Information Security Incident Response Plan
Agency: Date: Contact:
TABLE OF CONTENTS
Introduction
Authority
Terms and Definitions
Roles and Responsibilities
Program
Education and Awareness
Communications
Compliance
Implementation
Approval
Introduction
Note to agencies – The purpose of an information security incident response program is to ensure the effective response and handling of security incidents that affect the availability, integrity, or confidentiality of agency information assets. In addition, an incident response program will ensure information security events, incidents and vulnerabilities associated with information assets and information systems are communicated in a manner enabling timely corrective action. This template is intended to be a guide to assist in the development of an agency incident response plan, one component of an incident response program. Agencies may have various capacities and business needs affecting the implementation of these guidelines. This information security incident response plan template was created to align with the statewide Information Security Incident Response Policy 107-004-xxx.
ORS 182.122 requires agencies to develop the capacity to respond to incidents that involve the security of information. Agencies must implement forensic techniques and remedies, and consider lessons learned. The statute also requires reporting incidents and plans to the Enterprise Security Office. The Oregon Consumer Identity Theft Protection Act (ORS 646A.600) requires agencies to take specific actions in cases where compromise of personally identifiable information has occurred. This plan addresses these requirements. The <agency> has developed this Information Security Incident Response Plan to implement its incident-response processes and procedures effectively, and to ensure that employees understand them. The intent of this document is to:
o describe the process of responding to an incident,
o educate employees, and
o build awareness of security requirements.
An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. The goal is to facilitate quick and efficient response to incidents, and to limit their impact while protecting the state's information assets. The plan defines roles and responsibilities, documents the steps necessary for effectively and efficiently managing an information security incident, and defines channels of communication. The plan also prescribes the education needed to achieve these objectives.
Authority
Statewide information security policies:

Policy Number    Policy Title                                          Effective Date
107-004-050      Information Asset Classification                      1/1/2008
107-004-051      Controlling Portable and Removable Storage Devices    7/30/2007
107-004-052      Information Security                                  7/30/2007
107-004-053      Employee Security                                     7/30/2007
107-004-100      Transporting Information Assets                       1/1/2008
107-004-110      Acceptable Use of State Information Assets            10/16/2007
107-004-xxx      Information Security Incident Response                draft

<agency> information security policies:

Policy Number    Policy Title                                          Effective Date
Terms and Definitions
Note to agencies – Agencies should adjust definitions as necessary to best meet their business environment.
Asset: Anything that has value to the agency.
Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature.
Incident: A single or a series of unwanted or unexpected information security events (see definition of "information security event") that result in harm, or pose a significant threat of harm, to information assets and require non-routine preventative or corrective action.
Incident Response Plan: Written document that states the approach to addressing and responding to incidents, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents.
Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents.
Incident Response Program: Combination of incident response policy, plan, and procedures.
Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication.
Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Information Security Event: An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations.
Threat: A potential cause of an unwanted incident, which may result in harm to a system or the agency.
Roles and Responsibilities
Note to agencies – These role descriptions come from the statewide information security policies and are presented here simply as an example. Agencies should adjust these descriptions as necessary to best meet their business environment and include any additional roles that have been identified in the agency that apply, such as Security Officer, Privacy Officer, etc. Agencies need to identify roles and responsibilities and identify who is responsible for incident response preparation and planning, discovery, reporting, response, investigation, recovery, follow-up and lessons learned. Staffing will be dependent on agency capabilities. The same person may fulfill one or more of these roles provided there is sufficient backup coverage. The following are suggested roles and responsibilities an agency should consider: incident response team members, incident commander, and agency point of contact to interface with the State Incident Response Team (required by statewide policy).
Agency Director
Responsible for information security in the agency, for reducing risk exposure, and for ensuring the agency's activities do not introduce undue risk to the enterprise. The director also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations.
Incident Response Point of Contact
Responsible for communicating with the State Incident Response Team (SIRT) and coordinating agency actions with SIRT in response to an information security incident.
Information Owner
Responsible for creating initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification, and ensuring regular reviews for value and updates to manage changes to risk.
User
Responsible for complying with the provisions of policies, procedures and practices.
Program
[Detail on agency governance structure – identify who is responsible for managing information security incident response for the agency, who is responsible for developing policy, who is responsible for developing procedures, who is responsible for awareness, identification of any governing bodies such as management committees and work groups, etc. Include what information security incident response capabilities the agency has or identify outside resources and their capabilities. Include how the agency will test the plan and the frequency. Include other related program areas such as business continuity planning, risk management, and privacy as they relate to incident response.]
Note to agencies – Procedures may include Incident Reporting Procedures for staff, management, information technology, and Point of Contact.
The Incident Response Program is composed of this plan in conjunction with policy and procedures. The following documents should be reviewed for a complete understanding of the program:
1. Information Security Incident Response, Policy Number ???-??, located in Appendix at the end of this document.
2. Procedure: Information Security Incident Response, located in Appendix at the end of this document. The related flowchart for this procedure is found in Appendix at the end of this document.
Information security incidents will be communicated in a manner allowing timely corrective action to be taken. This plan shows how the <agency> will handle response to an incident, incident communication, incident response plan testing, training for response resources and awareness training.
The Information Security Incident Response Policy, Plan, and procedures will be reviewed [insert interval here, i.e. annually] or if significant changes occur, to ensure their continuing adequacy and effectiveness. Each will have an owner who has approved management responsibility for its development, review, and evaluation. Reviews will include assessing opportunities for improvement and the approach to managing information security incident response in regard to integrating lessons learned, changes to the environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.
Identification
Identification of an incident is the process of analyzing an event and determining if that event is normal or if it is an incident. An incident is an adverse event and it usually implies either harm, or the attempt to harm the <agency>. Events occur routinely and will be examined for impact. Those showing either harm or intent to harm may be escalated to an incident.
[Detail who is responsible for this step and the process that will be used]
The term "incident" refers to an adverse event impacting one or more of the <agency>'s information assets, or to the threat of such an event. Examples include but are not limited to the following:
• Unauthorized use
• Denial of Service
• Malicious code
• Network system failures (widespread)
• Application system failures (widespread)
• Unauthorized disclosure or loss of information
• Information Security Breach
• Other
Incidents can result from any of the following:
• Intentional and unintentional acts
• Actions of state employees
• Actions of vendors or constituents
• Actions of third parties
• External or internal acts
• Credit card fraud
• Potential violations of Statewide or <agency>'s Policies
• Natural disasters and power failures
• Acts related to violence, warfare or terrorism
• Serious wrongdoing
• Other
Incident Classification
Once an event is determined to be an incident, several methods exist for classifying incidents.
[Detail who is responsible for this step and the process that will be used]
The following factors are considered when evaluating incidents:
• Criticality of systems that are (or could be) made unavailable
• Value of the information compromised (if any)
• Number of people or functions impacted
• Business considerations
• Public relations
• Enterprise impact
• Multi-agency scope
Triage
The objective of the triage process is to gather information, assess the nature of an incident and begin making decisions about how to respond to it. It is critical to ensure that when an incident is discovered and assessed the situation does not become more severe.
[Detail who is responsible for this step and the process that will be used]
• What type of incident has occurred
• Who is involved
• What is the scope
• What is the urgency
• What is the impact thus far
• What is the projected impact
• What can be done to contain the incident
• Are there other vulnerable or affected systems
• What are the effects of the incident
• What actions have been taken
• Recommendations for proceeding
• May perform analysis to identify the root cause of the incident
Evidence Preservation
Carefully balancing the need to restore operations against the need to preserve evidence is a critical part of incident response. Gathering evidence and preserving it are essential for proper identification of an incident, and for business recovery. Follow-up activities, such as personnel actions or criminal prosecution, also rely on gathering and preserving evidence.
[Detail who is responsible for this step and the process that will be used]
Forensics
Note to agencies – In cases involving potential exposure of personally identifiable information it is recommended that technical analysis be performed.
In information security incidents involving computers, when necessary the <agency> will technically analyze computing devices to identify the cause of an incident or to analyze and preserve evidence. The <agency> will practice the following general forensic guidelines:
o Keep good records of observations and actions taken.
o Make forensically-sound images of systems and retain them in a secure place.
o Establish chain of custody for evidence.
o Provide basic forensic training to incident response staff, especially in preservation of evidence.
[Detail who is responsible for this step and the process that will be used]
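The two guidelines on forensically-sound images and chain of custody are usually implemented together: the image is hashed at acquisition and re-hashed at every hand-off, so the custody record itself shows whether the evidence is still the evidence. The following is an added Python illustration written for this page, not part of the template or of any state procedure; the CustodyLog class, its field names and the constructed sample image are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash an evidence file in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item (hypothetical helper).

    Each entry stores who took custody, when, why, and the hash observed at that
    moment; a later mismatch therefore pins down the hand-off at which the image changed.
    """

    def __init__(self, evidence: Path, collected_by: str, description: str):
        self.evidence = evidence
        self.original_sha256 = sha256_file(evidence)  # acquisition hash: the reference value
        self.entries: list[dict] = []
        self._record(collected_by, "collected", description)

    def _record(self, custodian: str, action: str, note: str) -> dict:
        observed = sha256_file(self.evidence)  # re-hash at every custody event
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "note": note,
            "sha256": observed,
            "matches_original": observed == self.original_sha256,
        }
        self.entries.append(entry)
        return entry

    def transfer(self, from_custodian: str, to_custodian: str, reason: str) -> bool:
        """Record a hand-off; returns False when the image no longer matches the acquisition hash."""
        entry = self._record(to_custodian, "transfer", f"from {from_custodian}: {reason}")
        return entry["matches_original"]

    def intact(self) -> bool:
        """True only if the evidence still matches and every logged event matched as well."""
        return sha256_file(self.evidence) == self.original_sha256 and all(
            e["matches_original"] for e in self.entries)

    def to_json(self) -> str:
        """Serialize the log so it can be retained alongside the image."""
        return json.dumps({"evidence": str(self.evidence),
                           "original_sha256": self.original_sha256,
                           "entries": self.entries}, indent=2)


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: a clean hand-off, then an unauthorized change caught at the next one."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "workstation-image.dd"          # constructed sample "image"
        image.write_bytes(b"constructed disk image bytes for the example\n" * 1000)
        log = CustodyLog(image, "first responder", "image of affected workstation")
        clean = log.transfer("first responder", "evidence locker", "secure storage")
        image.write_bytes(b"changed outside the process")   # simulate tampering or a bad copy
        tampered = log.transfer("evidence locker", "analyst", "analysis")
        return clean, tampered, log.intact()
```

The first transfer returns True and the second False, and intact() stays False from then on; the JSON log records which custodian first observed the mismatch.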
Threat/Vulnerability Eradication
After an incident, efforts will focus on identifying, removing and repairing the vulnerability that led to the incident and thoroughly cleaning the system. To do this, the vulnerability(s) needs to be clearly identified so the incident isn't repeated. The goal is to prepare for the resumption of normal operations with confidence that the initial problem has been fixed.
[Detail who is responsible for this step and the process that will be used]
Confirm that Threat/Vulnerability has been Eliminated
After the cause of an incident has been removed or eradicated and data or related information is restored, it is critical to confirm all threats and vulnerabilities have been successfully mitigated and that new threats or vulnerabilities have not been introduced.
[Detail who is responsible for this step and the process that will be used]
Resumption of Operations
Resuming operations is a business decision, but it is important to conduct the preceding steps to ensure it is safe to do so.
[Detail who is responsible for this step and the process that will be used]
Post-incident Activities
An after-action analysis will be performed for all incidents. The analysis may consist of one or more meetings and/or reports. The purpose of the analysis is to give participants an opportunity to share and document details about the incident and to facilitate lessons learned. The meetings should be held within one week of closing the incident.
[Detail who is responsible for this step and the process that will be used]
Education and Awareness
The <agency> shall ensure that incident response is addressed in education and awareness programs. The programs shall address:
[Discuss training programs, cycle/schedule, etc. Identify incident response awareness and training elements – topics to be covered, who will be trained, how much training is required.]
[Detail training for designated response resources]
Note to agencies – DAS has developed a suite of web-based user awareness modules. Additional modules are planned and currently Incident Response is targeted for early 2009. They are currently available to all state employees by accessing the state intranet and also are resident on the enterprise Learning Management System.
Communications
Note to agencies – Communication is vital to incident response. Therefore, it is important to control communication surrounding an incident so that communications are appropriate and effective. Agencies should consider the following aspects of incident communication:
□ Define circumstances when employees, customers and partners may or may not be informed of the issue
□ Disclosure of incident information should be limited to a need-to-know basis
□ Establish procedures for controlling communication with the media
□ Establish procedure for communicating securely during an incident
□ Have contact information for the SIRT, vendors contracted to help during a security emergency, as well as relevant technology providers
□ Have contact information for customers and clients in the event they are affected by an incident
Because of the sensitive and confidential nature of information and communication surrounding an incident, all communication must be through secure channels.
[Detail procedures for internal and external communications]
[Detail how to communicate securely, and what is an acceptable method]
[Detail who is responsible for communications and who is not authorized to discuss incidents]
Compliance
The <agency> is responsible for implementing and ensuring compliance with all applicable laws, rules, policies, and regulations.
[Detail agency compliance objectives and initiatives]
[List policies (statewide and agency, see authority section of plan), federal and state regulations, statutes, administrative rules that apply, etc.]
[All agencies are subject to the Identity Theft Prevention Act. Breaches as defined in the Identity Theft Prevention Act are only one type of incident. If your agency is subject to the regulations listed below, for example, you should consider the following: The Payment Card Industry Data Security Standard requires entities to develop an Incident Response Plan, and requires organizations to be prepared to respond immediately to a breach by following a previously developed incident response plan that addresses business recovery and continuity procedures, data backup processes, and communication and contact strategies. HIPAA requires entities to implement policies and procedures to address security incidents, and requires the creation of a security incident response team or another reasonable and appropriate response and reporting mechanism. Agencies subject to HIPAA should have both an incident response plan and an incident response team, as well as a method to classify security incidents.]
Specific to the Identity Theft Prevention Act, agency plans should cover the following: Consider potential communication channels for different circumstances, e.g., your plan may be different for an employee as opposed to a customer data breach.
• [contact] – 503-378-3104
• DAS Office Communication Manager – [phone number]
• State Chief Information Security Officer – [phone number]
• Department of Justice
• Oregon State Police – 503-378-3720 (ask for the Criminal Lieutenant)
• Other agencies that may be affected
• If the security breach affects more than 1,000 consumers, contact all major consumer-reporting agencies that compile and maintain reports on consumers on a nationwide basis; inform them of the timing, distribution and content of the notification given to the consumers.
• Contact the credit monitoring bureaus in advance if directing potential victims to call them:
  – Equifax – 1-800-525-6285
  – Experian – 1-888-397-3742
  – TransUnion – 1-800-680-7289
The <agency> maintains personal information of consumers and will notify customers if personal information has been subject to a security breach in accordance with Oregon Revised Statute 646A.600 - Identity Theft Protection Act. The notification will be done as soon as possible, in one of the following manners:
• Written notification
• Electronic, if this is the customary means of communication between you and your customer, or
• Telephone notice, provided that you can directly contact your customer.
Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. If an investigation into the breach or consultation with a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required.
Substitute notice
If the cost of notifying customers would exceed $250,000, if the number of those who need to be contacted is more than 350,000, or if there are not means to sufficiently contact consumers, substitute notice will be given. Substitute notice consists of:
• Conspicuous posting of the notice or a link to the notice on your Web site if one is maintained, and
• Notification to major statewide Oregon television and newspaper media.
Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, the <agency> will report to all nationwide credit-reporting agencies, without reasonable delay, the timing, distribution, and the content of the notice given to the affected consumers.
[The regulations listed above are provided as examples of compliance requirements and are not intended to be a complete listing.]
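The notification rules summarized above form a small decision procedure: whether notice is required at all, whether it may be delayed, whether substitute notice applies, and whether the credit-reporting agencies must be told. The following Python is an added worked example written for this page, not part of the template; the BreachFacts fields are assumed names for what triage would establish, and the thresholds are the ones stated in this section.

```python
from dataclasses import dataclass, field

# Thresholds from the plan's summary of the Oregon Identity Theft Protection Act above.
SUBSTITUTE_NOTICE_COST_USD = 250_000
SUBSTITUTE_NOTICE_CONSUMERS = 350_000
CREDIT_BUREAU_REPORT_THRESHOLD = 1_000


@dataclass
class BreachFacts:
    """What triage established about the breach (constructed input shape for this example)."""
    affected_consumers: int
    notification_cost_usd: float
    data_encrypted_or_unreadable: bool
    reasonable_likelihood_of_harm: bool
    law_enforcement_says_delay: bool
    sufficient_contact_information: bool


@dataclass
class NotificationDecision:
    notify_consumers: bool = True
    delay_notification: bool = False
    substitute_notice: bool = False
    report_to_credit_bureaus: bool = False
    reasons: list = field(default_factory=list)


def decide_notification(facts: BreachFacts) -> NotificationDecision:
    """Walk the plan's notification rules in order and record why each obligation applies."""
    d = NotificationDecision()
    # Not required: data was encrypted/unreadable, or the investigation found no
    # reasonable likelihood of harm to consumers.
    if facts.data_encrypted_or_unreadable:
        d.notify_consumers = False
        d.reasons.append("personal information was encrypted or made unreadable")
        return d
    if not facts.reasonable_likelihood_of_harm:
        d.notify_consumers = False
        d.reasons.append("no reasonable likelihood of harm to consumers")
        return d
    # May be delayed when law enforcement determines notice would impede an investigation.
    if facts.law_enforcement_says_delay:
        d.delay_notification = True
        d.reasons.append("delayed at law enforcement's determination")
    # Substitute notice (web posting plus statewide media) when direct notice is impractical.
    if facts.notification_cost_usd > SUBSTITUTE_NOTICE_COST_USD:
        d.substitute_notice = True
        d.reasons.append(f"cost exceeds ${SUBSTITUTE_NOTICE_COST_USD:,}")
    elif facts.affected_consumers > SUBSTITUTE_NOTICE_CONSUMERS:
        d.substitute_notice = True
        d.reasons.append(f"more than {SUBSTITUTE_NOTICE_CONSUMERS:,} consumers affected")
    elif not facts.sufficient_contact_information:
        d.substitute_notice = True
        d.reasons.append("insufficient contact information for direct notice")
    # More than 1,000 consumers: report timing, distribution and content of the notice
    # to the nationwide credit-reporting agencies without reasonable delay.
    if facts.affected_consumers > CREDIT_BUREAU_REPORT_THRESHOLD:
        d.report_to_credit_bureaus = True
        d.reasons.append("report notice to nationwide credit-reporting agencies")
    return d


if __name__ == "__main__":
    # Constructed scenario: 12,000 consumers, direct notice affordable, data not encrypted.
    sample = BreachFacts(12_000, 30_000, False, True, False, True)
    print(decide_notification(sample))
```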
Implementation
[Summary of initiatives, plans to develop tactical projects and initiatives to meet plan components, including timelines, performance measures, auditing/monitoring requirements for compliance, etc.]
Approval
[Approval sign-off by agency decision makers, i.e. agency administrator, security officer, CIO, etc.]