IT Security Incident Management Policies and Practices




Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology
Date: Feb 6, 2015

Document Control

Document Owner:    ITSC
Classification:    INTERNAL
Publication Date:  6 Feb 2015
Issue to:          Public

Version History

Ver. No.   Ver. Date    Revised By   Description
1.0        6 Feb 2015   ITSC         Initial Release

Table of Contents

1 Introduction ... 4
2 Definitions and Abbreviations ... 5
  2.1 Information Security Incident ... 5
  2.2 Personal Data Incident ... 5
  2.3 Abbreviations ... 5
3 Information Security Incident Response Team ... 7
  3.1 Team Structure ... 7
  3.2 Roles and Responsibilities ... 7
    3.2.1 All staff members, contractors and students ... 7
    3.2.2 ISIRT Manager ... 7
    3.2.3 ISIRT Members ... 8
    3.2.4 Cyber Security Coordinators (CSC) ... 8
  3.3 Reporting ... 8
4 Incident Handling Process ... 9
  4.1 Overview of the Incident Handling Process ... 9
  4.2 Preparation ... 9
  4.3 Incident Impact Analysis ... 10
  4.4 Incident Detection and Reporting ... 10
  4.5 Escalation and Notification ... 11
  4.6 Containment ... 11
  4.7 Eradication and Recovery ... 11
  4.8 Aftermath ... 11
5 References ... 12

1 Introduction

Recently, malware attacks, hacking and other IT security incidents have been found to be targeting universities' IT facilities. To ensure that The Hong Kong University of Science and Technology (HKUST) can promptly respond to IT security incidents detected within HKUST, IT Security Incident Management Policies and Practices have to be documented. This document outlines the management and handling procedures for information security related incidents within HKUST.

2 Definitions and Abbreviations

2.1 Information Security Incident

According to the NIST Computer Security Incident Handling Guide (SP 800-61), "A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." The term "security incident" used in this guideline refers to any incident related to information security. A security incident indicates that the security of an information system, service or network within the University may have been breached or compromised, which is very likely to weaken or impair service operation. It poses a threat to the service in respect of availability, integrity and confidentiality. However, adverse events such as natural disasters, hardware/software breakdown, data line failure, power disruption etc. are outside the scope of this guideline.

Examples of security incidents include:
- Unauthorized access and use of systems
- Hacking, or attempted hacking, of the University IT facilities
- Computer viruses and hoaxes, and malicious code or scripts affecting networked systems
- Leaks or breaches of sensitive University data

2.2 Personal Data Incident

Among the categories of sensitive University data, some may be related to personal data. Therefore, any IT security incident that affects personal data within the University is categorized as a Personal Data Incident. When a personal data incident or suspected incident is expected to involve a breach of personal data privacy, the incident management procedure should follow the procedure stated in the Personal Data Privacy Policy of The Hong Kong University of Science and Technology. In addition, all personal data privacy breaches must be reported to the Data Privacy Officer of the University.

2.3 Abbreviations

The following abbreviations are commonly used in this document:

IH                Incident Handling
IRT               Incident Response Team, which is the same as the Information Security Incident Response Team
ISIRT             Information Security Incident Response Team
ITSC              Information Technology Services Center
HKUST             The Hong Kong University of Science and Technology
Service desk      Service desk support team in ITSC
CSC               Cyber Security Coordinator, representing a department to coordinate and handle IT security
IT Support team   IT team responsible for supporting the IT system of concern in HKUST

3 Information Security Incident Response Team

3.1 Team Structure

An Information Security Incident Response Team (ISIRT) shall include an ISIRT Manager, a Deputy Manager and ISIRT members from the User service team, Network team and Infrastructure team to support the incident handling process. The ISIRT may also include CSCs from other departments of the University for handling security incidents related to the relevant department.

ISIRT roles                               ITSC roles
ISIRT Manager                             IT Security Officer
ISIRT Deputy Manager                      IT Security Officer (Backup)
ISIRT Members (User service team)         User service team representatives
ISIRT Members (Network team)              Network team representatives
ISIRT Members (Infrastructure team)       Infrastructure team representatives
ISIRT Members (for public relationship)   User service team representatives

3.2 Roles and Responsibilities

3.2.1 All staff members, contractors and students
- Report security weaknesses and suspected security incidents to the Service desk of ITSC or to the ISIRT
- Keep appropriate records of systems so that exceptional events are noticed and can be presented to the ISIRT for investigation and handling
- Assist the ISIRT members in investigating and resolving incidents

3.2.2 ISIRT Manager
- The IT Security Officer takes the role of ISIRT Manager
- Has delegated authority to make immediate decisions on how to deal with an incident
- Ensures consistent application of incident classification and impact assessment
- Ensures that all ISIRT members have the required knowledge and skill levels, and that these continue to be maintained
- Classifies incidents and determines the corresponding severities
- Assigns the investigation of each incident to the most appropriate member of his/her team and monitors progress
- Documents incidents

3.2.3 ISIRT Members
- Assist the ISIRT Manager in investigating, containing and resolving IT security incidents within their areas of specialty
- Classify incidents and determine the corresponding severities in their own areas of responsibility
- Ensure timely communication with the ISIRT Manager while investigating, containing and resolving IT security incidents
- Document detected incidents

3.2.4 Cyber Security Coordinators (CSC)
- Coordinate with ITSC in handling security incidents
- Liaise with ITSC on training and awareness
- Implement security practices in the department

3.3 Reporting

security@ust.hk will be published by ITSC for HKUST users to report security incidents.

4 Incident Handling Process

4.1 Overview of the Incident Handling Process

When a security incident occurs, Security Incident Handling, or in short Incident Handling (IH), is crucial for returning the IT service to users as quickly as possible while at the same time identifying the cause of the incident and minimizing the chance of recurrence. IH is a continuous set of processes governing the activities before, during and after a security incident occurs. The Incident Handling Procedure is derived from the SANS 6-step Incident Handling Methodology with the additional step of Forensics Investigation. The Security Incident Handling Cycle is shown below.

[Figure: Security Incident Handling Cycle. Stages: Preparation, Incident Detection, Containment, Eradication, Recovery, Follow Up and Aftermath]

4.2 Preparation

Planning and preparing resources serves as the basis for the later steps. Proper incident impact analysis, urgency and prioritization definitions have to be established. The normal status and behaviour of systems/applications should be recorded. Incident detection mechanisms should be defined. Each IT support team should develop its own set of incident handling procedures. Security vulnerabilities and the latest patch versions should be recorded and maintained by the relevant IT support team for prompt detection and incident response.

4.3 Incident Impact Analysis

When an incident is detected, the corresponding Service desk and IT staff have to categorize the incident into the relevant incident impact level. The four incident impact levels are listed below.

Incident Impact Level: Extensive/Widespread
  Description: If not resolved immediately, the incident will result in unscheduled service interruption of a critical service, or a severe security breach together with financial loss, data breaches or reputation damage.
  Examples: compromise of a computer handling student records; media-reported compromise of a system, etc.

Incident Impact Level: Significant/Large
  Description: If not resolved in a timely manner, the incident may affect the normal operation of core services and lead to a security breach. Financial loss or reputation damage is also probable.
  Examples: disruption of teaching-related IT systems; compromise of computing facilities but without student or staff records, etc.

Incident Impact Level: Moderate/Limited
  Description: If not resolved within a reasonable period of time, the incident may introduce additional vulnerabilities and expose the information systems or resources to a higher risk of service interruption. Financial loss or reputation damage is possible if such vulnerabilities are exploited accidentally or by malicious parties.
  Examples: IT systems found to be vulnerable or compromised; some non-teaching-related servers suspected to be compromised.

Incident Impact Level: Minor/Localized
  Description: The incident is related to non-critical information systems or non-sensitive data, and the possibility of causing service interruption, financial loss or reputation damage is remote. However, it may require additional controls or alternative operational procedures to retain the service level and could lead to a downgrade in efficiency.
  Examples: virus infection of a few desktop computers which are not used for student records.

After deciding the impact of the incident, the priority in handling the incident also depends on its urgency.

4.4 Incident Detection and Reporting

Incident detection remains in a dormant state: the different detection channels monitor the system until an abnormality is detected. The main aim of this phase is to determine the scope of the suspected incident, classify it and notify the responsible parties.

The IT support team should perform a preliminary analysis of the suspected incident. If the incident is declared open, the IT support team should preserve logs and a system snapshot for further analysis and forensics investigation.

4.5 Escalation and Notification

The escalation procedure defines the way to escalate a security incident to the relevant parties and management to ensure that important decisions can be taken promptly. Within the escalation path, the IT support team should alert all related parties (for attention, and to seek support and approval for recommended actions). The IT support team should define and implement its applicable reporting, notification and escalation path and priorities.

4.6 Containment

The IT support team shall deploy a handling team to contain the incident: to limit its scope, impact and magnitude, protect critical resources and determine the operational status before the spread of the incident overwhelms resources or the damage increases.

4.7 Eradication and Recovery

After containment of the incident, the IT support team should perform the necessary activities to determine the root cause of the detected security incident. During the Eradication stage, the IT support team should get rid of the cause of the incident by applying patches/fixes, correcting system misconfigurations, or updating passwords or software. In some situations, the IT support team may have to completely reinstall the entire system. During the Recovery stage, the IT support team may further restore damaged or lost data to the rebuilt system. The IT support team may have to perform a pre-production security assessment before restoring the system to normal operation.

4.8 Aftermath

The IT support team shall prepare a draft follow-up report and submit it to all parties for review and comments. The finalized report will provide a reference that can be used to assist in handling similar incidents. The finalized report should be kept for at least 3 years.

5 References

1. Information Security Incident Handling Guidelines [G54], version 5.0, The Office of the Government Chief Information Officer, Sep 2012.
2. Information Security Incident Management Standard v1.0, City University of Hong Kong, 24 Dec 2013.