Incident Response Team Responsibilities

Transcription

1 Scope Any incidents that originate from, are directed towards, or transit Department of Earth and Planetary Sciences controlled computer or network resources will fall under the purview of this Incident Response Plan. Incident types include, but are not limited to, denial of service, port scans, system break- ins, e- mail abuse, copyright infringement, and non- acceptable use. Definitions Incident: An event that has actual or potential adverse effects on computer or network resources such as misuse or abuse; compromise of information; or loss or damage of property or information. Earth and Planetary Sciences Incident Response Team (IRT): The IRT is an ad hoc group of technical and functional specialists. Typically the team will consist of the systems manager, the department chair, and the MSO. Other specialists may be included, as appropriate. Incident Response Team Responsibilities Prior to plan implementation: Develop and maintain incident classification scheme Following plan implementation: Monitor e- mail from campus security administrators, campus secalert system, and department helpdesk for incident reports Respond to reported incidents Upon incident confirmation Classify incidents by priority Determine if incident can be investigated Assess scope of incident damage and communicate incident details to IET support organizations Control and contain incident Collect, document and preserve incident evidence Maintain chain of custody of all incident evidence Interview individuals involved in incident Conduct investigation to identify incident root cause or source, extent of damage, and recommended counter action Follow all policies, laws and regulations relating to privacy Consult with law enforcement agencies, as authorized Following incident containment: Coordinate release of information with public communications staff Prepare reports describing incident investigations 1

2 Prepare recommendations to prevent future similar incidents Prepare recommendations to disrupt incident and/or reduce of incident Prepare recommendations to bypass or correct conditions leading to incident Assist recovery from incident, where applicable Monitor recovery Identify IRT operational improvements Reporting New Incidents A department member or anyone affected by a department computing security incident should report the suspected incident by e- mail (gel- [email protected]). Incident reports will be recorded into a Helpdesk ticket and will be directed to the IRT. If is adversely ed by the incident, report by phone to (530) (voice mail is available). The following information should be obtained from individuals reporting incidents: Contact information Brief description of the incident Log information including date, time, time zone Address of the source of the attack Target network information, if available The IRT will acknowledge receipt of the reported incident. All user reports will be analyzed and prioritized in order to generate an appropriate response plan. In the nontechnical domain, determine what business process the affected system supports. The business process affects the value of the system to the organization, which in turn influences the priority level of the response process that follows. The scope of the IRT response will be determined by the incident priority rating, or as directed by senior campus administrators. Report Exceptions Incidents meeting the following characteristics will be handled as an exception to the above reporting process. Confidential subject matter - Incidents involving restricted data will be directly reported to the EIT Security Coordinator or Vice Provost, Information and Educational Technology. Restricted data is defined in BFB- IS3, Electronic Information Security ( IS- 3). Incidents involving restricted personal information (personal name in combination with Social Security number, driver license number and/or financial account information) must follow the process described in Such reports will be coordinated with the campus police department. Possible Crime - Incidents relating to the report of a possible crime should be communicated directly to the campus police department. Misuse of University Resources - Incidents pertaining to improper governmental actions (see PPM ) and/or research integrity (PPM ) should be reported via procedures contained in the respective policy. At the request of the Offices of the Chancellor and Provost, the IRT may assist investigations under the purview of the UC Investigations Coordination Workgroup. 2

3 Incident Classification Department of Earth and Planetary Sciences The IRT will use the following table as a guideline in establishing incident priority. Given the broad range of incident report subjects, this chart is a guide and cannot be strictly interpreted. Incident Factors Priority Characteristics Low Medium High Urgent Criticality Application Non Tier 1 or 2 App Tier 2 Application Tier 1 Application Tier 1 Application Criticality Infrastructure No Limited scope Campus- wide Campus- wide Impact User/system Affects a few people or a few systems Department- wide Campus- wide Campus- wide Impact Public None Potential Likely Definite Countermeasures Solutions are readily available Weak countermeasures No countermeasures No countermeasures Resolution procedures Available and well- Resolution defined procedure not well- defined, bypass available No resolution procedures or bypass available No resolution procedures or bypass available Incidents classified with a low priority rating may be handled by semi- automated means and may not require any further escalation. Incidents receiving a high or urgent priority classification will receive the highest priority of IRT resources and will be reported to the EIT Security Coordinator, campus security infrastructure, and [email protected]. Once the EIT Security Coordinator has been notified of an incident escalation to a medium or higher rating, the department IRT will work in support of the campus IRT. The incident priority classification will also determine the degree of of campus senior administrators in respect to the incident investigation. The following table describes the typical participation levels for the UC Davis Investigations Coordination Workgroup, EIT Security Coordinator and Vice Provost, Information and Educational Technology 3

4 Incident Response Advisory Group Office of the Vice Provost, IET UC Davis Investigations Coordination Workgroup Priority Participation Low Medium High Urgent None EIT Security VP- IET Contacted Coordinator by EIT Security alerted by Coordinator IRT Receives alerts priority escalation and de- escalation VP- IET Contacted by EIT Security Coordinator Receives alerts priority escalation and de- escalation Approves incident closure None None Alerted by Campus EIT Security Coordinator Receives alerts priority escalation and de- escalation Authorizes external law enforcement Alerted by Campus EIT Security Coordinator Approves incident closure Receives alerts priority escalation and de- escalation Authorizes external law enforcement Incident Classification Escalation/De- escalation All new incidents will be assigned a priority rating by the IRT. Incident ratings may change as more information about the incident becomes available and is reviewed by the IRT. The IRT will determine if an incident rating should be escalated or de- escalated. The same criteria used initially to rate an incident will be used to escalate or deescalate the priority rating. If an incident is escalated to a medium or higher rating, the IRT shall inform the EIT Security Coordinator or designee via e- mail, page or telephone about the incident and the reason for the escalation. Once the EIT Security Coordinator has been notified of an incident escalation to a medium or higher rating, the department IRT will work in support of the campus IRT. If an incident is escalated from a medium priority rating to a higher priority rating, the EIT Security Coordinator, or designee, will notify the UC Davis Investigations Coordination Workgroup and Vice Provost, Information and Educational Technology. If an incident is de- escalated from either an urgent or high rating to a medium or low priority rating, the IRT must receive approval from the EIT Security Coordinator or designee. In such cases, the reason for the de- escalation will be documented within the incident investigation. Such de- escalation will be communicated by the EIT Security Coordinator or designee to the Vice Provost, Information and Educational Technology and, if appropriate, UC Davis Investigations Coordination Workgroup. 4

5 If the incident priority was previously rated as medium and is downgraded to low, the IRT will notify the EIT Security Coordinator or designee describing the priority change. The reason for the de- escalation will be documented within the incident. Incident Investigation Process The definition of an incident is purposely made inclusive, however it is foreseen that many events classified with a low priority may be handled by semi- automated means and not require any further escalation. Those events classified with a low priority rating will follow standard procedures, reflective of the units that perform those responsibilities. The incident investigation process defined in this section is geared toward incidents with a high or urgent priority rating. The incident investigation process follows the general objectives of investigation methodology, including: Conduct objective, thorough and timely incident investigations Preserve individual privacy rights Collect, preserve and protect incident/investigation data Maintain confidentiality as required Maintain thorough documentation of entire investigation process. Safeguard investigation material/documentation Maintain chain of custody of investigation material/documentation Develop conclusions fully supported by facts in evidence Conduct a post- incident review of investigation and document policy or procedural issues that enhanced or hindered the incident detection, monitoring, investigation and subsequent development and implementation of corrective or problem bypass measures. Phase One Identification and Assessment Steps Identify and verify problem (incident types and descriptions) Characterize the damage and extent of the problem, rate the incident priority Determine what investigation actions are to be taken Determine IRT resources are required to conduct the investigation, request/secure hardware, software, personnel resources Communicate with parties that need to be aware of the investigation Phase Two Containment, Mitigation, and Eradication Collect and protect of information associated with an incident investigation Contain the incident and determine further recovery or bypass actions to taken. Caveat: Isolating network services may adversely business continuity. Incident responders cannot arbitrarily take down links between business- critical systems without approval of the business unit manager, and only after a thorough briefing on the pros and cons of such action. Eliminate intruder's means of access and any related vulnerabilities. 5

6 Phase Three Recovery and Follow- up Return the systems to normal operations Close out the problem and follow up with a periodic post mortem review of the investigation. See Incident Closure section for details. Prepare and publish report, as required. If an incident has a rating of urgent, a brief formal report will be submitted by the EIT Security Coordinator to the UC Davis Investigations Coordination Workgroup upon closure of the incident. The report shall describe the incident, investigation methods, general conclusion, recommendations to avoid future related incidents and, if appropriate, lessons learned from the investigation. Incident Tracking and Reporting The Incident Response Team will log, track and document the investigation and resolution of all security incidents. If an incident has a medium or higher priority rating, it is appropriate for the MSO to assign clerical staff to the IRT in order to facilitate logging developments into the trouble ticketing system and to assist in circulating updates to the affected parties. The trouble ticket data for a particular incident investigation will not include any personally identifiable confidential information. Confidential information includes restricted personal information (personal name with Social Security number, drivers license number and/or personal financial account information), respondent and reporter name in an incident relating to a research conduct investigation (see PPM ) and protected health information (see PPM ). Incident Closure Once the systems have been returned to normal operations, the IRT will verify that all corrective and/or preventive tasks are complete and that local services have been restored. In cases where an organizational unit external to Information and Educational Technology is responsible for incident resolution, the IRT Lead will monitor and document incident resolution. If an incident is rated as a low or medium priority, the IRT may close the related ticket. If an incident is rated with a high or urgent priority, the EIT Security Coordinator or designee must review closure of the incident. At any time, the Chancellor or Provost; Vice Provost, Information and Educational Technology; or EIT Security Coordinator may terminate an incident investigation, regardless of incident priority rating. If an incident is turned over to a law enforcement agency, the IRT incident investigation will, in most cases, be terminated. 6