Incident Response Protocol sample

Published on February 2017 | Categories: Documents | Downloads: 91 | Comments: 0 | Views: 788

 

Information Security

Information Security Incident Response Protocol  March 2006

 

Information Security Incident Response Protocol

I. The Information Security Incident Response Protocol

The purpose of the Information Security Incident Response Protocol is to establish procedures in accordance with applicable legal and regulatory requirements and University policy to address instances of unauthorized access to or disclosure of University Information, to be known as an Incident. In addition to all the defenses that have been mounted in protection of the infrastructure and the information processed within, conventional wisdom recommends a high level of preparedness for a security incident. This protocol describes the response to such events, the conditions whereby this process is invoked, the resources required, and the course of recommended action. Central to this process is the Incident Response Team (IRT), assembled with the purpose of addressing that particular circumstance where there is credible evidence of an incident. See "Process Flow - Appendix A" for a graphical representation of the information flow and decision process.

The primary emphasis of activities described within this protocol is the return to a normalized (secure) state as quickly as possible, while minimizing the adverse impact to the University. The capture and preservation of incident-relevant data (e.g., network flows, data on drives, access logs, etc.) is performed primarily for the purpose of problem determination and resolution, and methods currently employed are suitable for that purpose. It is understood and accepted that strict forensic measures are not used in the data capture and retention.

This document may reference other documentation, policies and procedures that support this protocol but are not contained within the document, e.g., policy that defines sensitive data, scripts to be followed by the IT Help Desk (HelpDesk) and IT Network Operations Center (NOC) personnel, or documented CIRT (Computer Incident Response Team) procedures. Where this occurs, instructions to obtain these materials will be specified.

Circumstances may dictate the activation of other operational teams and execution of other protocols. The IRT must monitor and coordinate all activities occurring under other operational teams and protocols, and communicate to all interested parties in a timely manner to ensure accurate assessments and avoid efforts that may be duplicated or at cross-purposes.

II. Definitions

A. Information Security Incident

An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorized release of information deemed sensitive by the University or subject to regulation or legislation, beyond the University's sphere of control.

INFORMATION SECURITY RESPONSE PROTOCOL - PAGE 2 OF 24

Examples of an Information Security Incident may include but are not limited to:
o the theft or physical loss of computer equipment known to hold files containing SSNs
o an unencrypted list of alumni contributors emailed to an unauthorized recipient
o a server known to hold sensitive data is accessed or otherwise compromised by an unauthorized party
o printed copies of student loan applications are discovered in a publicly accessible dumpster
o an outside entity is subjected to a DDoS (Distributed Denial of Service) attack originating from within the University network
o a firewall is accessed by an unauthorized entity
o a network outage is attributed to the activities of an unauthorized entity

Categories

For the purposes of this protocol, incidents are categorized as "Unauthorized Access" or "Unauthorized Acquisition", and can be recognized by associated characteristics.

Unauthorized Access

The unauthorized access to or disclosure of University information through network and/or computing related infrastructure, or misuse of such infrastructure, to include access to related components (e.g., network, server, workstation, router, firewall, system, application, data, etc.)

Characteristics of security incidents where unauthorized access might have occurred may include but are not limited to:
o Evidence (e-mail, system log) of disclosure of sensitive data
o Anomalous traffic to or from the suspected target
o System alerts (NUSA)
o Unexpected changes in resource usage
o Increased response time
o System slowdown or failure
o Changes in default or user-defined settings
o Unexplained or unexpected use of system resources
o Unusual activities appearing in system or audit logs
o Changes to or appearance of new system files
o New folders, files, programs or executables
o UserID lock out
o Appliance or equipment failure
o Unexpected enabling or activation of services or ports
o Protective mechanisms disabled (firewall, anti-virus)

Unauthorized Acquisition

The unauthorized physical access to, disclosure or acquisition of assets containing or providing access to University information (e.g., removable drives or media, hardcopy, wiring closets, file or document storage, appliance hardware, etc.)

Characteristics of security incidents where unauthorized acquisition might have occurred may include but are not limited to:
o Theft of computer equipment where sensitive data is stored
o Loss of storage media (removable drive, CD-Rom, DVD, flash drive, magnetic tape)
o Printed materials containing University sensitive data mishandled or left unsecured
o Illegal entry (burglary)
o Office equipment in disarray or out of place
o Suspicious or foreign hardware is connected to the network
o Normally-secured storage areas found unsecured
o Broken or non-functioning locking mechanisms
o Presence of unauthorized personnel in secured areas
o Disabled security cameras or devices

Severity

Incidents are further delineated by the actual and potential impact on the business of the University. For additional information on severity assignments and associated symptoms, see "Incident Severity, Appendix D". The primary focus of this protocol is the handling of Severity 1 Incidents.

B. Information Security Incident Response Team

The Information Security Incident Response Team (IRT) is comprised of individuals with decision-making authority from within the University and charged by the Administration with the responsibility of assisting in the process described within this document.

C. University Information

University Information is any information maintained by or on behalf of the University that is used in the conduct of University business regardless of the manner in which such information is maintained or transmitted. University Information formats include, but are not limited to, oral or written words, screen display, electronic transmission, stored media, printed material, facsimile or any other medium.

D. Sensitive Data

Sensitive Data is:
o any University Information declared to be Confidential or Restricted by University policy, and
o any personally identifiable information as determined or governed by law or regulation or University policy requiring protection from disclosure.

Examples include but are not limited to:
o NetID and Password
o Name in combination with SSN
o Credit or Debit Card Number and Access Code (e.g., PIN or Password)
o Personal medical records
o Unpublished results of protected research or proprietary data (e.g., formulas or patents)
o Financial investment strategies
o "Anonymous Donor" records

E. University Client (Client)

A University Client (Client) is:
o any faculty, student, staff or alumni affiliated with the University, or
o any department or school of the University, or
o any employee (permanent, temporary and contract personnel)

F. 3rd Party

A 3rd Party is:
o any entity having a relationship with the University not described as a Client (e.g., business partner, research subject, vendor), or
o any external entity initiating contact with the University (e.g., RIAA, target of DDoS attack, student applicant, member of the general public).

III. Information Security Incident Response Team (IRT)

A. Incident Response Team Composition

The IRT consists of a Primary Team and a Secondary Team, if deemed necessary. Each member of the Primary Team will designate an Alternate to participate if the Primary Member is unavailable. See "Primary and Alternate Contact List - Appendix B" for a listing of individual members. The Primary Team will consist of representatives from the following areas:

A1. Primary Team (Required)
1. Information and System Security/Compliance (ISS/C) - Team Lead
2. Computing Services (CS)
3. Technology Support Services (TSS)
4. Telecommunications and Network Services (TNS)
5. Management Systems
6. Auditing Department
7. Office of General Counsel
8. University Police
9. University Relations
10. Disaster Recovery/Business Continuity Planning

A2. Secondary Team (as needed)

The circumstances surrounding each incident may differ and require personnel with expertise or skills beyond that of the Primary Team. Members of the Primary Team will determine what, if any, additional resources are required, and a Secondary Team may be established with:
o Individuals with decision-making authority identified to have a vested interest in the resolution of the incident.
o Individuals identified as subject matter experts or having skills required for resolution of the incident.

Information Security Coordinators representing an affected Client or 3rd Party, or known to have an established relationship with an affected Client or 3rd Party, may be requested to serve on the Secondary Team.

B. Team Objectives

Led by the University's Information and Systems Security/Compliance office, the IRT's objective is to:
1. Coordinate and oversee the response to Incidents in accordance with the requirements of state and federal laws and University policy;
2. Minimize the potential negative impact to the University, Client and 3rd Party as a result of such Incidents;
3. Where appropriate, inform the affected Client and 3rd Party of action that is recommended or required on their behalf;
4. Restore services to a normalized and secure state of operation;
5. Provide clear and timely communication to all interested parties.

C. Responsibilities

To ensure an appropriate and timely execution of this protocol, the IRT Lead (or designated IRT Member) is required to:
1. Confirm the occurrence of an Incident requiring the execution of this protocol. Confirmation activities include but are not limited to:
o direct conversation with Client, 3rd Party, HelpDesk, NOC personnel, "on call" engineer, IRT members or others having information about the event
o review of system logs or audit records
o examination or analysis of anomalies or untoward events
o collection of any evidence supportive of the event
2. Supervise and direct the consistent, timely, and appropriate response to an Incident.
3. Provide appropriate communication to parties having a vested interest in the incident.
4. Offer support to the Client or 3rd Party as appropriate until the Incident is resolved.
5. Conduct a post-Incident review.
6. Maintain the procedures contained in this document.

D. Accountability

Individual IRT members are accountable to the Team and University Administration for the timely and effective execution of this protocol and associated activities.

E. Reporting a Security Incident

Anyone with knowledge or a reasonable suspicion of an incident is instructed to make an immediate report to any of the following:
o The IT Network Operations Center
o The IT Help Desk
o The e-mail address security@university.edu

Note: These e-mail addresses may be used but are less effective than the direct notification of the Help Desk or NOC via voice communication or voicemail.

HelpDesk and NOC personnel use scripts (e.g., lists of predetermined questions) to assist in problem determination and resolution. These scripts assist support personnel to identify those events that may be classified as an Information Security Incident. Additional information may be found in "Guidelines for HelpDesk and NOC Personnel - Appendix H".

Anyone receiving notification of an Incident must contact the NOC immediately. NOC personnel will contact the Telecommunications and Network Services "on call engineer" in the likelihood of an incident. The engineer will follow the TNS-defined escalation procedures and immediately contact the IRT Lead when an Incident has or appears to have occurred.

F. Activation of Team

Once the IRT Lead has determined an Incident has occurred, the IRT Lead will activate this protocol within 24 hours after Incident determination. Notification of the Primary Team member or Alternate should occur via a direct communication by telephone or face-to-face contact. Voice-mail and e-mail are not considered direct notification. Respective Primary and Alternate Team members should exchange information frequently to ensure their knowledge of the incident is current. Consult the "Notification Tree - Appendix C" for details and notification assignments.

IV. Key Components of Response Protocol

The Incident Response Protocol consists of five key components: Assessment, Notification/Communication, Containment, Corrective Measures and Closure.

A. Assessment

The IRT Lead will determine the category and severity of the Incident and undertake discussions and activities to best determine the next course of action, i.e., decide if protocol execution is required. The "Assessment Checklist - Appendix E" is used in the initial assessment process conducted by the IRT Lead. Once the IRT is assembled, the Assessment Checklist is executed and reviewed to ensure all pertinent facts are established. All discussions, decisions and activities are to be documented.

B. Notification/Communication

Designated persons will take action to notify the appropriate internal and external parties, as necessary.

B1. Internal Notification (within the University)

All Internal Notification and communication must be approved by the Primary IRT.
1. Primary Team members notify Alternate Team members (and vice-versa). The IRT will notify members of the Secondary Team (if assembled).
2. IRT Lead will notify University Administration, IT Directors and the Information Security Coordinators of the Incident and provide ongoing status.
3. IRT Lead will issue or direct all "sensitive" internal communications.
4. IT-Technology Support Services will issue all public internal communication.

B2. External Notification (outside the University)

All External Notification and communication must be approved by the Office of General Counsel.
1. 3rd Party - IRT Lead (or designated representative) and the Office of General Counsel will establish communication with any 3rd Party, as appropriate for the circumstance.
2. Law Enforcement - University Police notifies local, state, and/or federal law enforcement agencies as appropriate.
3. Regulators - Office of General Counsel notifies the appropriate regulatory agencies.
4. IRT members will assist in determining if other parties should be notified (e.g., Dell's Stolen Computer Division).
5. News outlets - IT-Technology Support Services and University Relations will determine if, how and when news outlets should be notified, and respond to all inquiries from news outlets.
6. School and Research administration determine if government notification (e.g., DOD, FDA) is required and take appropriate action.
7. Other affected parties - The IRT will determine if there are other parties of interest, with communications issued accordingly.

B3. Client Notification
1. Client should be informed that the Incident has been reported, recorded and an investigation is underway.
2. Client shall be kept abreast of the status of the Incident investigation in a timely manner.
3. Client shall be notified of results, closure of investigation, and recommendations.

B4. Status
1. IRT Lead and IT-Technical Support Services assume responsibility for preparing and issuing timely communication to IRT members, Administration and other interested parties.
2. Communications may include meetings, video conferencing, teleconferencing, e-mail, telephone/messaging, voice recordings or other means as deemed appropriate.
3. Frequency and timeliness of communications will be established and revised throughout the life of the incident.

C. Containment

The IRT will determine and cause to be executed the appropriate activities and processes required to quickly contain and minimize the immediate impact to the University, Client and 3rd Party. Recommended activities addressing Unauthorized Access and Unauthorized Acquisition are described in "Incident Containment Activities - Appendix F". Containment activities are designed with the primary objectives of:
o Counteract the immediate threat
o Prevent propagation or expansion of the incident
o Minimize actual and potential damage
o Restrict knowledge of the incident to authorized personnel
o Preserve information relevant to the incident

D. Corrective Measures

The IRT will determine and cause to be executed the appropriate activities and processes required to quickly restore the circumstances to the normalized (secure) state. Recommended activities addressing Unauthorized Access and Unauthorized Acquisition are described in "Corrective Measures - Appendix G". Corrective measures are designed with the primary objectives of:
o Secure the processing environment
o Restore the processing environment to its normalized state

E. Closure

The IRT will stay actively engaged throughout the life of the Incident to assess the progress/status of all containment and corrective measures and determine at what point the incident can be considered resolved. Recommendations for improvements to processes, policies, procedures, etc. will exist beyond the activities required for incident resolution and should not delay closing the Incident.

V. Required Documentation of Incident & IRT Meetings

All Incident activities, from receipt of the initial report through Post-Incident Review, are to be documented. The IRT Lead is responsible for ensuring all events are recorded, assembling these records in preparation for and performance of the post-incident review, and ensuring all records are preserved for review. IRT members may be employed in these efforts.

1. General overview of the Incident
Summary of the Incident providing a general description of events, approximate timelines, parties involved, resolution of the incident, external notifications required, and recommendations for prevention and remediation.

2. Detailed review of the Incident
Description of Incident events, indicating specific timelines, personnel involved, hours spent on various activities, impact to Client, 3rd Party and user communities (e.g., system not available, business continuity issues), ensuing discussions, decisions and assignments made, problems encountered, successful and unsuccessful activities, notifications required or recommended, steps taken for containment and remediation, recommendations for prevention and remediation (short-term and long-term), identification of policy and procedure gaps, results of post-incident review.

3. Retention
All relevant documentation will be retained by the IRT Lead for archival in a central repository. Access to the documentation and repository is typically restricted to IRT membership and University Administration.

8I. PostIncident Review  ( incident0related incident0 related activities activities is a are required require d element of oparticipants! f this protocol! protocol! (ll members members of review the IRTofprimary and secondary teams recommended   ?! is isc cussio ssion n The IRT 6ead will host a Post0Incident Review after each Incident has been resolvedF this discussion should be scheduled within 80< wees of the Incident2s remediation! The review is an e)amination of the Incident and all related activities and events! (ll activities performed relevant to the Incident should be reviewed w with ith an eye towards improving the over0all incident response process! 8! Reco Recomm mmen enda dati tion ons s The IRT2s recommendations on changes to policy, process, safeguards, etc! are both an input to and by0product of this review! %&i) the problem, not the blame* is the focus of this activity! activity! (ll discussion, recommendations and assignments are to be documented for distribution to the IRT and (dministration, and follow0up by IRT 6ead! <! &ollow llow0u 0up p The IRT 6ead will follow0up with the "lient and < rd Party or other parties, as required and appropriate!

I-&.R3(TI.- S4"URIT5 R4SP.-S4 PR.T.".6 

P(74 ?E .& 89

 

Information Security Incident Response Protocol

8II. )ppendices  ( ' Process Process &low > ' Primary and (lternate "ontact 6ist " ' -otification Tree  ' Incident Severity 4 ' Incident (ssessment "heclist & ' Incident "ontainment (ctivities 7 ' "orrective 3easures + ' 7uidelines for +elp es and -." Personnel

Appendix A - Process Flow (diagram)

 

Appendix B - Primary and Alternate Contact List

Department or Function | Primary Contact | Alternate Contact
1. Information and Systems Security/Compliance | |
2. Computing Services | |
3. Technology Support Services | |
4. Telecommunications and Network Services | |
5. Management Services | |
6. Auditing Department | |
7. Office of General Counsel | |
8. University Police | |
9. University Relations | |
10. Disaster Recovery & Business Continuity Planning | |

 

Appendix C - Notification Tree (diagram)

 

Appendix D - Incident Severity

Severity 1 - Symptoms:
A. Network or system outage with significant impact to the user population or operation of the University.
B. High probability of propagation.
C. Probable or actual release or compromise of sensitive data (financial records, personal data, passwords, etc.).
D. Requires immediate remedial action to prevent further compromise of data and adverse impact to network or other entities.
E. Notification of entities outside of the University is required.

Severity 2 - Symptoms:
A. Some adverse impact to the operation of the University.
B. Adverse effects are localized or contained, or minimal risk of propagation.
C. No apparent release or compromise of sensitive data.
D. Remedial but not immediate action is required.
E. Notification of entities within the University is required.

Severity 3 - Symptoms:
A. Minimal impact to a small segment of the user population or operation of the University.
B. Completely localized, with few individuals affected, and presenting little or no risk to other entities.
C. No loss or compromise of sensitive data.
D. Remedial action is required.
E. Individual notification is required.

 

Information Security Incident Response Protocol Incident )ssessment +hec$list

)ppendi; ,

The activities described in this checlist are designed to assist in the initial assessment process performed and;or conducted by the IRT 6ead! "ompletion of this checlist is essential for any incident that calls for the e)ecution of  the (ssessment Information Security Incident Response Protocol! to.nce theall IRT is assembled, the "heclist is reviewed for completion ensure pertinent facts are established! ). (escription of of Incident  ata relevant to the Incident should be collected for use in the process of Incident determination!  (?! Record the current current date and time!  (8! Provide a brief descriptio description n of the Incident! Incident!    (<! /ho discovered discovered the the IncidentH IncidentH Provide name and and contact contact information! information!  (9! Indicate when the the incident incident occurred occurred and when it was discovered! discovered!  (@! +ow was was the Incident Incident discovered discoveredH H  (A! escribe the evidence evidence that that substantiates substantiates or or corroborates corroborates the the Incident Incident #e!g!, eye0witness, time0stamped logs, screenshots, video footage, hardcopy, etc!$!  (B! Identify all nown nown parties with nowledge nowledge of the the Incident Incident as of current date and time!  (C! +ave all all parties with nowledge nowledge of the Incident Incident been been informed informed to treat treat information about the Incident as %sensitive or confidential*H *. Types Types of Information% Systems and Media  Provide information on the nature of the data that is relevant to the Incident! >?! Provide details on the nature of the data #e!g!, #e!g!, student information, research data, credit card information, SS-s, etc!$! >8! oes the information #if compromised$ constitute a violation of regulatory requirements #e!g!, &4RP(, +IP((, +IP((, PIP (ct$ or University policyH escribe what is nown!  ><! 
/as the compromised information maintained by a University "lient or a < rd  PartyH Provide details!

IT 0 I-&.R3(TI.- S4"URIT5 R4SP.-S4 PR.T.".6 

P(74 ?A .& 89

 

Information Security Incident Response Protocol >9! +ow was the information heldH Identify the the types of information systems and;or  the media on which the information was stored #e!g!, hardcopy, laptop, "0Rom, etc!$! >@! If the information was held electronically, was the data encrypted or otherwise disguised or protected #e!g!, redacted, partial strings, password required, etc!$H If so, describe measures taen! >A! If a "lient held the information: 0 4stablish the "lient point of contact! 0 (ssign responsibility to IRT member to contact the "lient! >B! If a <rd Party held the information: 0 Identify the individual within the University who best represents the < rd Party! If there is no suitable University contact, an IRT member will be assigned responsibility for directly contacting the <rd Party! 0 (ssign responsibility to IRT member to contact that individual! 0 IRT member will wor with the University contact or < rd Party to obtain a copy of any contract or confidentiality agreement and ascertain what nowledge of the Incident the <rd Party might have and what action if any has been taen!   >C! /ho currently holds evidence of the IncidentH Provide name and contact information! >D! /hat steps are required or being taen to preserve ev evidence idence of the IncidentH escribe! +. Ris$:,;posure  (ttempt to to determine determine to what what e)tent ris and;or and;or e)posure e)posure is presented by this Incident! "?! "an we reasonably determine the ris or e)posureH   "8! To what what degree are we certain that the data has or has not been releasedH "<! o we have contact with someone who has %firsthand* nowledge of the circumstance #e!g!, the owner of a stolen laptop$H Provide name and contact information!   "9! /hat firsthand nowledge have have we determinedH escribe what is nown!   "@! "an we identify and do we have contact with the party that received the data or  caused the compromiseH escribe what is nown!  


C6. Identify the impacted parties, if possible. Are they University Clients or 3rd Parties? Provide estimated number, if known.
C7. What is the risk or exposure to the University? Describe.
C8. What is the risk or exposure to the Client? Describe.
C9. What is the risk or exposure to the 3rd Party? Describe.
C10. Can we determine to what extent news outlets may know of this Incident? Describe.

D. Next Steps
Determine what information or action is required to better assess or address this Incident.
1. Do we have enough information to establish the category and severity of the Incident?
- If "yes", declare the Incident category and severity.
- If "no", describe what else might be required.
2. If additional data collection is required, assign responsibility to an IRT member for collection and reporting to the IRT.
3. Is there any deadline or reporting requirement (self-imposed or regulatory) we need to address? Provide details.
4. Based on current knowledge, do we require resources of the Secondary Team? If so, determine the makeup and assign responsibility for contact to IRT members.
5. What communications need to be established? Provide details.
6. Are there any immediate issues that have not been addressed? Describe.
7. Recap all work and responsibility assignments.
8. When do we meet again to follow up? Provide details.


Incident Containment Activities

Appendix F

The IRT will determine and execute the appropriate activities and processes required to quickly contain and minimize the immediate impact to the University, Client and 3rd Party. Containment activities are designed with the primary objectives of:
o Counteract the immediate threat
o Prevent propagation or expansion of the incident
o Minimize actual and potential damage
o Restrict knowledge of the incident to authorized personnel
o Preserve information relevant to the incident

A. Containment Activities - Unauthorized Access
Activities that may be required to contain the threat presented to systems where unauthorized access may have occurred.
A1. Disconnect the system or appliance from the network or from access to other systems.
A2. Isolate the affected IP address from the network.
A3. Power off the appliance(s), if unable to otherwise isolate. Note that powering off discards volatile state (memory contents, active network connections, running processes), so perform the capture in A8 first where feasible.
A4. Disable the affected application(s).
A5. Discontinue or disable remote access.
A6. Stop services or close ports that are contributing to the incident.
A7. Remove drives or media known or suspected to be compromised.
A8. Where possible, capture and preserve system, appliance and application logs, network flows, drives and removable media for review.
A9. Notify the IR Team of status and any action taken.

B. Containment Activities - Unauthorized Acquisition
Activities that may be required to contain the threat presented to assets where unauthorized acquisition may have occurred.


B1. Identify missing or compromised assets.
B2. Gather, remove, recover and secure sensitive materials to prevent further loss or access.
B3. Power down, recycle or remove equipment known to be compromised.
B4. Where possible, secure the premises for possible analysis by local management and law enforcement.
B5. Gather and secure any evidence of illegal entry for review by local management and law enforcement.
B6. Where possible, record the identities of all parties who were possible witnesses to events.
B7. Preserve Marlock, camera logs and sign-in logs for review by local management and law enforcement.
B8. Notify the IR Team of the disposition of assets and any action taken.
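Steps A8 and B5/B7 above (and question B9 in the assessment list) call for capturing logs, flows and media "for review". What makes such a capture usable later, including by law enforcement, is a record of what was taken, by whom and when, together with a hash that shows the copy is unchanged. The following Python script is an added example of that record-keeping; it is not part of the original protocol or of any University tooling, and the incident identifier, host name, user name, addresses and log lines in it are constructed for the demonstration.

```python
"""Evidence bundle helper for the containment steps above (added example).

preserve(): copy each captured artifact (log file, flow export, image) into a
bundle directory, keep its timestamps, make the copy read-only and write a
manifest.json with the SHA-256 of every item, who collected it and when.
verify(): re-hash the bundle and report anything missing or modified.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, bundle_dir, collector, incident_id):
    """Copy sources into bundle_dir and write manifest.json; returns the manifest."""
    bundle = Path(bundle_dir)
    bundle.mkdir(parents=True, exist_ok=True)
    items = []
    for index, src in enumerate(Path(s) for s in sources):
        original_hash = sha256_file(src)
        # Sequence-number prefix so two artifacts with the same file name
        # (e.g. auth.log from two hosts) cannot overwrite each other.
        dst = bundle / f"{index:03d}_{src.name}"
        shutil.copy2(src, dst)          # copy2 keeps the mtime, which the timeline needs
        if sha256_file(dst) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dst, 0o440)            # read-only: analysis works on further copies
        stat = src.stat()
        items.append({
            "name": dst.name,
            "origin": str(src.resolve()),
            "sha256": original_hash,
            "size": stat.st_size,
            "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(stat.st_mtime)),
        })
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": items,
    }
    (bundle / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def manifest_digest(bundle_dir):
    """SHA-256 of manifest.json: the one value to write in the IRT log at collection time."""
    return sha256_file(Path(bundle_dir) / "manifest.json")


def verify(bundle_dir):
    """Return a list of (item name, problem) for items that are missing or changed."""
    bundle = Path(bundle_dir)
    manifest = json.loads((bundle / "manifest.json").read_text())
    problems = []
    for item in manifest["items"]:
        copy = bundle / item["name"]
        if not copy.exists():
            problems.append((item["name"], "missing"))
        elif sha256_file(copy) != item["sha256"]:
            problems.append((item["name"], "modified"))
    return problems


def demo():
    """Constructed run: two made-up artifacts are bundled, then one copy is
    altered to show that verify() reports it. Returns (before, after)."""
    work = Path(tempfile.mkdtemp(prefix="irt-"))
    # Constructed sample artifacts; host, user, addresses and incident id are invented.
    (work / "auth.log").write_text(
        "Mar  3 02:14:07 wks42 sshd[811]: Accepted password for jdoe from 10.9.8.7 port 51022\n")
    (work / "flows.csv").write_text(
        "start,src,dst,bytes\n2006-03-03T02:14:07Z,10.9.8.7,10.1.2.3,10240\n")
    bundle = work / "bundle"
    preserve([work / "auth.log", work / "flows.csv"], bundle, "IRT member (constructed)", "IR-2006-0003")
    before = verify(bundle)
    tampered = bundle / "000_auth.log"
    os.chmod(tampered, 0o640)           # undo the read-only bit to simulate tampering
    tampered.write_text("Mar  3 02:14:07 wks42 sshd[811]: Connection closed\n")
    after = verify(bundle)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Record the value of manifest_digest() in the IRT log or on the custody form at collection time; whoever later receives the bundle re-runs verify() and compares the digest. Flow exports and disk images are handled the same way as the log file here. On a live system, run the capture before the power-off in A3, since memory contents and active connections do not survive it.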


Corrective Measures

Appendix G

The IRT will determine and cause the execution of the appropriate activities and processes required to quickly restore circumstances to a normalized (secure) state. Corrective measures are designed with the primary objectives of:
o Secure the processing environment
o Restore the processing environment to its normalized state

A. Corrective Measures - Unauthorized Access
Activities that may be required to return conditions from unauthorized access to a normalized and secure processing state.
A1. Change passwords/passphrases on all local user and administrator accounts, or otherwise disable the accounts as appropriate. Make the changes from a known-clean system; new credentials entered on a host that is still compromised may be captured as well.
A2. Change passwords/passphrases for all administrator accounts where the account uses the same password/passphrase across multiple appliances or systems (servers, firewalls, routers).
A3. Rebuild systems to a secure state.
A4. Restore systems with data known to be of high integrity.
A5. Apply OS and application patches and updates.
A6. Modify access control lists as deemed appropriate.
A7. Implement IP filtering as deemed appropriate.
A8. Modify/implement firewall rulesets as deemed appropriate.
A9. Ensure anti-virus is enabled and current.
A10. Make all personnel "security aware".
A11. Monitor/scan systems to ensure problems have been resolved.
A12. Notify the IR Team of status and any action taken.


B. Corrective Measures - Unauthorized Acquisition
Activities that may be required to return conditions from an unauthorized acquisition to a normalized and secure processing state.
B1. Retrieve or restore assets where possible.
B2. Store all sensitive materials in a secure manner (e.g., lockable cabinets or storage areas/containers).
B3. Install/replace locks and issue keys only to authorized personnel.
B4. Restore security devices and/or apparatus to working condition.
B5. Remove and retain unauthorized equipment from the network/area.
B6. Implement physical security devices and improvements (e.g., equipment cables, alarms) as deemed appropriate.
B7. Make all personnel "security aware".
B8. Notify the IR Team of status and any action taken.


Guidelines for HelpDesk and NOC Personnel

Appendix H

Primary b1ective The primary ob1ective is to determine if the problem being reported is a security incident! In most instances, the problem being reported will not constitute an incident as defined within the protocol #see efinitions ' Information Security Incident 0 "ategories$! -o set of questions will address every circumstanceF previous e)perience with an individual and intuition may be relied upon to help determine if an incident has occurred! Support personnel are accountable for asing the questions about an incident, maing a reasonable attempt at determining if an incident has occurred, recording facts and responses to questions, and forwarding pertinent information to the responsible parties! Problem Reportin& &amiliarity with this protocol2s definitions will assist support personnel in maing a determination if a security incident has occurred! Individuals reporting problems and;or incidents should be informed as to the reason for the questions #i!e!, the University is attempting to determine if sensitive data is at ris or compromised$ and all individuals should be encouraged to openly discuss the problem being reported!  (ny information information provided provided by an individual individual that that helps in in the determinatio determination n is of considerable valueF the individual2s cooperation is critical, greatly appreciated and should be recognized! In#uiries &or those individuals who may be reporting a security incident, questions that might be ased include but are not limited to: /ere -etIs and;or passwords accessed or releasedH o /ere Social Security -umbers stored or processedH o o o o o

/ere medical records of individuals present or accessedH /ere credit card numbers or financial information disclosedH id physical theft of computer equipment occurH /as %foreign* or unauthorized equipment connected to the networH

  (iscovery and Reportin& If the answers to the inquiries indicate that an incident may have occurred, support personnel should assume that an incident has actually occurred and perform the following activities: .btain and record the contact information for the individual reporting the problem o #name, telephone numbers, e0mail address$ o Record relevant information about the incident #e!g!, time;date of suspected occurrence, type of information compromised, location of the compromise$ IT 0 I-&.R3(TI.- S4"URIT5 R4SP.-S4 PR.T.".6 


o Inform the individual to expect contact from a member of the Incident Response Team
o Request the individual to treat the incident as a confidential matter
o Contact the Telecommunications and Network Services (TNS) "on call" engineer for further assistance

Escalation
The TNS "on call" engineer is responsible for making an early determination of whether an incident has occurred or might be indicated. If the engineer believes an incident has occurred or might be indicated, or is unsure, the IRT Lead or Alternate should be contacted immediately, using the department's notification procedures.
