SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures




Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions.

Owning Department: Information Management
Version Number: 1.02
Date Published: 28/11/2013

CONTENTS

1. PURPOSE
2. RESPONSIBILITIES
3. DEFINITION OF SECURITY INCIDENT
4. HOW TO REPORT A SECURITY INCIDENT
5. INCIDENT MANAGEMENT
6. CYBER/ICT INCIDENT MANAGEMENT
7. INFORMATION SECURITY BREACH MANAGEMENT
8. PHYSICAL SECURITY INCIDENT MANAGEMENT
9. RECORDING
10. EXTERNAL REPORTING

APPENDICES (In Use: Y/N)
Appendix A - C Division (N)
Appendix B - V Division (N)
Appendix C - P Division (N)
Appendix D - A & B Divisions (N)
Appendix E - E & J Divisions (N)
Appendix F - N Division (N)
Appendix G - G, U, Q, L & K Divisions (N)
Appendix H - D Division (N)
Appendix I - List of Associated Legislation (Y)
Appendix J - List of Associated Reference Documents (Y)
Appendix K - List of Associated Generic PSoS Forms (N)
Appendix L - Glossary of Terms (N)
Appendix M - Examples of Security Incidents (Y)
Appendix N - Information Required for Information Breach (Y)

1. PURPOSE

1.1 The Security Incidents Reporting Standard Operating Procedure (SOP) supports the Information Security Policy.

1.2 The HMG Security Policy Framework requires the Service to put in place effective systems for detecting, reporting and responding to security incidents. Supporting this, the ACPO/ACPOS Community Security Policy requires member forces to ensure that adequate resources are assigned to security incident investigation and quarterly reporting returns through the Police Warning, Advice and Reporting Point (PolWARP).

1.3 This SOP defines what a security incident is, how it should be reported and outlines the different types of outcomes.

2. DEFINITION OF SECURITY INCIDENT

2.1 A security incident is defined as any event such as a security breach, threat, weakness or malfunction that has, or could have, resulted in the loss of or damage to PSoS information assets. Incidents fall into the following categories:
- Cyber/ICT security incidents - resulting from electronic attacks, compromise of communications security or disruption of online services
- Information breaches - compromise or loss of information through carelessness, theft, insider fraud, deliberate leaking or malicious attack
- Physical security incidents - resulting from criminality or environmental hazards

2.2 Refer to Appendix M for examples of security incidents.

2.3 Any security weakness identified or suspected should be reported in accordance with section 4 of this procedure.

3. RESPONSIBILITIES

3.1 All users* of Police Service of Scotland (PSoS) information and information systems are responsible for:
- Noting and reporting any observed or suspected information security events, incidents or weaknesses.
- In the event of a Cyber/ICT security incident, following the protocol in the IT Security SOP.

* Users are defined as PSoS personnel (officers and police staff), contractors, and third party users (any other personnel authorised to use PSoS information and information systems).

3.2 Line Managers are responsible for:
- Ensuring that all staff under their supervision are made aware of and have access to the procedure for reporting information security incidents.
- Ensuring that their staff are available to assist in the investigation of a security incident.

3.3 Information Security Officers (ISO) are responsible for:
- Through-life co-ordination of information security incidents in accordance with this procedure.
- Supporting the submission of internal and external information security incident reports.

3.4 The Head of Information Management will be responsible for:
- Ensuring the timely submission of relevant security reports to the Senior Information Risk Owner (SIRO), in accordance with the service's Information Risk Appetite and obligations under relevant codes of connection.
- Ensuring the timely submission of quarterly reports of slow time incidents through the Police Warning, Advice and Reporting Point (PolWARP).

4. HOW TO REPORT A SECURITY INCIDENT

4.1 Cyber/ICT security incidents: Staff must report incidents to the IT Helpdesk Team immediately.

[Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30 Prejudice to Effective Conduct of Public Affairs]

4.2 Information breaches and physical security incidents: Staff must report incidents to the line manager or senior police officer present immediately.

[Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30 Prejudice to Effective Conduct of Public Affairs]

4.3 Suspected or known information security weaknesses: Staff must report weaknesses in accordance with section 4.1 or 4.2 as appropriate.

Staff must not attempt to test security weaknesses. Testing weaknesses is likely to constitute system misuse. Staff carrying out unauthorised tests are liable for any resulting damage to systems and services.

4.4 Investigations involving information security incidents: Officers and staff encountering a potential information security incident in the course of an on-going incident or investigation must provide notification in accordance with 4.1 to 4.3 above. This includes, but is not restricted to:
a. Counter Corruption Unit investigations
b. Professional Standards Department investigations
c. Public-facing personnel receiving notification of 'found' police information
d. Information Asset Owners (System Owners) and system administrators receiving notification of incidents in line with system-specific procedures (e.g. those found in the CHS Use and Management SOP).

4.5 Information to be collated: As much information as possible should be provided to assist the investigation of incidents, breaches and weaknesses. A schedule of the minimum information required in the event of an information breach is included at Appendix N.

5. INCIDENT MANAGEMENT

5.1 On receiving a report to the ISO mailbox, an ISO will be identified as the single point of contact (ISO SPOC) for managing the incident.

5.2 The named ISO will have overall responsibility for incident management.

5.3 The ISO SPOC is responsible for ensuring the identification and appropriate management of incidents in accordance with Police Warning, Advice and Reporting Point (PolWARP) Procedures as either:
- Fast time incidents (incidents likely to have immediate or serious implications for the CJX community)
- Slow time incidents (other incidents - local and low level)

6. CYBER/ICT INCIDENT MANAGEMENT

6.1 The ICT Helpdesk will progress incidents relating to Police Scotland information assets in accordance with the ICT Security Incident Handling Process.

6.2 For fast time incidents the ISO SPOC will ensure that PolWARP and relevant external agencies have been informed where appropriate.

6.3 For incidents involving cryptographic material the ISO SPOC will ensure that the incident is reported using CINRAS.

6.4 SPA ICT will provide the ISO SPOC with an account of the progress and outcomes of all reported incidents relating to Police Scotland information assets.

7. INFORMATION SECURITY BREACH MANAGEMENT

7.1 The line manager receiving a report in accordance with 4.2 must:
- Identify and action any immediate steps necessary to (a) prevent further information loss and (b) preserve evidence
- Ensure that an email report has been sent to the corporate ISO mailbox
- Inform the Divisional on call duty officer
- Liaise with the ISO SPOC

7.2 The Divisional on call duty officer will:
- Identify and action any immediate steps necessary to (a) prevent further information loss and (b) preserve evidence
- Liaise with the ISO SPOC at the earliest opportunity
- Initiate the creation of a restricted incident on STORM
- Inform the senior on call officer, who will provide an initial notification to the Senior Information Risk Owner (SIRO) as appropriate
- Inform the duty press officer for the preparation of a press release
- Consider the call out of specialist officers
- Set Gold, Silver and Bronze designations at an appropriate level, dependent on the risk
- Notify the head of Professional Standards/Counter Corruption Unit as appropriate and advise of any inference of criminality or misconduct
- In consultation with the SIRO and the Head of Information Management, consider the timely dissemination of information to other affected agencies / individuals / departments

7.3 The ISO SPOC will:
- Ensure that fast time incidents are reported through PolWARP
- Ensure that incidents involving cryptographic material are reported using CINRAS
- Liaise with the Head of Information Management at the earliest opportunity
- Coordinate incident management and ensure appropriate resolution through liaison with relevant departments and specialisms
- Liaise with Professional Standards/Counter Corruption Unit as appropriate
- Notwithstanding any criminal or internal disciplinary proceedings, carry out a full investigation of the incident
- Submit a draft incident report to the Head of Information Management

7.4 The Head of Information Management, in consultation with the Information Asset Owner, will:
- Consider the development of a recovery plan
- Assess the risks associated with the incident
- Submit an incident report to the SIRO

7.5 The Head of Information Management, in consultation with the SIRO, will:
- Assess the incident for relevance in terms of the Data Protection Act 1998
- Consider the submission of a security breach notification to the Information Commissioner's Office
- Consider any requirements to notify relevant third parties

8. PHYSICAL SECURITY INCIDENT MANAGEMENT

8.1 The line manager receiving a report in accordance with 4.2 must:
- Identify and action any immediate steps necessary to (a) prevent information loss and (b) preserve evidence
- Ensure that an email report has been sent to the corporate ISO mailbox
- Liaise with the ISO SPOC
- If appropriate, inform the Divisional on call duty officer

8.2 The ISO SPOC will:
- Coordinate incident management and ensure appropriate resolution through liaison with relevant departments and specialisms
- Notwithstanding any criminal or internal disciplinary proceedings, carry out a full investigation of the incident
- Submit a draft incident report to the Head of Information Management

8.3 The Head of Information Management will:
- Assess the information risks associated with the incident
- Consider the development of an action plan

9. RECORDING

9.1 [Information has been removed due to its content being exempt in terms of the Freedom of Information (Scotland) Act 2002, Section 30 Prejudice to Effective Conduct of Public Affairs]

9.2 All incidents logged will be categorised against the list of 'Examples of Incidents to be Reported to PolWARP' (Appendix A of PolWARP Procedures). The log will include as a minimum all information required to support external reporting obligations.

9.3 Incidents recorded on the Information Security Incident Log will be cross referenced to the relevant asset in the corporate Information Asset Register.

9.4 Where appropriate, risks identified through the processes set out at section 5 will be escalated to the corporate risk register.

10. EXTERNAL REPORTING

10.1 In compliance with the Data Protection Act 1998, serious breaches of the seventh Data Protection Principle will be reported to the Information Commissioner's Office.

10.2 In compliance with the ACPO/ACPOS Community Security Policy, the Head of Information Management will ensure the quarterly reporting of incidents relating to information systems through the Police Warning, Advice and Reporting Point (PolWARP).

10.3 In compliance with the Public Services Network (PSN) Code of Connection (available from Information Management on request), all security incidents relating to the PSN network will be escalated to the PSN Security Manager.

APPENDIX I
LIST OF ASSOCIATED LEGISLATION

- The Computer Misuse Act 1990
- The Data Protection Act 1998
- The Official Secrets Acts 1911 to 1989

APPENDIX J
LIST OF ASSOCIATED REFERENCE DOCUMENTS

- Cabinet Office - Information Assurance Maturity Model (available from Information Management on request)
- HMG Security Policy Framework
- International Organisation for Standardisation - ISO/IEC 27001:2005: Information technology: Security techniques: Information security management systems: Requirements (available from Information Management on request)
- Police Warning, Advice and Reporting Point (PolWARP) Procedures (available from Information Management on request)
- Scottish Police Authority - ICT Security Incident Handling Process (available from Information Management on request)
- ACPO/ACPOS Community Security Policy
- Airwave SOP
- Building Security at Police Premises SOP
- Data Protection Policy
- CHS Use and Management SOP
- Door Access Procedure SOP
- Email and Internet Security SOP
- Government Protective Marking Scheme SOP
- ICT User Access and Security SOP
- Information Security Policy
- Information Security SOP
- IT Security SOP
- Visitors to Police Premises SOP
- Public Services Network (PSN) Code of Connection (available from Information Management on request)

APPENDIX M
EXAMPLES OF SECURITY INCIDENTS

1. CYBER / ICT SECURITY INCIDENTS

1.1 Unauthorised access to information systems
- Malicious software/virus/trojan (see section 3.2 of the IT Security SOP)
- Intrusion attempts
- Successful intrusions
- Connection of unauthorised ICT systems or devices to PSoS computer systems or networks (see section 3.2 of the IT Security SOP)
- Download and/or installation of unauthorised software (see section 12.2 of the Email and Internet Security SOP)

1.2 Deliberate unauthorised alteration of data
- Malicious software/virus (see section 3.2 of the IT Security SOP)
- Unauthorised user intervention

1.3 Accidental unauthorised alteration of data
- User error

1.4 Loss of access to information systems
- Malicious software/virus/trojan (see section 3.2 of the IT Security SOP)
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack
- Hardware or software failure
- Airwave confirm stunning
- User error

2. INFORMATION BREACHES

2.1 Deliberate unauthorised disclosure of information
- Information made available to people who are not authorised to have it
- Disclosures of police information on personal social networking sites (see sections 3.9 to 11 and 12.2 of the Email and Internet Security SOP)
- Unauthorised upload and removal of information using the email system, webmail, or an external device (see section 3.7 of the Email and Internet Security SOP)

2.2 Accidental unauthorised disclosure of information
- Misdirection of correspondence or communications
- Sensitive voice communications in a public environment
- Insecure disposal of information

2.3 Unauthorised access to information or information systems
- Unauthorised use of log-in credentials (e.g. password sharing)
- Any breach of the ICT User Access and Security SOP (e.g. access rights incorrectly granted or retained)

2.4 Unauthorised use of information or information systems
- Use of corporate information for an unauthorised purpose
- Use of police information for a non-policing purpose

2.5 Theft or loss of information
- Theft or loss of technological assets (laptop / PDA / Airwave radio / mobile phone / USB memory stick, etc.)
- Theft or loss of hard copy information

2.6 Deliberate unauthorised destruction of information
- Deletion or destruction of information contrary to statute or corporate policy

2.7 Accidental destruction of information
- All incidents of accidental destruction of information

3. PHYSICAL SECURITY INCIDENTS

3.1 Premises not secured
- Means of access lost, stolen or inappropriately shared (warrant/authorisation cards / keys / access cards / access codes), including any breach of sections 2.4 or 2.5 of the Door Access Procedure SOP
- Any breach of the Building Security at Police Premises SOP (e.g. unsecured access points (doors / windows / alarms))
- Any breach of section 3.3 of the IT Security SOP (physical security of computer rooms)

3.2 Unauthorised person(s) on premises
- Deliberate circumvention of access protocols, including use of deception ('social engineering')
- Failure of access protocols, including any breach of the Door Access Procedure SOP or Visitors to Police Premises SOP
- Systematic failure of non-uniformed officers/staff to wear appropriate ID

3.3 Information not secured within premises
- Information or data not stored or managed in accordance with the Government Protective Marking Scheme SOP
- Computer monitors or hard copy information visible from outside of the premises
- Passwords displayed or stored with related assets
- Unattended equipment left logged on
- Computers vulnerable to electronic surveillance/interception

3.4 Information not secured outwith premises
- Information visible in a public place
- Information left unattended in a vehicle or public place

APPENDIX N
INFORMATION REQUIRED IN EVENT OF INFORMATION BREACH

All possible appropriate investigation must be carried out immediately an incident is discovered. To assist the investigation, a reporting officer / member of police staff should provide as much supporting information as possible. The minimum information required (if relevant) will include:

- What has been lost?
- Where has it been lost?
- Who is reporting the loss?
- Who is responsible for the loss?
- What information is believed to be lost?
- Is the information GPMS marked? What is the GPMS marking considered to be?
- Is the information personal information?
- What quantity of information has been lost?
- If a mobile data device has been lost, is it encrypted? If yes, what encryption is on the device?
- Has any information relevant to passwords etc. been lost with the device?
- Have initial enquiries been carried out?
- Have any other authorities / bodies been informed?
- Duty Divisional On Call Officer details?
- STORM Incident reference number?
- Full Impact Assessment of the loss?