Security Incident Management
Prepared by Carl Blackett, 19/01/2009
DOCUMENT CONTROL

Purpose of document
This document describes the Security Incident Management process and defines all associated roles and responsibilities.

Change control
Issue No | Date | Issued by | Reason for Change
0.1 | | Carl Blackett | First draft issued to Security Forum
0.2 | 30/01/09 | Carl Blackett | Second draft incorporating feedback from Security Forum
1.0 | 02/03/09 | Carl Blackett | Version 1.0 incorporating feedback from all parties
1.1 | 14/04/09 | Carl Blackett | Updated to incorporate feedback from Corporate Data Protection Officer

Distribution
Name | Organisation/role | Note
Carl Blackett | ICT Security Manager | author
Stephen Livermore | Corporate Information Security Officer | QA
Ann Carey | Client Manager | QA
Kurt Frary | e-services Technical Architect | QA
Security Forum | DISO & Deputy DISO | review

Contents
Background 3
Flow Diagram 4
Description 5
Roles and Responsibilities 7
1. Background

Norfolk County Council requires a Security Incident Management process to protect the confidentiality, integrity and availability of its information, data and systems. This process is designed to assist in the effective management of security related incidents. The scope includes identification, recovery, communication and recommendations. This process will be used in conjunction with relevant corporate and departmental incident resolution processes and technologies.

This document describes the activities to be followed in the event of a security related incident and the roles and responsibilities to be assigned during security incident management. This process will utilise the Security Incident Assessment Form, which will detail the incident manager, escalation and communication channels, and assist with incident classification to ensure consistency.

Norfolk County Council Corporate Information Security Policy states:

Corporate incident management procedures should be developed and maintained. These should be followed in all security incidents and as a minimum should cover:
1. Analysis and cause of the incident
2. Planning and implementing remedies to prevent a recurrence
3. Audit trails and collecting and retaining of evidence for use in disciplinary matters, breach of contract by a supplier or a breach of computer misuse or data protection legislation
4. Actions to recover from security breaches or systems failure
5. Communications with business users during a security incident
2. Flow Diagram

1. Start
2. Incident classified as Security Incident
3. Security Incident Manager established as per Incident Assessment Workbook
4. Security Incident assessed
5. Further action required? No: go to 13 (Ends). Yes: continue to 6.
6. Security incident log and security incident timeline created (if required)
7. Incident investigation team established and requested to meet (if required)
8. Technical and overview report created (if required)
9. Action owners established, agreed and documented
10. Security incident resolved
11. Conduct security incident review (de-brief)
12. Create security incident closure report
13. Ends
2.1. Description

1. Start
This marks the beginning of the security incident management process. This process will have many triggers depending upon departmental issues and alignment to Risk and Insurance classifications.

2. Incident Classified as Security Incident
This process is designed for the sole purpose of recording and managing security related incidents. The reportee will be responsible for ascertaining whether a reported occurrence is to be handled formally as a security incident. This reportee could be the Departmental Information Security Officer, Charles House Service Desk, Corporate Data Protection Officer, Corporate Information Manager or Corporate ICT Security Manager. A security incident is identified as an incident which relates to one or more of the following categories:
a. Data loss or unlawful disclosure of information
b. Actions constituting a breach of policy
c. Loss of hardware, mobile device or removable media
d. Suspicious activity

3. Security Incident Manager Established as per Security Incident Assessment Form
An initial incident manager should be assigned to investigate the incident. This incident manager assignment will be determined by the reportee using the Security Incident Assessment Form. This incident manager will be one of the following (or an authorised deputy):
a. Corporate ICT Security Manager: ICT related incidents
b. Corporate Information Security Manager: information related incidents (corporate)
c. Corporate Data Protection Officer: personal data related incidents
d. Departmental Information Security Officer: information related incidents (departmental)

4. Security Incident Assessed
The incident manager will complete an initial assessment of the incident, utilising the Security Incident Assessment Form, to ensure all required information is available and all necessary parties are informed and prepared for any action required. This assessment form has been created to ensure consistency of assessment in line with the Corporate Risk and Insurance assessment framework. The assessment will cover scope/scale of the incident, impact on business, risk, resolution target, options and recommendation, and will be completed using the incident management assessment form. The form will also indicate communication, governance and escalation channels, and information regarding related Business Continuity processes to be followed.

5. Further Action Required
The incident manager will decide whether dedicated time and resource is required to resolve the incident or whether standard, normal procedures should be followed. If normal procedures are to be used for resolution, this will be documented. This incident process is designed for incidents where additional action or speed of response is required and is not designed to replace normal operational incident management processes.
6. Security Incident Log and Security Incident Timeline Created
In order to preserve chronological detail of the incident, actions taken and progress made towards resolution, an incident log and timeline is required. This log and timeline will be created within the normal Incident Management System utilised by Charles House Services. In the event the incident involves information whose addition to this system would be deemed inappropriate, an alternative log and timeline will be created by the incident manager, who will ensure it is stored in a secure manner.

7. Incident Investigation Team Established and Requested to Meet
Where an incident requires immediate decision and resource allocation, an incident investigation team will be assembled by the incident manager. This team will comprise all individuals required to confirm the assessment, agree actions and allocate resources accordingly. During the initial meeting a schedule will be created for reconvening this team to establish current status and ensure the plan is on course to complete as initially defined.

8. Technical and Overview Report Created and Communicated
A technical report will be created by an appropriately qualified technical analyst for the system involved (if applicable) and communicated to the incident manager. An incident overview report will be created by the assigned incident manager to provide an executive summary of the incident and action plan. These reports will be discussed and amended during the incident investigation team meeting, then communicated accordingly.

9. Action Owners Established, Agreed and Documented
Action owners will be established based upon the recommendations listed in the incident overview report. These action owners will be agreed at the initial incident investigation team meeting and documented to enable the incident manager to track progress.

10. Security Incident Resolved
The incident manager will establish whether the initial issue has been resolved within the timescales originally agreed and documented during the incident investigation team meeting.

11. Conduct Security Incident Review (De-brief)
The incident manager will lead a formal incident review meeting to establish (where possible) the cause of the incident, establish whether current processes are adequate to handle future incidents, and identify further actions to prevent re-occurrence. These recommendations will be fed into the incident closure report. The incident report is to be communicated to all parties as per the communications schedule within the Incident Assessment Form.

12. Create Security Incident Closure Report
Following the incident review, an incident closure report will be created. This report will detail the incident, actions taken and recommendations to prevent re-occurrence. These recommendations may be physical, logical or procedural changes.

13. Ends
This marks the end of the Security Incident Management process.
3. Roles and Responsibilities

Role | Department | Responsibility
Incident Manager | Various | Chair of incident investigation team meeting; creation of overview report; management of action plan; escalation point for resolution issues; communication of reports
Service Desk Analyst | Charles House Services | Call logging; user communication
Corporate ICT Security Manager | e-services | Creation and maintenance of process; escalation point for ICT security related incidents
Corporate Information Security Officer | e-services | Escalation point for information security related incidents
Departmental Information Security Officer | Various | Departmental point of contact; provide assistance to incident management
Corporate Data Protection Officer | Corporate FOI & DPU / Various | Escalation point for data loss or unlawful disclosure of information incidents
Technical Specialist | Charles House Services | Creation of technical report; technical support for infrastructure issues
Application Specialist | Charles House Services / Various | Technical support for application issues
Security Forum | Various | Quarterly review of all security incidents