Threat Management: Incident Handling. Incident Response Plan



Similar documents
BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Cisco Advanced Services for Network Security

UBC Incident Response Plan

Security Policy for External Customers

Network Security Policy

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

New River Community College. Information Technology Policy and Procedure Manual

Information Security Incident Management Guidelines

How To Manage Your Information Systems At Aerosoft.Com

How To Ensure The C.E.A.S.A

Network Security Policy: Best Practices White Paper

Critical Security Controls

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

IT Security Incident Management Policies and Practices

How To Audit The Mint'S Information Technology

Standard: Information Security Incident Management

Information Technology Services

IT Contingency Planning: IT Disaster Recovery Planning

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Risk Management Guide for Information Technology Systems. NIST SP Overview

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Incident Response Plan for PCI-DSS Compliance

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

CSIRT Introduction to Security Incident Handling

Payment Card Industry Data Security Standard

Utica College. Information Security Plan

GEARS Cyber-Security Services

Network Security: Policies and Guidelines for Effective Network Management

Supplier Security Assessment Questionnaire

Data Security Incident Response Plan. [Insert Organization Name]

T141 Computer Systems Technician MTCU Code Program Learning Outcomes

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Critical Controls for Cyber Security.

INFORMATION TECHNOLOGY SYSTEMS ASSET MANAGEMENT GUIDELINE

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Blue Ridge Community College Information Technology Remote Access Policy

DBC 999 Incident Reporting Procedure

The Protection Mission a constant endeavor

Incident Response Guidance for Unclassified Information Systems

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Central Agency for Information Technology

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

R345, Information Technology Resource Security 1

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Network & Information Security Policy

University of Pittsburgh Security Assessment Questionnaire (v1.5)

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Virginia Commonwealth University School of Medicine Information Security Standard

Cautela Labs Cloud Agile. Secured.

Defending Against Data Beaches: Internal Controls for Cybersecurity

Overcoming PCI Compliance Challenges

INCIDENT RESPONSE CHECKLIST

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

IBM QRadar Security Intelligence April 2013

NETWORK INFRASTRUCTURE USE

Information Security: A Perspective for Higher Education

Guidelines 1 on Information Technology Security

Guide to Vulnerability Management for Small Companies

Data Management Policies. Sage ERP Online

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Data Center Colocation - SLA

Verve Security Center

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Auburn Montgomery. Registration and Security Policy for AUM Servers

Policy on Connection to the University Network

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

THE TOP 4 CONTROLS.

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Contact: Henry Torres, (870)

Supplier Information Security Addendum for GE Restricted Data

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Sample Vulnerability Management Policy

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW

External Supplier Control Requirements

Data Security Breach. How to Respond

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

The Business Case for Security Information Management

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Managing internet security

INFORMATION SECURITY California Maritime Academy

Achieving SOX Compliance with Masergy Security Professional Services

HIPAA Security Alert

DUUS Information Technology (IT) Incident Management Standard

Best Practices for Building a Security Operations Center

New Employee Orientation

SUPPLIER SECURITY STANDARD

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Transcription:

In order to meet the requirements of VCCS Security Standards 13.1 Reporting Information Security Events, and 13.2 Management of Information Security Incidents, SVCC drafted an (IRP). Incident handling involves having the necessary tools and resources in place to appropriately handle an incident. The SANS Institute defines an incident as An adverse event in an information system and/or network, or the threat of the occurrence of such an event. Incident implies harm or the intent to do harm. The objective of the is to define the possible incidents that may occur in the Southside Virginia Community College (SVCC) information technology system and define the procedures for handling each type of incident. SVCC IT staff and Incident Response Team may reference the COV ITRM SEC510-00 IT Security Threat Management Guideline, and the VCCS Guidance on Reporting Incidents documents (attachment I 2.1 SVCC Security Plan) for guidance in responding to and recovering from threats against COV owned IT resources. SVCC College has established a Help Desk for users to report all information technology problems. College users should report all incidents to the College Help Desk Daniel: ext. 2041, Christanna: ext. 1078. Incidents may also be reported by generating a ticket using the Issue-Trak application. The incident will then be recorded by the IT staff member on the VCCS Incident Reporting form, (attachment I 2.1 SVCC Security Plan) The objective of the is to define the possible incidents that may occur and define the procedures Information Technology staff (IT) should follow for handling each type of incident. This document should be reviewed at least once a year to determine what if any changes are required. The first step in the process is designating an Incident Response Team (Attachment I 2.1) that includes personnel with the appropriate expertise and authority to respond to each phase of an incident report. These personnel include: Information Technology employees with the expertise in incident handling procedures. Public Relations, College Relations, or similar department who is authorized to communicate with the media if required depending on the nature and impact of the incident. 1

Human Resources personnel who are authorize to assist in disciplinary or employee relations. Security Services or Campus Police offices that may need to make reports internally or externally in physical breach or law breaking situations. These offices may also be needed in situations that require law enforcement intervention (i.e., removal of a disgruntled employee). Facilities Management personnel who may be needed to access physical office locations during an incident (i.e., to obtain a workstation from a locked office). Business Continuity Planning or Continuity of Operations Planning personnel may need to be aware of incidents that may require a review of risk assessments and continuity of operations plans. The next step is to identify and implement controls to deter and defend against incidents. This includes proactive measures to defend against new forms of attacks. The following controls are in place to assist in recognizing and mitigating different incidents. Frequent and as needed IDS, IPS, IOS, OS, vulnerability, and exploit updates from vendors to assist in system administration. Host security configurations that comply with the VCCS Security Standards 11, Access Control, and 8, Human Resources Security. Network security configurations (firewalls, IDS, IPS, perimeter router) that deny all activity not specifically permitted. Monitoring and logging all appropriate network activities as per the VCCS Security Standard 10.10, Security Monitoring. Malicious code prevention software to detect and stop malicious code at the host, server, and application level. The College uses antivirus / antispyware software to protect hosts and servers. Security Awareness and Training standards and procedures that make end users aware of the appropriate use of networks, systems, and applications. SVCC uses MOAT Security Awareness Training. Technical training for information technology staff so they can properly maintain their system, network, or application is available and ongoing and is a budgeted item in the IT department s annual expenditures. Each IT staff member will maintain documentation as to annual training attended. 2

The third requirement of the IRP is that incidents should be handled based on the critical nature of the affected resources and on the current and potential effects of the incident. The information obtained in the Business Impact Analysis and Risk Assessment processes will assist the System Office and Colleges in establishing written guidelines for prioritizing the handling of incidents, how quickly the Incident Response Team must respond to the incident, and what actions should be performed for the incident. SVCC has prioritized the incident handling process as follows: All incidents involving mission critical applications or processes as identified during the Business Impact Analysis (BIA) and Risk Assessment (RA) process (see SVCC security standard 14, Business Continuity Management) will be given priority over all other classifications of incidents. The remaining incidents will be classified and prioritized as follows: Global incidents (those that affect the entire enterprise) will be addressed first. For example, a compromised or defective enterprise server, router, firewall, switch etc. Systemic incidents (those that affect only selected systems) will be addressed next. Examples of this type of incident would be a failed voice gateway router, workgroup server, switch or other system specific infrastructure. The last type of incident to be addressed would be individual or host incidents. This is an incident that only affects one PC on the network, such as a virus, spy ware, or other malicious code. If an incident meets the criteria as defined by the SANS Institute, it should ultimately be reported to the Incident Response Team. Notification of incidents must be emailed to the appropriate SVCC IT network staff and may be reported by phone or in person as needed as long as email documentation is maintained. Individual team members may respond to the incident as circumstances dictate, if it occurs within their individual area of responsibility. All reasonable and proper troubleshooting methods will be employed to identify, contain, control, any incidents that occur. The team or member(s) will respond to the incident(s) in order of priority as defined above. The actions taken in response to the incident will vary with the type, priority, severity, and magnitude of effect. (See Mitigation Strategies document, attachment I 2.1 SVCC Security Plan) these actions may be implemented at the discretion of the Incident Response Team member(s) or designated responder. The strategies outlined in the : Mitigation Strategies document are a general guideline for timely response to an incident. These guidelines are designed to contain and control deleterious effects on the compromised system and minimize the probability of enterprise contamination. A decision may be altered by the Incident 3

Response Team based on the need to gather evidence of the incident and the team must be willing to accept any risks involved in delaying a decision. The next requirement of the plan is that once written guidelines have been established for incident reporting as stated in the IRP and Incident Handling forms (SVCC Security Plan attachment I 2.1), the System Office and Colleges should test the strategies outlined. This testing is to occur as soon as the plan is drafted, and as is necessary, or at least annually. The IRP will be tested along with the DRP testing and evaluated by the ISO. Once testing is complete, meetings will be held with the Incident Response Team to review all phases of the testing using the IRP strategies evaluation form, (SVCC Security Plan attachment I 2.1). The college ISO will maintain all testing documentation. Guidelines should be updated accordingly based on the discussion and findings of the team. Questions to be discussed may include: Discuss the incident details; what happened? Were the written guidelines accessible to the Incident Response Team? Did the team perform appropriately? Were procedures followed? What additional information was required? Were there any actions that inhibited the recovery? What would be done differently in a similar incident? What additional resources, tools, etc. are needed to assist in future incidents? Another requirement of the is to properly report incidents to the VCCS. The VCCS Information Technology Services Office will coordinate security incident reporting for the System Office and Colleges to comply with the Code of Virginia 2.2-603.F, which describes the reporting requirements agency s must follow. The Systems Office and Colleges may reference the VITA Guidance on Reporting Incidents (see SVCC Security Plan attachment I 2.1). and adhere to these guidelines when reporting incidents to the VCCS Information Technology Services Office via Issue Trak (Issue Type: Network Abuse) or Abuse@vccs.edu. At a minimum, the information below is required when reporting an incident. The System Office and Colleges are encouraged to complete the Incident Reporting Form and include this as an attachment to the Issue Trak or Abuse@vccs.edu email. 4

Date and time of the incident Incident description Impact of the Incident Severity of the attack (high, medium, low) Steps taken to respond to the attack Names of others who have been notified All incidents must be reported only through channels that have not been compromised. If either of the above reporting methods are compromised, verbal or face-to-face reporting may be used. The last requirement of the IRP is that the System Office and Colleges must have established procedures for how team members will conduct the investigation, how evidence will be preserved, and how the forensic analysis will be conducted. This may include recording all facts, documenting system events and telephone conversations. This may also describe how team members will work together to ensure viable results in researching and documenting incidents. Forensic analysis may be conducted using forensic software or by manually reviewing files and generating reports. The individuals responsible for documentation, and proper completion of all incident response forms are given in:, Incident Response forms (SVCC Security Plan attachment I 2.1). 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information