NHS Business Services Authority Information Security Incident Handling Procedure



Similar documents
NHS Business Services Authority Information Security Policy

Information security policy

DBC 999 Incident Reporting Procedure

Information Incident Management Policy

Information Security Management System (ISMS) Policy

Information Security

Information Security Incident Management Policy

Data Security Incident Response Plan. [Insert Organization Name]

University of Sunderland Business Assurance Information Security Policy

NHS Business Services Authority Registration Authority and Smartcard Management Procedure

Incident reporting procedure

Data Management Policies. Sage ERP Online

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Security Incident Management Policy

Counter Fraud and Security Management Service complaints handling policy and procedure

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

IT Security Incident Management Policies and Practices

Information Security Incident Management Policy and Procedure

NHS Business Services Authority Information Governance Policy

Incident Response Plan for PCI-DSS Compliance

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

Security Incident Management Process. Prepared by Carl Blackett

California State University, Chico. Information Security Incident Management Plan

Aberdeen City Council IT Security (Network and perimeter)

ISO Information Security Management Systems Foundation

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

DUUS Information Technology (IT) Incident Management Standard

USE OF PERSONAL MOBILE DEVICES POLICY

Information Technology Services Information Security Incident Response Plan

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

University of St Andrews Out of Hours Protocol Appendices: A- CCTV Code of Practice B- Service Level Statement

IT Security Incident Response Protocol McGill University

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Electronic Trading Information Template

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Corporate Information Security Policy

Information Security Policy. Chapter 10. Information Security Incident Management Policy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

INFORMATION TECHNOLOGY SECURITY STANDARDS

NHS Business Services Authority Records Management Audit Framework

Defensible Strategy To. Cyber Incident Response

How To Audit The Mint'S Information Technology

INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

Information Governance Policy

Incident Response. Six Best Practices for Managing Cyber Breaches. Nick Pollard, Senior Director Professional Services EMEA / APAC, Guidance Software

Domain 1 The Process of Auditing Information Systems

Incident Manager. Notified. Major Incident? YES. Major Incident Declared. Initial Communication Drafted. MIH At A Glance. Major Incident Ended

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Staff Investigation Protocol

(NOTE: ALL BS7799 REFERENCES IN THIS DOCUMENT ARE FROM BS7799-2:1999 and SHOULD BE AMENDED TO REFLECT BS7799-2:2002)

Security Incident Policy

ITIL Example change management procedure

University of Hong Kong. Emergency Management Plan

University of Liverpool

<COMPANY> P01 - Information Security Policy

Business Continuity Policy and Business Continuity Management System

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Policy Document Control Page

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

TELEFÓNICA UK LTD. Introduction to Security Policy

Birmingham City Council Internet Monitoring Standard

CRITICAL/NON CRITICAL INCIDENT MANAGEMENT AND REPORTING PROCEDURE

Policies and Procedures. Policy on the Handling of Complaints

INFORMATION SECURITY INCIDENT REPORTING POLICY

Standard: Information Security Incident Management

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

Information Management and Security Policy

BUSINESS CONTINUITY PLAN

Rotherham CCG Network Security Policy V2.0

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction Policy Statement Purpose...

Dealing with customer complaints and compliments procedure

ISO Controls and Objectives

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

UBC Incident Response Plan

Computer Forensics Preparation

UCF Security Incident Response Plan High Level

Business continuity management policy

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

INFORMATION SECURITY POLICY

ISO27001 Controls and Objectives

Transcription:

NHS Business Services Authority Information Security Incident Handling Procedure NHS Business Services Authority Corporate Secretariat NHSBSAIS003

Issue Sheet Document reference NHSBSAIS003 Document location F:\CEO\IGM\IS\BSA Title NHS Business Services Information Security Incident Handling Procedure Author Gordon Wanless Issued to NHSBSA Information Security Staff Why issued For action Last Reviewed 27 January 2011 Revision Details Version Date Amended by Approved by Details of amendments Initial Release 27.1.2011 - IGSG -

Contents Page 1. Introduction and Scope 1 2. Incident Containment 1 3. Incident Resolution 1 Appendix A Flowchart 1 Meeting\NHSBSAIS003 - NHSBSA Information Security Incident Handling Procedure.DOC Page 3 of 8

1 Introduction and Scope This procedure provides guidance on the handling of security incidents, breaches or suspected incidents and breaches. The scope of this document is limited to those security incidents that affect the NHSBSA only. The reporting of security incidents is covered in the procedure titled NHS Business Services Authority Information Security Incident Reporting Procedure. This procedure is solely concerned with the handling of reported security incidents. 2 Incident Containment The underlying aim of the Containment stage of the handling process is to limit the actual and potential impact of the breach. There are three key elements of containment: limiting the impact of the breach; preserving the evidence of the breach; controlling awareness of the breach. 2.1 Limiting the Impact Action taken to limit the impact of a breach will rely heavily on a person s understanding of the risks and issues involved. For example a System Administrator will understand the need to quarantine a virus infected client. Similarly, a member of the security team might take the decision to evacuate areas of the site following discovery of a suspect package. 2.2 Preserving the Evidence When taking action to limit the impact of an incident, care should be taken not to destroy or disturb any evidence which might later help in the identification of its cause. Controls should be put in place to prevent other staff from likewise interfering with evidence. 2.2.1 Evidence Identification Log All evidence identified following an incident should be recorded on an Evidence Identification Form. This will allow an auditable record to be maintained of all evidence associated with an incident. All evidence collected under the respective security incident must be entered within this form. The format of Evidence no must be in a sequence concatenated to the security incident number, for example: if 3 items of evidence have been collected for a

security incident with number 123, the Evidence Numbers on the Evidence Identification Log must read 123-1, 123-2 and 123-3. 2.3 Controlling Awareness There are a number of reasons why controlling the sphere of knowledge about an incident may be vitally important. A failure to do so may seriously impact the speed of an incident s resolution and the viability of any subsequent investigation. The following factors should be considered: Avoiding Panic - Certain types of incident such as bomb threats and fire evacuations have the potential to cause panic where information about the situation is not properly controlled. Rather than giving guidance that is hasty and ill-considered, the steps of Detection and Confirmation (see above) should occur wherever there is sufficient time. A delay in releasing information may also be desirable in such circumstances to allow other measures to be put in place e.g. Evacuation-Coordination Teams or Fire Warden organisation. By limiting knowledge to such a group the risk of the relevant facts and issues being obscured by misinformation and unqualified advice are greatly reduced. Maintaining Confidentiality - During any incident there may be sensitivity issues to be considered (from both a commercial and legal/regulatory perspective.) In dealing with an incident staff should always be wary of taking action which might: compromise protectively marked material; result in unnecessary negative publicity or otherwise cause commercial embarrassment. Although these considerations of confidentiality are secondary to the concerns of system integrity and the safety of staff, they are nonetheless important factors. 3 Incident Resolution Once the incident has been Identified and Contained, efforts can then be focused on finding an appropriate solution. The fundamental features of any solution should be investigation, action (and follow-up/record-keeping.) The order in which they are implemented depends upon the nature of the incident. For NHS Pensions only, on receipt of the incident form the HoIG will log the incident onto the information security incidents register. After the HoIG has entered the incident details into the Central Register he will provide a copy of the incident reporting form to the NHS Pensions Information Security Manager (ISM) (or delegated person) to initiate the appropriate investigation. 3.1 Investigation Wherever possible there should be a thorough investigation into the cause and extent of a breach before any corrective action is taken. Attempting to fix a problem that isn t properly understood creates a risk of exacerbating it. Once the Meeting\NHSBSAIS003 - NHSBSA Information Security Incident Handling Procedure.DOC Page 5 of 8

situation has been suitably analysed, a solution should be devised and implemented through the coordination of technical, security and management resources. In certain circumstances the need for action will be significantly more urgent, meaning that the amount of investigation time available is limited. In such circumstances qualified individuals may take immediate action (ideally with Management authority) to solve the problem. An example of this would be where a network breach has been identified and contained, and an immediate solution is available to restore the system (e.g. vulnerability patch.) System Administrators might feel that in these circumstances the overriding requirement of system availability warrants implementation of the solution before a full investigation into the breach can take place. 3.2 Action What action is to be taken in solving any particular security incident will depend upon: the results of the investigation (see above) guidance given in the specific incident procedures The judgement of qualified individuals on the scene Where the solution to be implemented may potentially cause disruption to system processes or loss of data, all efforts should be made to provide an adequate back-out plan. Some incidents may involve invoking the NHSBSA Disciplinary Procedures. Incidents that are deemed to be a disciplinary offence are detailed within the NHSBSA Disciplinary Procedures and the NHSBSA Information Security Policy. 3.3 Follow-Up Once a solution has been implemented and the incident closed, it is vital that time is taken to learn lessons. There should be a debriefing involving all relevant parties to answer the following questions: Review Questions Is their a consensus as to the cause of the incident? Were there any specific weaknesses that allowed the incident to occur / worsen? How quickly was the problem detected / confirmed? Were there any communication problems encountered in reporting the incident? How might these be solved for future incidents? Meeting\NHSBSAIS003 - NHSBSA Information Security Incident Handling Procedure.DOC Page 6 of 8

Was the incident limited as quickly and effectively as possible? If not what else might have been done? Was any evidence about the incident lost due to procedure failure? How might useful information about the incident have been better stored (or backed-up)? Was awareness of the incident properly contained or controlled? What effect did any leakage have on the handling of the incident? Were any other important issues raised during the incident that need to be included within the procedure? All reported incidents will be re-evaluated after a 6 month period to ensure the type of incident is no longer being reported or the volume of those incidents has dramatically reduced. If there is no change in the volume of each type of incident the IGSG will be alerted and appropriate action taken. This could be, for example, further training courses for staff or an improvement to existing security and / or confidentiality arrangements. Incidents may be used in training sessions about security and confidentiality as examples of 'real life events' relevant to the NHSBSA which can then be more easily related to by staff. This gives attendees examples of what can occur, how to respond to such events and importantly how to avoid them in the first instance. 3.4 Record Keeping Once an incident has been investigated and reviewed, the record within AMDOCS / the information security incidents register will be updated and closed off. The HoIG will also report these incidents to the Information Security Forum (ISF). Meeting\NHSBSAIS003 - NHSBSA Information Security Incident Handling Procedure.DOC Page 7 of 8

Appendix A - Flowchart NHSBSA Staff have reported a Security Incident (logged with Capita Service Desk under the classification of Information Security or if NHS Pensions only to the HoIG) this will be logged in the Capita Service Desk Tool Amdocs or for NHS Pensions only, the information security incidents register. Capita Service Desk Inform Capita Infosec Team who then inform CFSMS ITSO/ITSM to evaluate situation. ITSO may need to report incident Escalate to other Incident (Forensics/ITSM) to parties see below. allow a forensic image to be completed, before assigning to support personnel Incident assigned to support personnel to resolve and complete report. (Update record in Amdocs) Resolve incident complete report and inform ITSO ITSO may need to report incident to one of the following:. 1. NHSBSA Information Governance Manager - serious untoward incidents (personal data) 2. Govcert U.K. Information Security related incidents 3. Cinras Crypto Comsec issues Reviewing Security Incidents (Security Forum) Meeting\NHSBSAIS003 - NHSBSA Information Security Incident Handling Procedure.DOC Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information