California State University, Chico. Information Security Incident Management Plan




Information Security Incident Management Plan Version 0.8 January 5, 2009

Table of Contents

Introduction ... 3
Scope ... 3
Objectives ... 3
Incident Management Procedures ... 4
Roles and Responsibilities ... 5
Training and Implementation ... 5
Appendix A Definitions ... 6
Appendix B Incident Types ... 7

Information Security Office 2 05/19/14

Introduction

Effective information security management involves a combination of prevention, detection, and reaction. In addition to deploying strong security protection, the university should be able to respond to incidents and invoke proper procedures if an information security incident occurs. Security event and incident management is vital to the information security management process.

The purpose of this document is to outline the procedures for managing an information security event or incident. Such events or incidents may take the form of a virus, worm or Trojan attack, a denial of service (DoS) or other intrusion, or misuse of information resources by an individual, machine, or site.

Scope

These procedures and guidelines are for management, administration, and other technical and operational staff to prepare for, detect, and respond to information security incidents. Because security events and incidents involving different computer systems will lead to different consequences, departments should customize the security event and incident management procedures according to their specific needs.

Objectives

A well-defined security event and incident management plan is vital to the effective operation of a computer system, in addition to the information security operation as a whole. The major objectives of security event and incident management include:

- Ensure the required resources are available, including manpower, technology, etc.
- Ensure that all the responsible parties have a clear understanding of the tasks they should perform following predefined procedures
- Ensure that the response is systematic and efficient and that there is prompt recovery for the compromised system
- Ensure that the response activities are coordinated
- Minimize the possible impact of information leakage, corruption, and system disruption, etc.
- Share experience in incident response within and among departments
- Prevent further attacks and damages
- Handle related legal issues

Incident Management Procedures

All information security incident management procedures are located in the Information Security Knowledge Base on the wiki at https://wiki.csuchico.edu/confluence/display/isec/home.

Security Incident Response

The Security Incident Response Procedure defines the steps to be followed when an incident occurs. The procedure aims at minimizing damage, eradicating the cause of the incident, and restoring the system to normal operation, in accordance with predefined goals and priorities. The procedure is broadly categorized into five stages: identification, containment, eradication, recovery, and follow-up. Although the procedure is written generally with intrusions in mind, it is meant to serve as a guideline, and as such the same basic steps apply to other types of incidents.

A system administrator or system manager may establish additional security incident response procedures, checklists, and best practices to guide teams. These procedures should be provided to all employees, including management personnel, for their reference and compliance. They should be clear, straightforward, and easily understood so that all personnel know what they need to do.

Notification

The Security Incident Notification Procedure defines the process for notifying management and relevant parties of the incident to ensure that important decisions are made promptly. It sets out the points of contact (both internal and external) at various levels for notification based on the type and severity of the incident. Notification procedures and contact lists may vary for different kinds of incidents and for different systems with regard to contact points and follow-up actions. Information about incidents should be disclosed only on a need-to-know basis, and only the Information Security Officer has the authority to share, or to authorize others to share, information about security incidents with those not directly involved.

Reporting and Tracking

The Security Incident Reporting and Tracking Procedure defines the means of reporting and tracking suspicious activities so that all parties involved are notified in a timely manner and all required information is documented. In addition, the procedure covers how all parties involved will know to whom they should report, in what way, and what they should not report. A Post-Incident Report is also prepared to maintain consistency and ensure completeness of the information collected during security incident reporting. For the reporting and tracking procedure to be effective, all involved staff should be familiar with the reporting procedure and capable of reporting security incidents quickly. In addition, a security incident reporting form should be created to standardize the information to be collected and, if necessary, a separate procedure drawn up for non-office-hour reporting.

Roles and Responsibilities

Information Security Office

The Information Security Office (ISEC) is responsible for working with the campus community to secure systems and network resources, and to protect the confidentiality of student, faculty, and staff information. Related to incident management, the Information Security Office is responsible for:

- Consulting with campus users and departments to investigate security issues
- Ensuring incident response procedures are developed, implemented, and followed
- Responding to and recovering from disruptive and destructive information security events

Incident Management Team (IMT)

The Incident Management Team is responsible for implementation of the Incident Management Plan, including the facilitation of all incident management procedures (security incident response, notification, and reporting and tracking). Its tasks include but are not limited to:

- Assessing, responding to, and resolving information security incidents in partnership with campus technical staff, University Police, Public Affairs, etc.
- Notifying appropriate units of possible security infringements
- Reporting any security breach
- Disseminating guidelines related to security to departmental data managers and system administrators

System Administrators and Department/System Managers

All campus system administrators and department/system managers are responsible for following the incident management procedures outlined in the plan. A system administrator or department manager may establish additional security incident response procedures, checklists, and best practices, as well as system/department-specific contact lists.

Training and Implementation

Management, administration, and technical and operational staff need to have a thorough understanding of these procedures in order to work together to respond effectively to information security incidents. The Incident Management Team conducts a variety of training sessions to review and discuss the procedures so that all parties are prepared in the event an incident occurs. Once the detailed Security Incident Response procedure has been covered in training, it is not expected that technical and operational staff will refer to it at each stage during an incident. Instead, a checklist is available to speed response and ensure steps are not missed. Department- and computer-system-specific incident management procedures will not be covered in these training sessions, yet they need to be understood by the appropriate staff.

Appendix A Definitions

The term incident refers to an adverse event in an information system and/or network, or the threat of such an occurrence. Examples of incidents include unauthorized use of another user's account, unauthorized use of system privileges, and execution of malicious code that destroys data. Incident implies harm or the attempt to harm.

An event is any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network. These observable events, recorded on Incident Management Forms along with the evidence collected, provide the bulk of your organization's case if the perpetrator of an incident is caught and prosecuted.

The term security incident refers to any incident related to information security. It refers to an adverse event in an information system and/or network that poses a threat to computer or network security in respect of availability, integrity, and confidentiality. Examples of security incidents include malicious code attacks, unauthorized access, unauthorized utilization of services, denial of resources, disruption of services, compromise of protected data/program/network system privileges, malicious destruction or modification of data/information, penetration and intrusion, misuse of system resources, viruses and hoaxes, and malformed code or scripts affecting networked systems.

Appendix B Incident Types

Type: Malicious code attacks
Description: Malicious code attacks include attacks by programs such as viruses, Trojans, and worms used by hackers to gain privileges, capture passwords, and/or modify audit logs.

Type: Denial of service (DoS)
Description: Hackers and malicious code can disrupt/deny network and computing services in many ways, including erasing a critical program, mail spamming (flooding a user account or mail system), and altering system functionality by installing a Trojan.

Type: Unauthorized access or utilization of services/hacks
Description: Unauthorized access ranges from improperly logging into a user's account to unauthorized access to data stored on a system. Unauthorized access could also entail access to network data by installing a sniffer program or device to capture all packets traversing the network at a particular point. Examples of unauthorized utilization of services include using the network file system (NFS) to mount the file system of a remote server machine, the VMS file access listener to transfer files without authorization, or inter-domain access mechanisms in Windows NT to access files and directories in another organization's domain.

Type: Misuse
Description: Misuse occurs when someone uses a computing system for purposes prohibited by the Policy on the Use of Computing and Communications Services (EM 97-18).

Type: Threats
Description: Threats express the intention to inflict harm or indicate impending danger or harm. They are often received via e-mail, but could also be communicated via other electronic means.