SlideShare a Scribd company logo

Generic_Sample_incidentresponseplanIRP_ISS_2016

Download as DOCX, PDF
S
Samuel Loomis

Generic Sample Company has developed an Information Security Incident Response Plan to effectively handle security incidents. The plan establishes an Information Security Subcommittee to govern incident response. It defines roles and responsibilities, and outlines the incident response process including identification, classification, triage, evidence preservation, forensics, eradication, confirmation of elimination, and resumption of operations. The plan also covers education/awareness, communications, and compliance requirements.

1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1 Generic Sample Company, LLC. Information Security Incident Response Plan Agency: Generic Sample Company, LLC. Date: 09/24/2014 Revised: 5/16/2016 Written by: Samuel A. Loomis Contact: Information Security Director’s Fist and Last Name
2
3 TABLE OF CONTENTS Introduction ..................................................................................................... 4 Incident Response Plan.................................................................................... 4 Information Security Subcommittee................................................................ 4 Terms and Definitions ................................................................................... 5,5 Roles and Responsibilities................................................................................ 6 Program............................................................................................................ 7 Education and Awareness .............................................................................. 10 Communications............................................................................................. 11 Compliance............................................................................................... 11, 11 Implementation.............................................................................................. 12 Approval......................................................................................................... 13 Information Security Subcommittee (ISS) Structure .................................... 13 ISS Responsibilities and Functions .............................................................. 133
4 Introduction The CLEAN credit and Identity Theft Protection Act of Virginia (Va. Code Ann. § 59.1-443.2 (2005) requires agencies to develop the capacity to respond to incidents that involve the security of information. Agencies must implement forensic techniques and remedies, and consider lessons learned. The statute also requires reporting incidents and plans to the Virginia Information Technology Agency (VITA). The CLEAN credit and Identity Theft Protection Act of Virginia (Va. Code Ann. § 59.1-443.2 (2005) requires agencies to take specific actions in cases where compromise of personally identifiable information has occurred. This plan addresses these requirements. Generic Sample Company has developed this Information Security Incident Response Plan to implement its incident-response processes and procedures effectively, and to ensure that all Generic Sample Company employees understand them. The intent of this document is to: o describe the process of responding to an incident, o educate employees, and o build awareness of security requirements. Incident Response Plan An incident response plan or IRP brings together and organizes every resource necessary for dealing with any event that harms or threatens Generic Sample Company’s security of information assets. Events may be defined as, but not limited to: malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. The goal at Generic Sample Company is to facilitate quick and efficient response to incidents, and to limit their impact while protecting our information assets. This plan defines key roles and responsibilities, documents the steps necessary for effectively and efficient governance during an information security incident, and lastly defines channels of communication. The plan also prescribes the education needed to achieve these objectives. An Incident Response is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Information Security Subcommittee’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Information Security Subcommittee is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The ISS is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The ISS will coordinate these investigations. The ISS will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.
5 Information Security Subcommittee Each of the followingareaswill have aprimaryandalternate member: • SeniorExecutive- President/Sr.VP/InformationSecurityOfficer • InformationTechnologyDirector(ITD) • Directorof Compliance (Compliance) • Directorof Human Resources(HR) • Directorof Operations(OPS) • AuthorizedInformationSecurityRepresentative(AISR) Terms and Definitions Asset: Anything that has value to the agency Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal in nature. Incident: A single or a series of unwanted or unexpected information security events (see definition of "information security event") that result in harm, or pose a significant threat of harm to information assets and require non-routine preventative or corrective action. Incident Response Plan: Written document that states the approach to addressing and managing incidents. Incident Response Policy: Written document that defines organizational structure for incident response, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents. Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents. Incident Response Program: Combination of incident response policy, plan, and procedures. Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication. Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
6 Information Security Event: An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations. Threat: A potential cause of an unwanted incident, which may result in harm to a system or the agency Roles and Responsibilities The following are suggested roles and responsibilities Generic Sample Company has considered: incident response team members, incident commander, and agency point of contact to interface with the Virginia Information Technology Agency (required by statewide policy: Code of Virginia § 2.2-603.F). Senior Executive (INFO SEC Officer): Responsible for overall day-to-day operations at Generic Sample Company Information Security Subcommittee: (ISS) Consists of Directors of IT, Compliance, Operations and HR reporting directly to the Information Security Officer. Responsible for maintaining compliance and governance of information security during an incident, data breach, or internal breach. ISS Directors orchestrate classification, triage, evidence preservation, forensics, eradication, elimination and resumption of operations within Generic Sample Company. Authorized Information Security Rep: Responsible for information security at Generic Sample Company, for reducing risk exposure, and for ensuring the agency’s activities do not introduce undue risk to the enterprise. The director also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations. Incident Response Point of Contact: Responsible for communicating with Virginia Information Technologies Agency (VITA) and coordinating agency actions with VITA in response to an information security incident. Information Owner: Responsible for creating initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification, and ensuring regular reviews for value and updates to manage changes to risk. User: Responsible for complying with the provisions of policies, procedures and practices.
7 Program Generic Sample Company incident response governing structure– Generic Sample Company LLC has a dedicated Incident Response Subcommittee (ISS) responsible for the governance of information security breaches, both internal and external. Elements forming Generic Sample Company LLC’s Information Security Department have developed the policy and procedures. Resources from both departments as well as Human Resources are also responsible for awareness, identification and disseminating resolution to all management and work group associated within Generic Sample Company. A multi-dimensional ISS organizational function chart is available on page (13) of this IRP, and further details the ISS incident response capabilities Generic Sample Company has, as well as identifying outside resource control such as the corporate (AISR)- Sera Brynn; the capacity by which they provide unbiased security resolution and data security prevention. Generic Sample Company utilizes a multi-tiered penetration testing platform provided by a certified PCI auditing firm in order to maintain the highest degree of security and integrity. (See. Page 13 for reference and graphic illustration) The Incident Response Program is composed of this plan in conjunction with policy and procedures. The following documents should be reviewed for a complete understanding of the program: 1. Generic Sample Company Information Security Incident Response Plan is located at the end of this document. 2. Generic Sample Company IR Procedure: Information Security Incident Response, located in Appendix at the end of this document. The related flowchart for this procedure is found at the end of this document as well. Information security incidents will be communicated in a manner allowing timely corrective action to be taken. This plan shows how Generic Sample Company’s Information Security Subcommittee will handle response to an incident, incident communication, incident response plan testing, training for response resources and awareness training The Information Security Incident Response Policy, Plan, and procedures will be reviewed annually or if significant changes occur to ensure their continuing adequacy and effectiveness. Each will have an owner who has approved management responsibility for its development, review, and evaluation. Reviews will include assessing opportunities for improvement and approach to managing information security incident response in regards to integrating lessons learned, to changes to the Generic Sample Company corporate environment, new threats and risks, business circumstances, legal and policy implications, and technical environment. Identification Identification of an incident is the process of analyzing an event and determining if that event is normal or if it is an incident. An incident is an adverse event and it usually implies either harm, or the attempt to harm Generic Sample Company or Generic Sample Company clients. Events occur routinely and will be examined for impact. Those showing either harm or intent to harm may be escalated to an incident. All Generic Sample Company employees, contractors and/or volunteers are responsible for this step. Also, notifying either the Compliance or IT Directors as well as communicating up through department heads and reporting directly to the Information Security Officer..
8 The term “incident” refers to an adverse event impacting one or more of Generic Sample Company’s information assets or to the threat of such an event. Examples include but are not limited to the following:  Unauthorized use  Denial of Service  Malicious code  Network system failures (widespread)  Application system failures (widespread)  Unauthorized disclosure or loss of information  Information Security Breach  Other Incidents can result from any of the following:  Intentional and unintentional acts  Actions of Generic Sample Company employees  Actions of vendors or constituents  Actions of third parties  External or internal acts  Credit card fraud  Potential violations of Statewide or National Policies  Natural disasters and power failures  Acts related to violence, warfare or terrorism  Serious wrongdoing  Other Incident Classification Once an event is determined to be an incident, several methods exist for classifying incidents. The President, Information Security Officer Directors of Compliance, Information Technology and Human Resources, with the help of the AISR; will classify, evaluate and determine the proper method of resolution for an external incident In the event of an internal breach, all above parties including the Department Head from which the internal incident resides will provide the same method of classification. The following factors are considered when evaluating incidents:  Criticality of systems that are (or could be) made unavailable  Value of the information compromised (if any)  Number of people or functions impacted  Business considerations  Public relations  Enterprise impact  Multi-agency scope
9 Triage The objective of the triage process is to gather information, assess the nature of an incident and begin making decisions about how to respond to it. It is critical to ensure when an incident is discovered and assessed the situation does not become more severe. Elements of compliance, IT and operations will be responsible for reporting triage information and development to the Information Security Officer.  What type of incident has occurred  Who is involved  What is the scope  What is the urgency  What is the impact thus far  What is the projected impact  What can be done to contain the incident  Are there other vulnerable or affected systems  What are the effects of the incident  What actions have been taken  Recommendations for proceeding  May perform analysis to identify the root cause of the incident Evidence Preservation Carefully balancing the need to restore operations against the need to preserve evidence is a critical part of incident response. Gathering evidence and preserving it are essential for proper identification of an incident, and for business recovery. Follow-up activities, such as personnel actions or criminal prosecution, also rely on gathering and preserving evidence. The Authorized Information Security Representative (AISR) who is a neutral 3rd party element, responsible for alerting Generic Sample Company of an incident is responsible for evidence preservation. Reason: Any potential evidence being held within Generic Sample Company’s departmental elements may be considered a conflict of interest and possibly impair further investigation. Forensics In information security incidents involving computers, when necessary Generic Sample Company IT Department will technically analyze computing devices to identify the cause of an incident or to analyze and preserve evidence. Generic Sample Company will practice the following general forensic guidelines:
10 o Keep good records of observations and actions taken. o Make forensically-sound images of systems and retain them in a secure place. o Establish chain of custody for evidence. o Provide basic forensic training to incident response staff, especially in preservation of evidence Elements of IT, compliance and operations are responsible for forensic development, storage and dissemination of analysis to the AISR and Senior Executive levels. Threat/Vulnerability Eradication After an incident, efforts will focus on identifying, removing and repairing the vulnerability that led to the incident and thoroughly clean the system. To do this, the vulnerability(s) needs to be clearly identified so the incident isn't repeated. The goal is to prepare for the resumption of normal operations with confidence that the initial problem has been fixed. The IT Department is responsible for alerting the Information Security Department of threat/vulnerability eradication. Confirm that Threat/Vulnerability has been Eliminated After the cause of an incident has been removed or eradicated and data or related information is restored, it is critical to confirm all threats and vulnerabilities have been successfully mitigated and that new threats or vulnerabilities have not been introduced. The IT department, who is responsible for eradication must have cross-departmental validation from compliance and corresponding departments before acknowledgment of the threat/vulnerability can be deemed eliminated. Resumption of Operations Resuming operations is a business decision, but it is important to conduct the preceding steps to ensure it is safe to do so. The Information Security Subcommittee (ISS) is responsible for reconvening and returning to resumption of operations by unanimous vote. Post-incident Activities An after-action analysis will be performed for all incidents. The analysis may consist of one or more meetings and/or reports. The purpose of the analysis is to give participants an opportunity to share and document details about the incident and to facilitate lessons learned. The meetings should be held within one week of closing the incident. This responsibility falls on ISS directors to coordinate with Human Resources in order to develop a lesson plan for future training opportunities. Education and Awareness Generic Sample Company shall ensure that incident response is addressed in education and awareness programs. The programs shall address:
11 The training module for post-incident activities is a method in development and will eventually be intranet facilitated by the department of human resources, and be made available to all Generic Sample Company employees. A test model for this training is in pre-production. Generic Sample Company Department of Human Resources will facilitate an open training program to all employees, management, department heads and senior executives. Communications Communication is vital to incident response. Therefore, it is important to control communication surrounding an incident so communications is appropriate and effective. Generic Sample Company should consider the following aspects of incident communication: □ Define circumstances when employees, customers and partners may or may not be informed of the issue □ Disclosure of incident information should be limited to a need to know basis □ Establish procedures for controlling communication with the media □ Establish procedure for communicating securely during an incident □ Have contact information for Sera Brynn, vendors contracted to help during a security emergency, as well as relevant technology providers □ Have contact information for customers and clients in the event they are affected by an incident Because of the sensitive and confidential nature of information and communication surrounding an incident, all communication must be through secure channels. Verbal and written communication is the only acceptable method of communication surrounding incident response. Secure communication through face-to-face conversation, documentation, email: only in proper context as to not compromise the confidentiality of an incident. ISS Directors, Senior Executives, Incident Response Resources (i.e. - AISR, IT, Compliance, HR and Operations as well as specific personnel) have direct involvement in incident response and the resolution process. Compliance Generic Sample Company LLC, is responsible for implementing and ensuring compliance with all applicable laws, rules, policies, and regulations. Consider potential communication channels for different circumstances, e.g., your plan may be different for an employee as opposed to a customer data breach. • Generic Sample Company’s Department of Human Resources • Generic Sample Company Authorized Information Security Representative (AISR) • State Chief Information Security Officer: Samuel A. Nixon Jr. – (804) 416-6100 • Department of Justice • Virginia State Police – 804-674-2133 (Bureau of Criminal Investigation)
12 • Other agencies that may be affected • If security breach affects more than 1,000 consumers, contact all major consumer- reporting agencies that compile and maintain reports on consumers on a nationwide basis; inform them of the timing, distribution and content of the notification given to the consumers. • Contact the credit monitoring bureaus in advance if directing potential victims to call them Experian – 1-888-397-3742 Generic Sample Company maintains personal information of consumers and will notify customers if personal information has been subject to a security breach in accordance with the Virginia (Va. Code Ann. § 59.1-443.2 (2005). The notification will be done as soon as possible, in one of the following manners:  Written notification  Electronic, if this is the customary means of communication between you and your customer, or  Telephone notice provided that you can directly contact your customer. Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. If an investigation into the breach or consultation with a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required. Substitute notice If the cost of notifying customers would exceed $250,000, that the number of those who need to be contacted is more than $350,000, or if there isn’t means to sufficiently contact consumers, substitute notice will be given. Substitute notice consists of:  Conspicuous posting of the notice or a link to the notice on your Web site if one is maintained, and  Notification to major Virginia Commonwealth television and newspaper media. Notifying credit-reporting agencies If the security breach affects more than 1,000 consumers Generic Sample Company will report to all nationwide credit-reporting agencies, without reasonable delay, the timing, distribution, and the content of the notice given to the affected consumers. Implementation Generic Sample Company, LLC has embarked upon a process to meet the growing demands of information security. By creating an incident response plan that works in accordance with the Virginia Information Technology Agency (VITA), Generic Sample Company LLC is taking the necessary steps to becoming a leader by adhering to laws and regulation set forth by the Commonwealth of Virginia.
13 Approval By: Name, title Date By: Name, title Date By: Name, title Date By: Name, title Date
14 Information Security Subcommittee Organizational Function Example CEO, President, Information Security Officer AISR, IT Director, Compliance Director, HR Director Functional Role ExamplesResponsibilities • Oversee overall “Corporate Security Posture” (Directs Info. Sec. Subcommittee) • Brief board, customers, public • Set security policy, procedures, program, training for Company • Respond to security breaches (investigate, mitigate, litigate) • Responsible for independent Annual audit coordination • Implement/audit/enforce/assess Compliance • Communicate policies, program (Training) • Implement Policy, Report security vulnerabilities and/or breeches • Authorized Information Security Representative • National Directors • Directors of IT and Compliance • Department of Human Resource • President  Information Security Officer • Department Heads • RVP’s • Managers • FinFit Staff/Employees/Support Staff The Red and Green elements of this graph will compose the Information Security Subcommittee. The Authorized Information Security Rep, IT Director, Compliance Director and Director of Human Resources will be responsible for meeting on all initial Incident Response issues and disseminating policies and procedures to department heads, RVP’s, managers and Generic Sample Company’s staff.
15 Types of Incidents There are many types of computer incidents that may require Incident Response activation. Some examples include: •Breach of personal information •Denial of service/Distributed denial of service •Excessive port scans •Firewall breach •Virus outbreak Senior Executive – Information Security Officer: Reports to President/CEO • Oversees ISS plan of action • Contacts auxiliary departments as appropriate Authorized Information Security Representative/Director of Compliance • Determines the nature and scope of the incident • Contacts members of the Incident Response Team • Determines which Incident Response Team members play an active role in the investigation • Escalates to executive management as appropriate • Monitors progress of the investigation • Ensures evidence gathering, chain of custody and preservation is appropriate • Central point of contact for all computer incidents • Notifies Information Security Office to activate computer incident response team Directors of Compliance/HR • Coordinates activities with the Information Technology Department • Documents the types of personal information that may have been breached • Provides guidance throughout the investigation on issues relating to privacy of customer and employee personal information • Develops appropriate communication to impacted parties • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Provides proper training on incident handling • Collects pertinent information regarding the incident at the request of the Information Security Officer Director of IT/Network Admin • Analyzes network traffic for signs of denial of service, distributed denial of service or other external attacks • Runs tracing tools such as sniffers, transmission control protocol (TCP) port monitors and event loggers • Looks for signs of a firewall breach • Contacts external Internet service provider for assistance in handling the incident • Takes action necessary to block traffic from suspected intruder Operating Systems Architecture • Ensures all service packs and patches are current on mission-critical computers • Ensures backups are in place for all critical systems • Examines system logs of critical systems for unusual activity & Business Applications • Monitors business applications and services for signs of attack • Prepares a written summary of the incident and corrective action taken by Information Technology Department • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Reports directly to the Information Security Officer
16 Network Admin/Authorized Information Security Representative • Alerts other elements of ISS for potential security breaches • Provides critical information on types of personal information that may have been breached • Provides guidance throughout the investigation on issues relating to privacy of customer and employee personal information • Assists in developing appropriate communication to impacted parties • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Reviews audit logs of mission-critical servers for signs of suspicious activity • Contacts the Information Security/Technology Department(s) with any information relating to a suspected breach

More Related Content

PDF
Vskills Certified Network Security Professional Sample Material
Vskills
 
PPTX
Information risk management
Akash Saraswat
 
PPT
Information Risk Management Overview
elvinchan
 
PDF
It risk assessment
Happiest Minds Technologies
 
DOCX
Information security management iso27001
Hiran Kanishka
 
PDF
Outsourcing
karlhennessy
 
PDF
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
DOC
Automated Incident Handling Using SIM
Anton Chuvakin
 
Vskills Certified Network Security Professional Sample Material
Vskills
 
Information risk management
Akash Saraswat
 
Information Risk Management Overview
elvinchan
 
It risk assessment
Happiest Minds Technologies
 
Information security management iso27001
Hiran Kanishka
 
Outsourcing
karlhennessy
 
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Automated Incident Handling Using SIM
Anton Chuvakin
 

What's hot (20)

PPT
Information Security Background
Nicholas Davis
 
PDF
Information Security Risk Management
Ersoy AKSOY
 
PPT
1. security management practices
7wounders
 
PDF
Understanding security operation.pptx
Piyush Jain
 
PDF
Incident response methodology
Piyush Jain
 
PDF
Healthcare Cybersecurity Whitepaper FINAL
Steve Knapp
 
PPT
2. Improving an Existing Sec Sys
Micheal Isreal
 
PDF
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
Ben Browning
 
PDF
SBIC Report : Transforming Information Security: Future-Proofing Processes
EMC
 
DOCX
Cyb 690 cybersecurity program template directions the foll
AISHA232980
 
PPTX
Logging, monitoring and auditing
Piyush Jain
 
PDF
Ch4 cism 2014
Aladdin Dandis
 
PPTX
Risk Management and Security in Strategic Planning
Keyaan Williams
 
PDF
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
PPT
Security Lifecycle Management
Barry Caplin
 
PDF
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
PDF
Risk Assessments
JoAnna Cheshire
 
PDF
Risk Assessment Case Study
Praveen Vackayil
 
PPTX
PACE-IT, Security+ 2.2: Integrating Data and Systems with 3rd Parties
Pace IT at Edmonds Community College
 
PDF
Information Security - Implementation Effectiveness
Venkidesan Narayanan
 
Information Security Background
Nicholas Davis
 
Information Security Risk Management
Ersoy AKSOY
 
1. security management practices
7wounders
 
Understanding security operation.pptx
Piyush Jain
 
Incident response methodology
Piyush Jain
 
Healthcare Cybersecurity Whitepaper FINAL
Steve Knapp
 
2. Improving an Existing Sec Sys
Micheal Isreal
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
Ben Browning
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
EMC
 
Cyb 690 cybersecurity program template directions the foll
AISHA232980
 
Logging, monitoring and auditing
Piyush Jain
 
Ch4 cism 2014
Aladdin Dandis
 
Risk Management and Security in Strategic Planning
Keyaan Williams
 
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
Security Lifecycle Management
Barry Caplin
 
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
Risk Assessments
JoAnna Cheshire
 
Risk Assessment Case Study
Praveen Vackayil
 
PACE-IT, Security+ 2.2: Integrating Data and Systems with 3rd Parties
Pace IT at Edmonds Community College
 
Information Security - Implementation Effectiveness
Venkidesan Narayanan
 
Ad

Similar to Generic_Sample_incidentresponseplanIRP_ISS_2016 (20)

PPTX
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
PPTX
Chapter-Seven.pptxhmhjmhjkhjkhjkljlhjkhjkhj
Shemse Shukre
 
PPT
Convergence innovative integration of security
ciso_insights
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
geradojengel
 
PPT
Information security background
Nicholas Davis
 
PDF
Risk Management
ijtsrd
 
PDF
5 Steps to Mobile Risk Management
DMIMarketing
 
PDF
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
PDF
Domain1_Security_Principles --(My_Notes)
efs14135
 
DOCX
IT 552 Module Five Assignment Rubric The purpose of t.docx
christiandean12115
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
schiemrossg3
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
DOCX
E’s Data Security Company Strategic Security Plan – 2015.docx
mydrynan
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
PPT
Information Security
chenpingling
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
marrincehiz
 
DOCX
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
SALU18
 
PDF
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
Chapter-Seven.pptxhmhjmhjkhjkhjkljlhjkhjkhj
Shemse Shukre
 
Convergence innovative integration of security
ciso_insights
 
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
geradojengel
 
Information security background
Nicholas Davis
 
Risk Management
ijtsrd
 
5 Steps to Mobile Risk Management
DMIMarketing
 
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
Domain1_Security_Principles --(My_Notes)
efs14135
 
IT 552 Module Five Assignment Rubric The purpose of t.docx
christiandean12115
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
schiemrossg3
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
E’s Data Security Company Strategic Security Plan – 2015.docx
mydrynan
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
Information Security
chenpingling
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
marrincehiz
 
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
SALU18
 
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Ad

Generic_Sample_incidentresponseplanIRP_ISS_2016

  • 1. 1 Generic Sample Company, LLC. Information Security Incident Response Plan Agency: Generic Sample Company, LLC. Date: 09/24/2014 Revised: 5/16/2016 Written by: Samuel A. Loomis Contact: Information Security Director’s Fist and Last Name
  • 2. 2
  • 3. 3 TABLE OF CONTENTS Introduction ..................................................................................................... 4 Incident Response Plan.................................................................................... 4 Information Security Subcommittee................................................................ 4 Terms and Definitions ................................................................................... 5,5 Roles and Responsibilities................................................................................ 6 Program............................................................................................................ 7 Education and Awareness .............................................................................. 10 Communications............................................................................................. 11 Compliance............................................................................................... 11, 11 Implementation.............................................................................................. 12 Approval......................................................................................................... 13 Information Security Subcommittee (ISS) Structure .................................... 13 ISS Responsibilities and Functions .............................................................. 133
  • 4. 4 Introduction The CLEAN credit and Identity Theft Protection Act of Virginia (Va. Code Ann. § 59.1-443.2 (2005) requires agencies to develop the capacity to respond to incidents that involve the security of information. Agencies must implement forensic techniques and remedies, and consider lessons learned. The statute also requires reporting incidents and plans to the Virginia Information Technology Agency (VITA). The CLEAN credit and Identity Theft Protection Act of Virginia (Va. Code Ann. § 59.1-443.2 (2005) requires agencies to take specific actions in cases where compromise of personally identifiable information has occurred. This plan addresses these requirements. Generic Sample Company has developed this Information Security Incident Response Plan to implement its incident-response processes and procedures effectively, and to ensure that all Generic Sample Company employees understand them. The intent of this document is to: o describe the process of responding to an incident, o educate employees, and o build awareness of security requirements. Incident Response Plan An incident response plan or IRP brings together and organizes every resource necessary for dealing with any event that harms or threatens Generic Sample Company’s security of information assets. Events may be defined as, but not limited to: malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. The goal at Generic Sample Company is to facilitate quick and efficient response to incidents, and to limit their impact while protecting our information assets. This plan defines key roles and responsibilities, documents the steps necessary for effectively and efficient governance during an information security incident, and lastly defines channels of communication. The plan also prescribes the education needed to achieve these objectives. An Incident Response is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Information Security Subcommittee’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Information Security Subcommittee is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The ISS is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The ISS will coordinate these investigations. The ISS will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.
  • 5. 5 Information Security Subcommittee Each of the followingareaswill have aprimaryandalternate member: • SeniorExecutive- President/Sr.VP/InformationSecurityOfficer • InformationTechnologyDirector(ITD) • Directorof Compliance (Compliance) • Directorof Human Resources(HR) • Directorof Operations(OPS) • AuthorizedInformationSecurityRepresentative(AISR) Terms and Definitions Asset: Anything that has value to the agency Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal in nature. Incident: A single or a series of unwanted or unexpected information security events (see definition of "information security event") that result in harm, or pose a significant threat of harm to information assets and require non-routine preventative or corrective action. Incident Response Plan: Written document that states the approach to addressing and managing incidents. Incident Response Policy: Written document that defines organizational structure for incident response, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents. Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents. Incident Response Program: Combination of incident response policy, plan, and procedures. Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication. Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
  • 6. 6 Information Security Event: An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations. Threat: A potential cause of an unwanted incident, which may result in harm to a system or the agency Roles and Responsibilities The following are suggested roles and responsibilities Generic Sample Company has considered: incident response team members, incident commander, and agency point of contact to interface with the Virginia Information Technology Agency (required by statewide policy: Code of Virginia § 2.2-603.F). Senior Executive (INFO SEC Officer): Responsible for overall day-to-day operations at Generic Sample Company Information Security Subcommittee: (ISS) Consists of Directors of IT, Compliance, Operations and HR reporting directly to the Information Security Officer. Responsible for maintaining compliance and governance of information security during an incident, data breach, or internal breach. ISS Directors orchestrate classification, triage, evidence preservation, forensics, eradication, elimination and resumption of operations within Generic Sample Company. Authorized Information Security Rep: Responsible for information security at Generic Sample Company, for reducing risk exposure, and for ensuring the agency’s activities do not introduce undue risk to the enterprise. The director also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations. Incident Response Point of Contact: Responsible for communicating with Virginia Information Technologies Agency (VITA) and coordinating agency actions with VITA in response to an information security incident. Information Owner: Responsible for creating initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification, and ensuring regular reviews for value and updates to manage changes to risk. User: Responsible for complying with the provisions of policies, procedures and practices.
  • 7. 7 Program Generic Sample Company incident response governing structure– Generic Sample Company LLC has a dedicated Incident Response Subcommittee (ISS) responsible for the governance of information security breaches, both internal and external. Elements forming Generic Sample Company LLC’s Information Security Department have developed the policy and procedures. Resources from both departments as well as Human Resources are also responsible for awareness, identification and disseminating resolution to all management and work group associated within Generic Sample Company. A multi-dimensional ISS organizational function chart is available on page (13) of this IRP, and further details the ISS incident response capabilities Generic Sample Company has, as well as identifying outside resource control such as the corporate (AISR)- Sera Brynn; the capacity by which they provide unbiased security resolution and data security prevention. Generic Sample Company utilizes a multi-tiered penetration testing platform provided by a certified PCI auditing firm in order to maintain the highest degree of security and integrity. (See. Page 13 for reference and graphic illustration) The Incident Response Program is composed of this plan in conjunction with policy and procedures. The following documents should be reviewed for a complete understanding of the program: 1. Generic Sample Company Information Security Incident Response Plan is located at the end of this document. 2. Generic Sample Company IR Procedure: Information Security Incident Response, located in Appendix at the end of this document. The related flowchart for this procedure is found at the end of this document as well. Information security incidents will be communicated in a manner allowing timely corrective action to be taken. This plan shows how Generic Sample Company’s Information Security Subcommittee will handle response to an incident, incident communication, incident response plan testing, training for response resources and awareness training The Information Security Incident Response Policy, Plan, and procedures will be reviewed annually or if significant changes occur to ensure their continuing adequacy and effectiveness. Each will have an owner who has approved management responsibility for its development, review, and evaluation. Reviews will include assessing opportunities for improvement and approach to managing information security incident response in regards to integrating lessons learned, to changes to the Generic Sample Company corporate environment, new threats and risks, business circumstances, legal and policy implications, and technical environment. Identification Identification of an incident is the process of analyzing an event and determining if that event is normal or if it is an incident. An incident is an adverse event and it usually implies either harm, or the attempt to harm Generic Sample Company or Generic Sample Company clients. Events occur routinely and will be examined for impact. Those showing either harm or intent to harm may be escalated to an incident. All Generic Sample Company employees, contractors and/or volunteers are responsible for this step. Also, notifying either the Compliance or IT Directors as well as communicating up through department heads and reporting directly to the Information Security Officer..
  • 8. 8 The term “incident” refers to an adverse event impacting one or more of Generic Sample Company’s information assets or to the threat of such an event. Examples include but are not limited to the following:  Unauthorized use  Denial of Service  Malicious code  Network system failures (widespread)  Application system failures (widespread)  Unauthorized disclosure or loss of information  Information Security Breach  Other Incidents can result from any of the following:  Intentional and unintentional acts  Actions of Generic Sample Company employees  Actions of vendors or constituents  Actions of third parties  External or internal acts  Credit card fraud  Potential violations of Statewide or National Policies  Natural disasters and power failures  Acts related to violence, warfare or terrorism  Serious wrongdoing  Other Incident Classification Once an event is determined to be an incident, several methods exist for classifying incidents. The President, Information Security Officer Directors of Compliance, Information Technology and Human Resources, with the help of the AISR; will classify, evaluate and determine the proper method of resolution for an external incident In the event of an internal breach, all above parties including the Department Head from which the internal incident resides will provide the same method of classification. The following factors are considered when evaluating incidents:  Criticality of systems that are (or could be) made unavailable  Value of the information compromised (if any)  Number of people or functions impacted  Business considerations  Public relations  Enterprise impact  Multi-agency scope
  • 9. 9 Triage The objective of the triage process is to gather information, assess the nature of an incident and begin making decisions about how to respond to it. It is critical to ensure when an incident is discovered and assessed the situation does not become more severe. Elements of compliance, IT and operations will be responsible for reporting triage information and development to the Information Security Officer.  What type of incident has occurred  Who is involved  What is the scope  What is the urgency  What is the impact thus far  What is the projected impact  What can be done to contain the incident  Are there other vulnerable or affected systems  What are the effects of the incident  What actions have been taken  Recommendations for proceeding  May perform analysis to identify the root cause of the incident Evidence Preservation Carefully balancing the need to restore operations against the need to preserve evidence is a critical part of incident response. Gathering evidence and preserving it are essential for proper identification of an incident, and for business recovery. Follow-up activities, such as personnel actions or criminal prosecution, also rely on gathering and preserving evidence. The Authorized Information Security Representative (AISR) who is a neutral 3rd party element, responsible for alerting Generic Sample Company of an incident is responsible for evidence preservation. Reason: Any potential evidence being held within Generic Sample Company’s departmental elements may be considered a conflict of interest and possibly impair further investigation. Forensics In information security incidents involving computers, when necessary Generic Sample Company IT Department will technically analyze computing devices to identify the cause of an incident or to analyze and preserve evidence. Generic Sample Company will practice the following general forensic guidelines:
  • 10. 10 o Keep good records of observations and actions taken. o Make forensically-sound images of systems and retain them in a secure place. o Establish chain of custody for evidence. o Provide basic forensic training to incident response staff, especially in preservation of evidence Elements of IT, compliance and operations are responsible for forensic development, storage and dissemination of analysis to the AISR and Senior Executive levels. Threat/Vulnerability Eradication After an incident, efforts will focus on identifying, removing and repairing the vulnerability that led to the incident and thoroughly clean the system. To do this, the vulnerability(s) needs to be clearly identified so the incident isn't repeated. The goal is to prepare for the resumption of normal operations with confidence that the initial problem has been fixed. The IT Department is responsible for alerting the Information Security Department of threat/vulnerability eradication. Confirm that Threat/Vulnerability has been Eliminated After the cause of an incident has been removed or eradicated and data or related information is restored, it is critical to confirm all threats and vulnerabilities have been successfully mitigated and that new threats or vulnerabilities have not been introduced. The IT department, who is responsible for eradication must have cross-departmental validation from compliance and corresponding departments before acknowledgment of the threat/vulnerability can be deemed eliminated. Resumption of Operations Resuming operations is a business decision, but it is important to conduct the preceding steps to ensure it is safe to do so. The Information Security Subcommittee (ISS) is responsible for reconvening and returning to resumption of operations by unanimous vote. Post-incident Activities An after-action analysis will be performed for all incidents. The analysis may consist of one or more meetings and/or reports. The purpose of the analysis is to give participants an opportunity to share and document details about the incident and to facilitate lessons learned. The meetings should be held within one week of closing the incident. This responsibility falls on ISS directors to coordinate with Human Resources in order to develop a lesson plan for future training opportunities. Education and Awareness Generic Sample Company shall ensure that incident response is addressed in education and awareness programs. The programs shall address:
  • 11. 11 The training module for post-incident activities is a method in development and will eventually be intranet facilitated by the department of human resources, and be made available to all Generic Sample Company employees. A test model for this training is in pre-production. Generic Sample Company Department of Human Resources will facilitate an open training program to all employees, management, department heads and senior executives. Communications Communication is vital to incident response. Therefore, it is important to control communication surrounding an incident so communications is appropriate and effective. Generic Sample Company should consider the following aspects of incident communication: □ Define circumstances when employees, customers and partners may or may not be informed of the issue □ Disclosure of incident information should be limited to a need to know basis □ Establish procedures for controlling communication with the media □ Establish procedure for communicating securely during an incident □ Have contact information for Sera Brynn, vendors contracted to help during a security emergency, as well as relevant technology providers □ Have contact information for customers and clients in the event they are affected by an incident Because of the sensitive and confidential nature of information and communication surrounding an incident, all communication must be through secure channels. Verbal and written communication is the only acceptable method of communication surrounding incident response. Secure communication through face-to-face conversation, documentation, email: only in proper context as to not compromise the confidentiality of an incident. ISS Directors, Senior Executives, Incident Response Resources (i.e. - AISR, IT, Compliance, HR and Operations as well as specific personnel) have direct involvement in incident response and the resolution process. Compliance Generic Sample Company LLC, is responsible for implementing and ensuring compliance with all applicable laws, rules, policies, and regulations. Consider potential communication channels for different circumstances, e.g., your plan may be different for an employee as opposed to a customer data breach. • Generic Sample Company’s Department of Human Resources • Generic Sample Company Authorized Information Security Representative (AISR) • State Chief Information Security Officer: Samuel A. Nixon Jr. – (804) 416-6100 • Department of Justice • Virginia State Police – 804-674-2133 (Bureau of Criminal Investigation)
  • 12. 12 • Other agencies that may be affected • If security breach affects more than 1,000 consumers, contact all major consumer- reporting agencies that compile and maintain reports on consumers on a nationwide basis; inform them of the timing, distribution and content of the notification given to the consumers. • Contact the credit monitoring bureaus in advance if directing potential victims to call them Experian – 1-888-397-3742 Generic Sample Company maintains personal information of consumers and will notify customers if personal information has been subject to a security breach in accordance with the Virginia (Va. Code Ann. § 59.1-443.2 (2005). The notification will be done as soon as possible, in one of the following manners:  Written notification  Electronic, if this is the customary means of communication between you and your customer, or  Telephone notice provided that you can directly contact your customer. Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. If an investigation into the breach or consultation with a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required. Substitute notice If the cost of notifying customers would exceed $250,000, that the number of those who need to be contacted is more than $350,000, or if there isn’t means to sufficiently contact consumers, substitute notice will be given. Substitute notice consists of:  Conspicuous posting of the notice or a link to the notice on your Web site if one is maintained, and  Notification to major Virginia Commonwealth television and newspaper media. Notifying credit-reporting agencies If the security breach affects more than 1,000 consumers Generic Sample Company will report to all nationwide credit-reporting agencies, without reasonable delay, the timing, distribution, and the content of the notice given to the affected consumers. Implementation Generic Sample Company, LLC has embarked upon a process to meet the growing demands of information security. By creating an incident response plan that works in accordance with the Virginia Information Technology Agency (VITA), Generic Sample Company LLC is taking the necessary steps to becoming a leader by adhering to laws and regulation set forth by the Commonwealth of Virginia.
  • 13. 13 Approval By: Name, title Date By: Name, title Date By: Name, title Date By: Name, title Date
  • 14. 14 Information Security Subcommittee Organizational Function Example CEO, President, Information Security Officer AISR, IT Director, Compliance Director, HR Director Functional Role ExamplesResponsibilities • Oversee overall “Corporate Security Posture” (Directs Info. Sec. Subcommittee) • Brief board, customers, public • Set security policy, procedures, program, training for Company • Respond to security breaches (investigate, mitigate, litigate) • Responsible for independent Annual audit coordination • Implement/audit/enforce/assess Compliance • Communicate policies, program (Training) • Implement Policy, Report security vulnerabilities and/or breeches • Authorized Information Security Representative • National Directors • Directors of IT and Compliance • Department of Human Resource • President  Information Security Officer • Department Heads • RVP’s • Managers • FinFit Staff/Employees/Support Staff The Red and Green elements of this graph will compose the Information Security Subcommittee. The Authorized Information Security Rep, IT Director, Compliance Director and Director of Human Resources will be responsible for meeting on all initial Incident Response issues and disseminating policies and procedures to department heads, RVP’s, managers and Generic Sample Company’s staff.
  • 15. 15 Types of Incidents There are many types of computer incidents that may require Incident Response activation. Some examples include: •Breach of personal information •Denial of service/Distributed denial of service •Excessive port scans •Firewall breach •Virus outbreak Senior Executive – Information Security Officer: Reports to President/CEO • Oversees ISS plan of action • Contacts auxiliary departments as appropriate Authorized Information Security Representative/Director of Compliance • Determines the nature and scope of the incident • Contacts members of the Incident Response Team • Determines which Incident Response Team members play an active role in the investigation • Escalates to executive management as appropriate • Monitors progress of the investigation • Ensures evidence gathering, chain of custody and preservation is appropriate • Central point of contact for all computer incidents • Notifies Information Security Office to activate computer incident response team Directors of Compliance/HR • Coordinates activities with the Information Technology Department • Documents the types of personal information that may have been breached • Provides guidance throughout the investigation on issues relating to privacy of customer and employee personal information • Develops appropriate communication to impacted parties • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Provides proper training on incident handling • Collects pertinent information regarding the incident at the request of the Information Security Officer Director of IT/Network Admin • Analyzes network traffic for signs of denial of service, distributed denial of service or other external attacks • Runs tracing tools such as sniffers, transmission control protocol (TCP) port monitors and event loggers • Looks for signs of a firewall breach • Contacts external Internet service provider for assistance in handling the incident • Takes action necessary to block traffic from suspected intruder Operating Systems Architecture • Ensures all service packs and patches are current on mission-critical computers • Ensures backups are in place for all critical systems • Examines system logs of critical systems for unusual activity & Business Applications • Monitors business applications and services for signs of attack • Prepares a written summary of the incident and corrective action taken by Information Technology Department • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Reports directly to the Information Security Officer
  • 16. 16 Network Admin/Authorized Information Security Representative • Alerts other elements of ISS for potential security breaches • Provides critical information on types of personal information that may have been breached • Provides guidance throughout the investigation on issues relating to privacy of customer and employee personal information • Assists in developing appropriate communication to impacted parties • Assesses the need to change privacy policies, procedures, and/or practices as a result of the breach • Reviews audit logs of mission-critical servers for signs of suspicious activity • Contacts the Information Security/Technology Department(s) with any information relating to a suspected breach