Incident Response Plan Template

Published on February 2017

Information Security Incident Response Plan

Agency:            Date:            Contact:

<agency> Information Security Incident Response Plan

<Date>

1

TABLE OF CONTENTS

Introduction ................................ 3
Authority ................................... 4
Terms and Definitions ....................... 4
Roles and Responsibilities .................. 5
Program ..................................... 6
Education and Awareness ..................... 9
Communications .............................. 9
Compliance .................................. 10
Implementation .............................. 11
Approval .................................... 11

Introduction

Note to agencies – The purpose of an information security incident response program is to ensure the effective response and handling of security incidents that affect the availability, integrity, or confidentiality of agency information assets. In addition, an incident response program will ensure information security events, incidents and vulnerabilities associated with information assets and systems are communicated in a manner enabling timely corrective action. This template is intended to be a guide to assist in the development of an agency incident response plan, one component of an incident response program. Agencies may have various capacities and business needs affecting the implementation of these guidelines. This information security incident response plan template was created to align with the statewide Information Security Incident Response Policy 107-004-xxx.

ORS 182.122 requires agencies to develop the capacity to respond to incidents that involve the security of information. Agencies must implement forensic techniques and remedies, and consider lessons learned. The statute also requires reporting incidents and plans to the Enterprise Security Office. The Oregon Consumer Identity Theft Protection Act (ORS 646A.600) requires agencies to take specific actions in cases where compromise of personally identifiable information has occurred. This plan addresses these requirements. The <agency> has developed this Information Security Incident Response Plan to implement its incident-response processes and procedures effectively, and to ensure that <agency> employees understand them. The intent of this document is to:

o describe the process of responding to an incident,
o educate employees, and
o build awareness of security requirements.

An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. The goal is to facilitate quick and efficient response to incidents, and to limit their impact while protecting the state's information assets. The plan defines roles and responsibilities, documents the steps necessary for effectively and efficiently managing an information security incident, and defines channels of communication. The plan also prescribes the education needed to achieve these objectives.


Authority

Statewide information security policies:

Policy Number    Policy Title                                          Effective Date
107-004-050      Information Asset Classification                      1/1/2008
107-004-051      Controlling Portable and Removable Storage Devices    7/20/2007
107-004-052      Information Security                                  7/20/2007
107-004-053      Employee Security                                     7/20/2007
107-004-100      Transporting Information Assets                       1/1/2008
107-004-110      Acceptable Use of State Information Assets            10/16/2007
107-004-xxx      Information Security Incident Response                draft

<agency> information security policies:

Policy Number    Policy Title                                          Effective Date

Terms and Definitions

Note to agencies – Agencies should adjust definitions as necessary to best meet their business environment.

Asset: Anything that has value to the agency

Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature

Incident: A single or a series of unwanted or unexpected information security events (see definition of "information security event") that result in harm, or pose a significant threat of harm to information assets and require non-routine preventative or corrective action.

Incident Response Plan: Written document that states the approach to addressing and managing incidents.

Incident Response Policy: Written document that defines organizational structure for incident response, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents.

Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents.

Incident Response Program: Combination of incident response policy, plan, and procedures.

Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication.

Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information Security Event: An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations.

Threat: A potential cause of an unwanted incident, which may result in harm to a system or the agency

Roles and Responsiilities Note to agencies – These role descriptions come from the statewide information security policies and are presented here their simply as an e&ample. Agencies shouldany ad'ust these descriptions as necessary to best meet business environment and include additional roles that have been identified in the agency that apply such as Security (fficer, rivacy (fficer, etc. Agencies need to ident identify ify roles, respo responsibi nsibiliti lities es and ident identify ify who is resp responsib onsible le for inci incident dent response  preparation and planning, discovery, reporting, response, investigation, recovery, follow$up and  lessons learned. Staffing will be be dependent on agency capabilities. capabilities. The same person may fulfill fulfill one or more of  these roles provided there is sufficient sufficient bac)up coverage. The following are are suggested roles and  respon res ponsib sibil iliti ities es an age agency ncy sho should uld con consid sider* er* in incid cident ent res respons ponse e tea team m mem member bers, s, inc incide ident  nt  commander, and agency point of contact to interface with the State Incident Response Team +reuired by statewide policy-.

A$ency "irector 

Responsi/le for information security in t$e agency% for  reducing ris- e2posure% and for ensuring t$e agency3s acti#ities do not introduce undue ris- to t$e enterprise! &$e director also is responsi/le for ensuring compliance .it$ .it$ state state enter enterpris prise e security security policies% policies% standards% standards% and sec securi urity init nitiat atii#es% es% and and .it$ stat ate e and and fe fede derral regulations!

Incident Response Point of Contact

Responsi/ Respon si/le le for commun communica icatin ting g .i .it$ t$ St State ate Incide Incident nt Response &eam (SIR&,and coordinating agency actions .it$ SIR& in response to an information security incident!

Information O%ner 

Responsi/le for creating initial information classification% appro# app ro#ing ing decisi decisions ons regard regarding ing contro controls ls and access access pri pri#i #ileg leges% es% perfor performin ming g period periodic ic reclas reclassi sific ficati ation% on% and en ensu suri ring ng regu regula larr re#i re#ie. e.s s fo forr #alu #alue e an and d up upda date tes s to manage c$anges to ris-!

&ser 

Re Resp spon onsi si/l /le e fo forr comp coand mply lyin g .i .it$ t$ t$ t$e e pro# pro#is isio ions ns of  policies% procedures p ing practices! ractices!


Pro$ram detail on agency governance structure – identify who is responsible for managing information security secur ity incident incident response for the agenc agency, y, who is responsib responsible le for developing developing policy, policy, who is responsible for developing procedures, who is responsible for awareness, identification of any  govern gov ernin ing g bod bodies ies such such as manage managemen mentt com commi mitte ttees es and wor) wor) groups groups,, etc. etc. Includ Include e what  what  informati infor mation on security security incident incident response capabi capabiliti lities es the agency has or ident identify ify outside outside resource resource and their capabilities. Include how agency will test plan and freuency. Include other related   program areas such as business continuity planning, ris) management, and privacy as they  relate to incident response. / Not Note e to age agenci ncies es –r –roce ocedur dures es may in inc includ lude e Inc Incide ident nt Re Repor porti ting ng r roced ocedure ures s for sta staff, ff, management, information technology, and oint of 0ontact.

&$e Incide Incident nt Res Respon ponse se Progra Program m is compos composed ed of t$i t$is s plan plan in con4un con4unct ction ion .i .it$ t$ policy policy and procedures!! &$e follo.i procedures follo.ing ng documents documents s$ould /e re#ie.ed re#ie.ed for a complete complete understandi understanding ng of t$e program: 1! <agency> Information Information Security Incident R Response% esponse% Policy um/er ???0??% located located in  Appendi2 <insert appendi2 num/er> at t$e t$e end of t$is document! document! ! <agency> Procedure: Information Secur Security ity Incident Response% located in A Appendi2 ppendi2 <insert appendi2 num/er> at t$e end of tt$is $is document! &$e related flo.c$art for t$is procedure is found in Appendi2 Appendi2 <insert appendi2 num/er> at t$e end of t$is document! Information security incidents .ill /e communicated in a manner allo.ing timely correcti#e action to /e ta-en! &$is plan s$o.s $o. t$e <agency> .ill $andle response to an incident% incident communication% incident response plan testing% training for response resources and a.areness training &$e Information Security Incident Response Policy% Plan% Plan% and procedures p rocedures .ill /e re#ie.ed insert  interval here, i.e. annually/ or if significant c$anges occur to ensure t$eir continuing ade"uacy and effecti#eness! 'ac$ .ill $a#e an o.ner .$o $as appro#ed management responsi/ility for its de#elo de# elopme pment% nt% re#ie. re#ie.%% and e#a e#alua luati tion! on! Re#i Re#ie.s e.s .i .illll includ include e assess assessing ing opp opport ortuni unitie ties s for  impro#ement and approac$ to managing information security incident response in regards to integrati integ rating ng lessons lessons learn learned% ed% to c$anges c$anges to <agency3s <agency3s> > en#ironme en#ironment% nt% ne. t$reats and risris-s% s% /usiness circumstances% legal and policy implications% and tec$nical en#ironment! 
Identification Identification of an incident is t$e process of analying an e#ent and determining if t$at e#ent is normal or if it is an incident! An incident is an ad#erse e#ent and it usually implies eit$er $arm% or  t$e attempt to $arm t$e < agency>! '#ents occur routinely and .ill /e e2amined for impact! &$ose s$o.ing eit$er $arm or intent to $arm may /e escalated to an incident! detail who is responsible for this step and the process that will be used/

The term "incident" refers to an adverse event impacting one or more of <agency>'s information assets or to the threat of such an event. Examples include but are not limited to the following:

• Unauthorized use
• Denial of Service
• Malicious code
• Network system failures (widespread)
• Application system failures (widespread)
• Unauthorized disclosure or loss of information
• Information Security Breach
• Other

Incidents can result from any of the following:

• Intentional and unintentional acts
• Actions of state employees
• Actions of vendors or constituents
• Actions of third parties
• External or internal acts
• Credit card fraud
• Potential violations of Statewide or <agency>'s Policies
• Natural disasters and power failures
• Acts related to violence, warfare or terrorism
• Serious wrongdoing
• Other

Incident Classification

Once an event is determined to be an incident, several methods exist for classifying incidents. [detail who is responsible for this step and the process that will be used]

The following factors are considered when evaluating incidents:

• Criticality of systems that are (or could be) made unavailable
• Value of the information compromised (if any)
• Number of people or functions impacted
• Business considerations
• Public relations
• Enterprise impact
• Multi-agency scope

Triage

The objective of the triage process is to gather information, assess the nature of an incident and begin making decisions about how to respond to it. It is critical to ensure that when an incident is discovered and assessed the situation does not become more severe. [detail who is responsible for this step and the process that will be used]

• What type of incident has occurred
• Who is involved
• What is the scope
• What is the urgency
• What is the impact thus far
• What is the projected impact
• What can be done to contain the incident
• Are there other vulnerable or affected systems
• What are the effects of the incident
• What actions have been taken
• Recommendations for proceeding
• May perform analysis to identify the root cause of the incident

Evidence Preservation

Carefully balancing the need to restore operations against the need to preserve evidence is a critical part of incident response. Gathering evidence and preserving it are essential for proper identification of an incident, and for business recovery. Follow-up activities, such as personnel actions or criminal prosecution, also rely on gathering and preserving evidence. [detail who is responsible for this step and the process that will be used]

Forensics

Note to agencies – in cases involving potential exposure of personally identifiable information it is recommended that technical analysis be performed.

In information security incidents involving computers, when necessary <agency> will technically analyze computing devices to identify the cause of an incident or to analyze and preserve evidence. <agency> will practice the following general forensic guidelines:

o Keep good records of observations and actions taken.
o Make forensically sound images of systems and retain them in a secure place.
o Establish chain of custody for evidence.
o Provide basic forensic training to incident response staff, especially in preservation of evidence.

[detail who is responsible for this step and the process that will be used]
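The image-integrity and chain-of-custody guidelines above are the ones an incident response team most often has to make concrete. The following is an added example written for this page; it is not part of the template or of any state procedure. It hashes an acquired image at intake, keeps a custody log in which every entry commits to the hash of the entry before it (so a later edit or deletion of an entry is detectable), and shows both checks failing after tampering. The use of SHA-256, the entry fields, the item identifier and the sample file are all assumptions made for the example.

```python
"""Evidence intake with integrity hashing and a hash-chained chain-of-custody log.

Added example for this page; not part of the template or of any state procedure.
Assumptions (not from the plan): an evidence item is a file such as a disk image,
integrity is tracked with SHA-256, and each custody entry commits to the hash of
the entry before it so that a later edit or deletion is detectable.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601
    action: str      # "acquired", "transferred", "verified", ...
    custodian: str   # person holding the item after this action
    note: str
    prev_hash: str   # entry_hash of the previous entry; "" for the first entry
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except entry_hash itself, using a canonical encoding."""
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_path: str
    image_sha256: str
    log: list = field(default_factory=list)

    def record(self, action: str, custodian: str, note: str = "") -> CustodyEntry:
        """Append a custody entry linked to the previous one."""
        prev = self.log[-1].entry_hash if self.log else ""
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(), action, custodian, note, prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def verify_log(self) -> bool:
        """True only if every entry's hash is intact and links to its predecessor."""
        prev = ""
        for entry in self.log:
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def verify_image(self, path: str = "") -> bool:
        """Re-hash the stored image (or a copy of it) against the hash taken at acquisition."""
        return sha256_file(path or self.source_path) == self.image_sha256


def acquire(item_id: str, description: str, path: str, custodian: str) -> EvidenceItem:
    """Take an item into custody: hash it and open its log with an 'acquired' entry."""
    item = EvidenceItem(item_id, description, path, sha256_file(path))
    item.record("acquired", custodian, f"sha256={item.image_sha256}")
    return item


def demo() -> dict:
    """Walk-through on a constructed sample file standing in for a disk image."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "workstation-42.dd")  # constructed sample, not a real image
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image bytes")
        item = acquire("EV-0001", "disk image of workstation-42 (constructed)", path, "analyst A")
        item.record("transferred", "analyst B", "sealed in evidence locker 3")
        results["entries"] = len(item.log)
        results["log_ok"] = item.verify_log()
        results["image_ok"] = item.verify_image()
        # Changing a single byte of the image breaks the acquisition hash.
        with open(path, "r+b") as f:
            f.write(b"\x01")
        results["image_ok_after_tamper"] = item.verify_image()
        # Editing an old log entry breaks the hash chain from that entry onward.
        item.log[0].note = "edited after the fact"
        results["log_ok_after_edit"] = item.verify_log()
    return results


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is written into the first log entry, so the image hash and the custody record are bound together: an analyst who receives the item can re-run verify_image and verify_log and has to trust neither the handover note nor the file name. In practice the log would be written to append-only storage and the hash also recorded on the physical evidence form, which this example does not model.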

&$reat7ulnera/ility &$reat7u lnera/ility 'radication  After an incident% efforts .ill focus on identifying% remo#ing and repairing t$e #ulnera/ility t$at led to t$e incident and t$oroug$ly clean t$e system! &o do t$is% t$e #ulnera/ility(s, needs to /e clearly identified so t$e incident isnGt repeated! &$e goal is to prepare for t$e resumption of normal operations .it$ confidence t$at t$e initial pro/lem $as /een / een fi2ed! detail who is responsible for this step and the process that will be used/ <agency> Information Security Incident Response Plan

<Date>

8

 

Confirm t$at &$reat7ulnera/ility &$reat7ulnera/ility $as /een 'liminated  After t$e cause of an incident $as /een remo#ed or eradicated and data or related information is restored% it is critical to confirm all t$reats and #ulnera/ilities $a#e /een successfully mitigated and t$at ne. t$reats or #ulnera/ilities $a#e not /een introduced! detail who is responsible for this step and the process that will be used/

Resumption of Operations Resuming operations is a /usiness decision% /ut it is important to conduct t$e preceding steps to ensure it is safe to do so! detail who is responsible for this step and the process that will be used/

Post0incident Acti#ities Acti#ities  An after0action analysis .ill /e /e performed for all all incidents! & &$e $e analysis may consist consist of one or more meetings and7or reports! &$e purpose of t$e analysis is to gi#e participants an opportunity to s$are and document details a/out t$e incident and to facilitate lessons learned! &$e meetings s$ould /e $eld .it$in one .ee- of closing t$e incident! detail who is responsible for this step and the process that will be used/

Education and Awareness

<agency> shall ensure that incident response is addressed in education and awareness programs. The programs shall address: [Discuss training programs, cycle/schedule, etc. Identify incident response awareness and training elements – topics to be covered, who will be trained, how much training is required.]

[detail training for designated response resources]

Note to agencies – DAS has developed a suite of web-based user awareness modules. Additional modules are planned and currently Incident Response is targeted for early 2009. They are currently available to all state employees by accessing the state intranet and also are resident on the enterprise Learning Management System.

Communications

Note to agencies – Communication is vital to incident response. Therefore, it is important to control communication surrounding an incident so that communication is appropriate and effective. Agencies should consider the following aspects of incident communication:

□ Define circumstances when employees, customers and partners may or may not be informed of the issue
□ Disclosure of incident information should be limited to a need-to-know basis
□ Establish procedures for controlling communication with the media
□ Establish procedures for communicating securely during an incident
□ Have contact information for the SIRT, vendors contracted to help during a security emergency, as well as relevant technology providers
□ Have contact information for customers and clients in the event they are affected by an incident

Because of the sensitive and confidential nature of information and communication surrounding an incident, all communication must be through secure channels. [detail procedures for internal and external communications] [detail how to communicate securely, and what is an acceptable method] [detail who is responsible for communications and who is not authorized to discuss incidents]

Compliance

<agency> is responsible for implementing and ensuring compliance with all applicable laws, rules, policies, and regulations. [detail agency compliance objectives and initiatives] [list policies (statewide and agency, see authority section of plan), federal and state regulations, statutes, administrative rules that apply, etc.]

All agencies are subject to the Identity Theft Prevention Act. Breaches as defined in the Identity Theft Prevention Act are only one type of incident. If your agency is subject to the regulations listed below, for example, you should consider the following:

The Payment Card Industry Data Security Standards require entities to develop an Incident Response Plan, and require organizations to be prepared to respond immediately to a breach by following a previously developed incident response plan that addresses business recovery and continuity procedures, data backup processes, and communication and contact strategies.

HIPAA requires entities to implement policies and procedures to address security incidents, and requires the creation of a security incident response team or another reasonable and appropriate response and reporting mechanism. Agencies subject to HIPAA should have both an incident response plan and an incident response team, as well as a method to classify security incidents.

Specific to the Identity Theft Prevention Act, agency plans should cover the following:

Consider potential communication channels for different circumstances, e.g., your plan may be different for an employee as opposed to a customer data breach.

• Your human resources office
• Agency Public Information Officer (PIO)
• DAS Director's Office – 503-378-3104
• DAS Office Communication Manager – 503-378-227? (one digit unreadable in the source)
• State Chief Information Security Officer – 503-378-557? (one digit unreadable in the source)
• Department of Justice
• Oregon State Police – 503-378-3720 (ask for the Criminal Lieutenant)
• Other agencies that may be affected
• If a security breach affects more than 1,000 consumers, contact all major consumer-reporting agencies that compile and maintain reports on consumers on a nationwide basis; inform them of the timing, distribution and content of the notification given to the consumers.
• Contact the credit monitoring bureaus in advance if directing potential victims to call them
  o Equifax – 1-800-525-6285
  o Experian – 1-888-397-3742
  o TransUnion – 1-800-680-7289

<agency> maintains personal information of consumers and will notify customers if personal information has been subject to a security breach in accordance with Oregon Revised Statute 646A.600 - Identity Theft Protection Act. The notification will be done as soon as possible, in one of the following manners:

• Written notification
• Electronic notification, if this is the customary means of communication between you and your customer
• Telephone notice, provided that you can directly contact your customer.

Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. If an investigation into the breach or consultation with a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required.

Substitute notice

If the cost of notifying customers would exceed $250,000, if the number of those who need to be contacted is more than 350,000, or if there isn't a means to sufficiently contact consumers, substitute notice will be given. Substitute notice consists of:

• Conspicuous posting of the notice or a link to the notice on your Web site if one is maintained, and
• Notification to major statewide Oregon television and newspaper media.

Notifying credit-reporting agencies

If the security breach affects more than 1,000 consumers, <agency> will report to all nationwide credit-reporting agencies, without unreasonable delay, the timing, distribution, and the content of the notice given to the affected consumers. [The regulations listed above are provided as examples of compliance requirements and are not intended to be a complete listing.]

Implementation

[summary of initiatives, plans to develop tactical projects and initiatives to meet plan components, including timelines, performance measures, auditing/monitoring requirements for compliance, etc.]

Approval

[approval sign-off by agency decision makers, i.e. agency administrator, security officer, CIO, etc.]

By: Name, title                                   Date

By: Name, title                                   Date
