in particular Santander ) especially if you are not in the finance team Tesco regarding a delivery Companies House PayPal (check the URL) A Nigerian Prince Effective Date 18/05/2016 Page Page 4 of 9

5 Anyone offering you a significant refund (inc. PPI) for a service you haven t used are bogus and should be deleted. If you are ever unsure about the legitimacy of an , seek advice from the IT section or Quality & Compliance Manager before you open the Media Loss Use of portable media such as CD, DVD, USB s, HD Drives etc for storing data requires the user to be fully aware of the responsibilities of using such devices. The use of laptops, tablets, smart phones and many other portable devices increases the potential for data to be exposed and vulnerable to unauthorised access. Any authorised user of a portable device (including portable media) who has misplaced or suspects damage (whether intentional or accidental) or theft must report it as an incident. 2.8 Data Loss/Disclosure the potential for data loss does not only apply to portable media but it also applies to data which is; Transmitted over the network and reaching an unintended, unauthorised recipient. Intercepted over the internet through non-secure channels Posting of data on the internet whether accidental or intentional Published on the organisation s website and identified as inaccurate or inappropriate Conversationally - information disclosed during conversation Press or media unauthorised disclosure by employees or an ill advised representative to the press or media Data which can no longer be located and is unaccounted for on an IT system Uncollected printouts Paper copies of data and information which can no longer be located Hard copies of information and data accessible from desks, unlocked filing cabinets and unattended areas. 2.9 All employees, consultants, agency workers and volunteers must act responsibly, professionally and be mindful of the importance of maintaining the security and integrity of organisational data at all times. Any loss of data and/or disclosure to unauthorised parties must be reported immediately. Effective Date 18/05/2016 Page Page 5 of 9

6 3 Reporting a Security Incident 3.1 All security incidents or suspected security incidents should be reported, with as much detail as possible, immediately. 3.2 To help understand who to report what type of security incident to please see the flowchart below; Is it a security incident? Not sure? Yes Speak to the Quality & Compliance Manager for further advice Does the incident involve IT Systems (inc. ) or mobile devices? No Yes Report the incident to the Quality & Compliance Manager Report the incident to the IT Section The Quality & Compliance Manager (depending on type & severity), notifies the Executive Team / DWP Security Team / Caldicott Guardian etc IT Section to notify the Quality & Compliance Manager Effective Date 18/05/2016 Page Page 6 of 9

7 3.3 When reporting a security incident, you must include as much information as possible including; What type of security incident it is When the incident happened If you think/know that customer data has been affected How it s thought the breach occurred Names of any other people involved/affected 3.4 The Security Incident form (appendix 1) should be completed as soon as possible and sent to the Quality & Compliance Manager however the incident should be reported verbally in the first instance as time is of the essence, especially with security incidents involving the network or IT systems. 3.5 IT users should be aware that security incidents which involve their IT account (inc. ) may lose access temporarily, until the scope of the incident and threat to the rest of the network and IT systems is established. 3.6 The Quality & Compliance Manager records all incidents on the Security Incident Register. This information is routinely reported to the Executive Team on a bi-annual basis. 3.7 The Quality & Compliance Manager will also notify the appropriate bodies following a security incident for example the Caldicott Guardian if the breach involves NHS data or the DWP Security Team. 4 Security Incident Investigation 4.1 The Quality & Compliance Manager (with support from the IT Section as appropriate) will carry out an investigation for security incidents in order to establish the scope of the breach or loss, damage caused, risk to the organisation and preventative actions required to stop future occurrences. 4.2 Where security incidents involve IT systems or the network then access to other accounts or I / U drives may be required. The organisation reserves the right to inspect any and all files stored in private areas of our network as part of a security incident investigation. 4.3 The organisation has software and systems in place to monitor and record all and internet usage. No employee, consultant, agency worker or volunteer should have any expectation of privacy as to their usage, IT account contents or internet usage via the organisations network. Effective Date 18/05/2016 Page Page 7 of 9

8 4.4 If access to another individuals account is required as part of an investigation then permission will be sought from a member of the Executive Team. When appropriate, employees will be notified of this action. 4.5 Once the investigation is complete, a report (if appropriate) will be submitted to the Executive Team for review and action. Other parties, such as the DWP Security Team, will also receive a copy of the report along with any corrective actions as appropriate. 5 Findings of Sabotage or Misuse 5.1 The organisation expects all users with access to customer personal & sensitive information to respect the need for confidentiality and to avoid improper use or transfer of such information. Inappropriate IT or data usage will be managed within the organisation s Disciplinary policy. Any user who fails to adhere to these principles will subject themselves to disciplinary action, up to and including, dismissal, in addition such unauthorised access is liable for prosecution as a criminal offence under Section 55 of the Data protection Act 1998 and/or legal action under the Computer Misuse Act Policy Review 6.1 This policy will be reviewed every two years unless there is a change of law, guidelines or contractual obligation and maybe subject to change. Effective Date 18/05/2016 Page Page 8 of 9

9 Appendix 1 Information Security Incident Report Form Please complete this form as fully as you are able as this will help with actions to contain and manage the incident to prevent further breach and/or loss. Name Team Location Date Line-Manager IT Section Verbally Notified? Yes/No* Quality & Compliance Manager Notified? Yes/No* Type of Security Incident please tick as appropriate; Loss of Confidential data Information integrity compromised Virus Attack Misuse of systems/data Unauthorised access to systems Denial of Service Loss of ID Badge Theft or damage to systems Intrusion by Hackers Data sent via unencrypted Missing Documents in Post system Uncollected printed documents Loss of mobile phone/device sent to incorrect recipient VDU unlocked & unattended Password Disclosures Bogus Media Loss (USB etc..) Unauthorised posting on the internet Data loss via conversation Data missing from IT system (folders etc) Hard copy data accessible from desks/unlocked Unauthorised disclosure to press / media filing cabinets etc.. Other please describe: Date of Incident Time of incident (if known) Type of data involved Customer* / Staff* / Financial* / Business* / NHS* / DWP* / Other* please state: Please describe the incident including any events leading up to it and/or actions taken by you *please delete as appropriate Please send this form to the Quality & Compliance Manager as soon as possible Effective Date 18/05/2016 Page Page 9 of 9