Incident Response Guidance for Unclassified Information Systems



Similar documents
How To Audit The Mint'S Information Technology

Data Security Incident Response Plan. [Insert Organization Name]

Information Technology Policy

Computer Security Incident Response Team

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Computer Security Incident Response Team

IT Security Incident Management Policies and Practices

DUUS Information Technology (IT) Incident Management Standard

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Incident Reporting Guidelines for Constituents (Public)

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Legislative Language

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Network Security Policy

IMS-ISA Incident Response Guideline

Information Security Incident Management Guidelines

Information Security Handbook

Security Incident Procedures Response and Reporting Policy

Computer Security Incident Reporting and Response Policy

Cyber Incident Response

Information Security Incident Management Guidelines. e-governance

Threat Management: Incident Handling. Incident Response Plan

Evaluation Report. Office of Inspector General

INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION PROCESS, APPROVAL TO OPERATE

Information Resource Management Directive USAP Information Security Incident Management

GEARS Cyber-Security Services

IT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data

Incident Response Team Responsibilities

Business & Finance Information Security Incident Response Policy

Attachment F. Incident Response

Incident Handling Procedure

DBC 999 Incident Reporting Procedure

Standard: Information Security Incident Management

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

ADS Chapter 544 Technical Architecture Design, Development, and Management

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

UBC Incident Response Plan

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

PBGC Information Security Policy

Public Law th Congress An Act

APHIS INTERNET USE AND SECURITY POLICY

Cyber Security: Cyber Incident Response Guide. A Non-Technical Guide. Essential for Business Managers Office Managers Operations Managers.

SUPPLIER SECURITY STANDARD

Incident Response Plan for PCI-DSS Compliance

Local Government Cyber Security:

Data Management & Protection: Common Definitions

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

Service Children s Education

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

UCF Security Incident Response Plan High Level

Network Security Policy

The statements in this policy document establish HEALTHeLINK's expectations with respect to incident management.

California State University, Chico. Information Security Incident Management Plan

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Cyber Security Incident Reporting Scheme

The intended audience is system administrators, Directors, and Department Heads.

T141 Computer Systems Technician MTCU Code Program Learning Outcomes

Attachment A. Identification of Risks/Cybersecurity Governance

Data Management Policies. Sage ERP Online

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

Office of Inspector General

Network & Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY POLICY

Office of Inspector General

Montana Tech Escalation Procedures for. Security Incidents

State of South Carolina Policy Guidance and Training

Incident categories. Version (final version) Procedure (PRO 303)

External Supplier Control Requirements

Your Agency Just Had a Privacy Breach Now What?

Office of Inspector General

Audit of the Department of State Information Security Program

Risk Management Guide for Information Technology Systems. NIST SP Overview

TSA audit - How Well Does It Measure Network Security?

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Guidelines 1 on Information Technology Security

Security Policy for External Customers

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Technical Standards for Information Security Measures for the Central Government Computer Systems

787 Wye Road, Akron, Ohio P F

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

GAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony

CONTENTS. Introduction Page 2. Scope.Page 2. Policy Statements Pages 2-3. Major IT Security Incidents Defined... Page 3

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

PERSONALLY IDENTIFIABLE INFORMATION (Pin BREACH NOTIFICATION CONTROLS

ISMS Implementation Guide

The University of Tennessee Chattanooga Incident Response Plan

The Ministry of Information & Communication Technology MICT

VMware vcloud Air HIPAA Matrix

Document Title: System Administrator Policy

S E R V E R C E N T R E H O S T I N G

Final Audit Report. Report No. 4A-CI-OO

Transcription:

Mandatory Reference: 545 File Name: 545mad_051503_cd32 Revision: 05/15/2003 Effective Date: 05/23/2003 Incident Response Guidance for Unclassified Information Systems Recent Government Information Security Reform (GISR) legislation and regulatory guidance stress the importance of incident response in protecting information systems (IS). If an incident occurs, a prompt and coordinated response can limit damage, speed recovery, and help restore service to users. A. Computer Security Incident A computer security incident is an occurrence having actual or potentially harmful effects on an information technology (IT) system. The types of activity widely recognized as harmful include, but are not limited to, the following: 1. Attempts (either failed or successful) to gain unauthorized access to (or use of) a system or its data; 2. Unwanted disruption or denial of service; 3. Unauthorized changes to system hardware, firmware, or software, including adding malicious code (such as viruses); or 4. Detection of symptoms of the above, such as altered or damaged files, virus infection messages appearing during start-up, inability to log in, etc. Note: Not every event that fits these definitions requires an incident response. For example, we expect routine attempts to send viruses into the system, and these are foiled daily by key countermeasures. Such expected and unsuccessful events do not need to be treated as computer security incidents. On the other hand, incidents that are unexpected, are successful (or nearly successful), or indicate a new vulnerability, threat source, or motivation must be reported. Likewise, individual threats that cause an estimated harm of over $15,000 must be reported, even if expected or routine. If there is doubt about whether to report an incident, it should be reported. The Computer Incident Response Team (CIRT) (see section B.6) will determine the level of response and documentation needed. *Asterisks indicate that the adjacent material is new or substantively revised. 1

B. Incident Reporting Process The following steps and the Incident Reporting Process Chart in Section C demonstrate the duties of system users, system administrators, and IS management when a suspected computer security incident occurs. 1. Individual system user duties include Stopping all work on the computer; At Missions, quickly reporting a suspected or actual incident to the local System Information System Security Officer (ISSO) 1 and System Manager; In USAID/W, calling the IRM Help Desk at (202) 712-1234 or sending an e-mail from an unaffected computer to irmhelpdesk@usaid.gov; and After business hours, calling the USAID Security Operations Center at (202) 712-5644. 2. The IRM Help Desk duties include a. In preparation for incidents Maintaining an up-to-date list of USAID/W System Owners, System Managers/IT Specialists, and System ISSOs for each system. For the list of current ISSOs, see Mission and System ISSOs (this list is only available to those with USAID intranet access). Developing procedures for handling after-hours calls regarding possible computer security incidents, including a phone message referring after-hours callers who need to report a possible computer security incident to the USAID Security Operations Center at (202) 712-5644. b. Identification Creating a Remedy ticket regarding the possible incident; and Notifying the appropriate System Managers or IT Specialists. c. After the CIRT resolves the incident or deems the anomaly a non-incident Closing the Remedy ticket; and 1 Mission ISSOs are considered to be System ISSOs *Asterisks indicate that the adjacent material is new or substantively revised. 2

Ensuring that the initial reporter of the incident and any others who may have been affected are aware that they may use their computer again. 3. USAID Security Operations Center duties include Referring possible computer security incidents reported by Missions during non-duty hours to the first available IRM Security representative on the Emergency Computer Security Incident POC List 2. (This list is Sensitive But Unclassified (SBU) and is only available to those with intranet access.) 4. The System Manager/IT Specialist of the system involved in the possible incident duties include a. Identification Quickly and briefly investigating system anomalies to determine if a possible computer security incident is taking place or has occurred involving their system; If the System Manager/IT Specialist determines the event is a possible incident, notifying the System ISSO and system owner; and If the System Manager/IT Specialist believes the event to be a nonincident, notifying the IRM Help Desk. 5. System ISSO duties include a. Upon notification of a possible incident Notifying and activating the Computer Incident Response Team (CIRT) based on the system involved (see Figure 1); and Serving as the initial CIRT Team Chief. If more than one system is involved, the USAID ISSO becomes the CIRT Team Chief. 6. The CIRT consists of the System ISSO (the initial Team Chief for the incident), the System Manager, a computer security subject matter expert (SME) from the Emergency Computer Security Incident POC List, a core group of representatives called in for each platform involved, and the Bureau for Management, Office of Information Resources Management, 2 System/Mission ISSO may call the Security Operations Center for Emergency Computer Security Incident POC names and phone numbers. *Asterisks indicate that the adjacent material is new or substantively revised. 3

Telecommunications and Computer Operations Division (M/IRM/TCO) Network Operations Center (NOC) Manager if TCO systems are involved. (See Figure 1) Figure 1 - Computer Incident Response Team The duties of the CIRT include a. Identification *Declaring the anomaly a non-incident and notifying the USAID ISSO at isso@usaid.gov and the IRM Help Desk at irmhelpdesk@usaid.gov; or Declaring the event a computer security incident. b. Upon validation of an incident Instructing the user on whether and/or how to proceed; *Notifying the USAID ISSO at isso@usaid.gov within 24 clock hours; Identifying whether other systems are involved; Formulating a plan of action for containment and eradication, and recovery of systems and data; Assigning a priority level sufficient to ensure the availability of any required resources. Any resource designated must be exclusively dedicated to and focused on the investigation until the issue is concluded; Starting detailed documentation in an incident log, noting the event date and time, summarizing the anomaly, describing their own activities and those of a possible intruder or of malicious code, and documenting time and costs associated with resolving the incident; and *Promptly submitting initial and all subsequent reports, including information required for the Information Systems Security Incident Report (Section D of this reference), on the incident to the USAID ISSO at isso@usaid.gov. c. During containment, eradication, and recovery *Asterisks indicate that the adjacent material is new or substantively revised. 4

Taking screen captures and/or snapshots of pertinent files within the first half-hour of any incident investigation (backing up files may also be required); Securing and protecting the affected system(s) and all related media as directed by the designated ISSO; Identifying risks to systems or data, including any significant operational impact caused by the computer security incident, and coordinating organization-specific issues that might affect any response plan their designated ISSO may need to communicate to the USAID ISSO; Continuing to investigate, report on, and mitigate the incident until resolution; Reducing/eliminating risk and cleaning up the system; Maintaining documentation; and *Notifying the IRM Help Desk at irm-helpdesk@usaid.gov and the USAID ISSO at isso@usaid.gov of the resolution. d. Lessons learned Documenting notable lessons learned from the CIRT perspective and providing them to the USAID ISSO. 7. The USAID ISSO duties include a. In preparation for incidents Identifying and assisting in the assignment of needed resources to support the CIRT; Communicating to all users of USAID information systems the incident response requirements outlined in this document; and Providing specialized training for personnel with specific Incident Response responsibilities. b. During containment, eradication, and recovery Assisting the CIRT, and if more than one system is involved, assuming the position of CIRT Team Chief, and setting up an Agency-level CIRT; *Asterisks indicate that the adjacent material is new or substantively revised. 5

Notifying the Director, M/IRM, the Chief Information Officer (CIO), and the Director, Office of Security (SEC) of significant computer security incidents; Working with law enforcement, users, and/or System Administrators, network managers/administrators, and local designated ISSO(s) to advise on response actions; Collecting information from the CIRT required for the Information Systems Security Incident Report (Section D of this reference); and Submitting the Information Systems Security Incident Report, within a median time of five business days, on behalf of USAID to the General Service Administration's Federal Computer Incident Response Capability (FEDCIRC). c. Lessons learned Including lessons learned in security training and policy development; and Notifying the Office of Inspector General (OIG) about computer security incidents involving any apparent violation of laws, rules, or regulations. The specific procedures contained in this Mandatory Reference have been coordinated with key offices, including the Office of the General Counsel (GC), SEC, OIG, and the USAID ISSO. *Asterisks indicate that the adjacent material is new or substantively revised. 6

C. Incident Reporting Process Chart The following Incident Reporting Process Chart outlines the duties of system users, system administrators, and IS management, as detailed in Section B. User Reports Abnormal Event/ Activity or Suspected Incident to Help Desk 3 Help Desk Notifies System Manager Create/Update Remedy Ticket Communicate to System Administrators/ISSOs/ Users Yes Possible Incident? No System Manager Notifies Help Desk System Manager Notifies System ISSO System Manager Notifies System Owner Maintain Documentation System ISSO Activates CIRT 1 Incident? No CIRT Notifies Help Desk Yes CIRT Notifies & Reports to USAID ISSO Incident Contained, Eradicated, and Resolved Maintain Documentation & Reports USAID ISSO Notifies Director of M/IRM, CIO, & SEC USAID ISSO Reports to FEDCIRC and Other Authorities Update safeguards, procedures, etc. 3 3 Please note that procedures may be different in Missions or when calling after hours at USAID/W. Please see paragraph B.1 for details. *Asterisks indicate that the adjacent material is new or substantively revised. 7

D. United States Agency for International Development Information Systems Security Incident Report Incident Number: Category (defined below): 1 2 3 4 5 6 7 8 Date of Incident: Time of Incident: 1. Reporting Organization Information: Organization: Name: Section: Telephone #: E-mail Address: 2. Target Host Information: Host IP: Host Machine Name: Classification Levels: Classified /Sensitive But Unclassified /Non-Sensitive System Mission: Operating System: 3. Source(s) Information: Source(s) IP: Source Host Name: Source Name and Address: 4. Intrusion Information: Type of Incident or Attack: How Detected: Description of Incident: Was System Compromised? Yes No Impact on Operation: Countermeasure(s): 5. Notification: Network Administrator: Firewall Administrator: LAN Administrator: Network Security: Virus Section: Information Systems Security Officer: Federal Computer Incident Response Team: Law Enforcement Agency: Incident Category Definitions: Cat # Definition Cat # Definition 1 Unauthorized Root / Administrative Access 5 Poor Security Practice 2 Unauthorized User Access 6 Unauthorized Probe / Information Gathering 3 Unauthorized Attempted Access 7 Malicious Logic 4 Denial of Service 8 Misuse 545mad_051503_w052303 *Asterisks indicate that the adjacent material is new or substantively revised. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information