Incident Categories (Public) Version 3.0-2016.01.19 (Final)



Similar documents
Incident categories. Version (final version) Procedure (PRO 303)

Incident Reporting Guidelines for Constituents (Public)

IMS-ISA Incident Response Guideline

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

UBC Incident Response Plan

Information Technology Services Information Security Incident Response Plan

Information Security Incident Management Guidelines

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Data Management & Protection: Common Definitions

Data Security Incident Response Plan. [Insert Organization Name]

Cyber Incident Response

Information Incident Management Policy

Information Technology Policy

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Cyber Security: Cyber Incident Response Guide. A Non-Technical Guide. Essential for Business Managers Office Managers Operations Managers.

Data Management Policies. Sage ERP Online

ISO Information Security Management Systems Foundation

INFORMATION TECHNOLOGY SECURITY STANDARDS

Cyril Onwubiko Networking and Communications Group ncg.kingston.ac.

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Cyber Security Incident Reporting Scheme

Incident Response Plan for PCI-DSS Compliance

Overview of computer and communications security

Local Government Cyber Security:

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

How To Audit The Mint'S Information Technology

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

DBC 999 Incident Reporting Procedure

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

Evaluation Report. Office of Inspector General

Common Cyber Threats. Common cyber threats include:

Information Security Policy

Security Incident Policy

External Supplier Control Requirements

USM IT Security Council Guide for Security Event Logging. Version 1.1

So the security measures you put in place should seek to ensure that:

Protecting your business from fraud

How To Monitor The Internet In Idaho

Acceptable Use Policy

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

DATA BREACH COVERAGE

Fraud and Abuse Policy

Cyber Security Threats and Countermeasures

Incident Object Description and Exchange Format

Information Security Incident Management Guidelines. e-governance

ANTI-VIRUS POLICY OCIO TABLE OF CONTENTS

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Sample Employee Network and Internet Usage and Monitoring Policy

Cybersecurity Awareness. Part 1

How To Protect Decd Information From Harm

Acceptable Usage Policy

Network Security Policy

INFORMATION SECURITY INCIDENT REPORTING POLICY

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

White Paper. How to Effectively Provide Safe and Productive Web. Environment for Today's Businesses

Acceptable Use Policy

US-CERT Overview & Cyber Threats

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

White Paper. Sarbanes Oxley and iseries Security, Audit and Compliance

University of Liverpool

UNCLASSIFIED. General Enquiries. Incidents Incidents

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

INFORMATION SECURITY PROCEDURES

Security. Definitions

Don t Fall Victim to Cybercrime:

WEB ATTACKS AND COUNTERMEASURES

Acceptable Use and Publishing Policy

Disciplinary and Dismissals Policy

Standard: Information Security Incident Management

INFORMATION SECURITY. Agencies Need to Improve Cyber Incident Response Practices

I N T E L L I G E N C E A S S E S S M E N T

Section 12 MUST BE COMPLETED BY: 4/22

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Cybersecurity for the C-Level

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

ISO27001 Controls and Objectives

CS574 Computer Security. San Diego State University Spring 2008 Lecture #7

Transcription:

Incident Categories (Public) Version 3.0-2016.01.19 (Final) Procedures (PRO 303) Department: GOVCERT.LU Classification: PUBLIC

Contents 1 Introduction 3 1.1 Overview................................................. 3 1.2 Purpose.................................................. 3 1.3 Scope................................................... 3 1.4 References................................................ 3 1.5 Definitions and Abbreviations...................................... 3 2 Information Security Incident Definition 4 3 Incident Categories 4 3.1 Category Allocation........................................... 7 2/8

1 Introduc on 1.1 Overview Once an incident report has been received, it should be treated efficiently and rapidly in order to help the constituent solve the problem. The categorisation of incidents helps GOVCERT.LU to plan actions to resolve the incident and helps the constituent respect the reporting timeframe. The categorisation of incidents also supports the definition of standard incident response procedures for each type of incident. 1.2 Purpose The aim of this procedure is to define: - the incident categories used by GOVCERT.LU - how a category is allocated to an incident - the reporting timeframe for constituents for each type of incident 1.3 Scope This procedure concerns the GOVCERT.LU ticketing tool, its members and its constituents. 1.4 References 1. PRO301 - Incident Reporting Guidelines for Constituents 2. PRS401 - Incident Management Process 3. CSIRT Case Classification - Example for Enterprise CSIRT. URL: http://www.first.org/_assets/ resources/guides/ 4. SP800-61: Computer Security Incident Handling Guide. Aug. 2012. URL: http://csrc.nist.gov/ publications/ 5. US CERT Incident categories. URL: http : / / www. us - cert. gov / government - users / reporting - requirements 1.5 Defini ons and Abbrevia ons Abbreviation Definition NIST CAT AV National Institute of Standards and Technology Incident category Antivirus Table 1: Definitions and Abbreviations 3/8

2 Informa on Security Incident Defini on An information security incident (or incident) is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and preservation of confidentiality, integrity and availability of information. Event: An Event is an occurrence or change in a particular set of circumstances: NOTE 1: An event can be one or more occurrences, and can have several causes. NOTE 2: An event can consist of something that does not happen. NOTE 3: An event can sometimes be referred to as an incident or an accident. Information security event: An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be relevant to security. 3 Incident Categories For each category of incident, a reporting timeframe applies for the concerned constituent. The reporting timeframe is the timeframe within which the constituent should report the incident. Once this timeframe has exceeded, GOVCERT.LU cannot guarantee that the incident will be resolved efficiently. The reporting timeframe is defined according to the sensitivity of the targeted system(s) as follows: - Critical system: a critical system is a system, application, data, or other resources that is essential to the survival of an organisation. When a critical system fails or is interrupted, core operations are significantly impacted. - Non critical system: system, application, data, or other resources which do not have strong impact on the good operation of the constituency if compromised. 4/8

Warning: When updating this table; please update also the table 2 in the PRO301 - Incident Reporting Guidelines for Constituents Category Name CAT 1 CAT 2 CAT 3 CAT 4 CAT 5 Compromised information Compromised Asset Unauthorised Access Description Successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malwareinfected hosts where an attacker is actively controlling the host. In this category an individual (internal or external) gains logical or physical access without permission to a national or local network, system, application, data, or other resource. Malicious Code Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or (Distributed) Denial of Service application. Organisations are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. An attack that successfully prevents or impairs the normal authorised functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. Critical system Within one (1) hour of Within one (1) hour of Within one (1) hour of Reporting Timeframe Within one (1) hour of discovery/detection if widespread across organization otherwise one (1) day. Within two (2) hours of discovery/detection if the successful attack is still ongoing and the organisation is unable to successfully mitigate activity. Non critical system Within four (4) hours of Within one (1) hour of Within four (4) hours of Within four (4) hours of discovery/detection if widespread across organisation otherwise one (1) day. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the organisation is unable to successfully mitigate activity. 5/8

Category Name Description CAT 6 Theft or Loss Theft or loss of sensitive equipment (Laptop, hard disk, media etc.) of organisation. CAT 7 Phishing Use of fraudulent computer network technology to entice organisation s users to divulge important information, such as obtaining users bank account details and credentials by deceptive emails or fraudulent web site CAT 8 CAT 9 Unlawful activity Within one (1) day of Scans/Probes/ Attempted Access organisation CAT 10 Policy Violations Fraud / Human Safety / Child Porn. Computerrelated incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention. This category includes any activity that seeks to access or identify an computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Deliberate violation of Infosec policy such as: - Inappropriate use of corporate asset such as computer, network, or application. - Unauthorised escalation of privileges or deliberate attempt to subvert access controls. Critical system Within one (1) day of Within four (4) hours of Within six (6) hours of Within one (1) hour of Within six (6) hours of Reporting Timeframe Non critical system Within one (1) week of Within one (1) day of Within two (2) weeks of Within one (1) week of Table 2: Information Security Incident Categories 6/8

The categories and attacks are based on a mix of categories proposed by NIST (SP800-61: Computer Security Incident Handling Guide), FIRST (CSIRT Case Classification - Example for Enterprise CSIRT) and US-CERT (US CERT Incident categories). 3.1 Category Alloca on Table 2 describes all the categories of incidents. A category is allocated by constituent and GOVCERT.LU to an incident according to the following flow chart: Category Allocation Flow Comments GOVCERT.LU Constituent - The reading order of table 2 is from the top down. Table 2 provides the inputs for N (CAT 1, CAT 2, CAT 3, CAT 4 CAT 9 and CAT 10). New incident N = 1 (CAT 1) - Incidents are categorised on a first-match basis by the constituent. N Matching Category/Incident? N = N + 1 Y Category allocation Ticket opening Sending of the incident report - Category modification and/or adding categories Categories? Y Category Modification/Adding N End Figure 1: Category Allocation Flow 7/8

The constituent choses the category that fits best such as described in figure 1. During the identification phase 1 GOVCERT.LU can (if judged necessary) change this category (false encoding by the constituent) and/or add others categories. 1 See PRS401 - Incident Management Process 8/8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information