Information Security Incident Management
Introduction
This policy covers incident management of Information Security Breaches.
Preparation
This section outlines the requirements that ensure we are ready to respond to incidents rapidly and minimise the impact of any issue or malicious activity. It also sets out the formation and activities of the Computer Incident Response Team (CIRT).
- Policy – All employees, subcontractors, consultants and relevant stakeholders are to be made aware of the policy if they handle information for or on behalf of us
- Response Plan – A response plan checklist is to be stored prominently in the document management system, with a backup copy on a separate, disconnected system
- Communications – Relevant points of contact for data breaches are to be kept in two disconnected locations; notification timelines and methods must be followed
- Documentation – A timeline log of actions must be maintained to track all developments and actions for evidential purposes
- Team – The team should be formed from a range of disciplines, with a minimum of three members
- Access control – Anyone dealing with the information must have the appropriate clearances and permissions to handle it
- Tools – Only approved software tools may be used
Identification
The CIRT will collate and record all activities, reports and information that led up to the incident. This is done to gather evidence, but also to segregate affected business areas from unaffected ones so that the rest of the business can continue functioning.
Containment
All affected articles, devices and components are to be separated and marked accordingly so that they are not used accidentally. Any further testing, management, etc. is to be done in a containerised environment.
Eradication
Devices should be thoroughly cleaned, all content removed, and then rechecked to ensure that no malicious content remains.
Recovery
Backup files are to be checked for malicious files before being restored, to prevent re-infection. The CIRT must identify:
- last safe backup
- method of testing and validation
- duration of monitoring after backup
- tools to monitor and evaluate system behaviour
Lessons Learned
Lessons learned are to be provided in a report within 2 weeks of the completion of the incident, capturing what went wrong, why, the impact, what was done, areas for improvement, what the CIRT did well, what could be improved and how, and a summary.
Incident handlers checklist
- Preparation
  - Are all members aware of the policy?
  - Are points of contact accessible?
  - Is an incident log established?
- Identification
  - Where did the incident occur?
  - Who reported it?
  - How was it discovered?
  - Are there any other areas compromised, and what is the impact?
  - What is the scope of impact?
  - What is the business impact?
  - Has the source been located?
- Containment
  - Short term
    - Can the system be isolated?
    - Are all affected systems isolated from non-affected systems?
  - System backup
    - Have forensic copies been taken?
    - Are they secure and separate?
  - Long term containment
    - Can the system be taken offline?
    - If not, can it be contained temporarily?
  - Short term
- Eradication
  - Can patches be deployed?
  - Has all malware been removed?
- Recovery
  - Are patches installed?
  - What time/day can systems be restored?
  - How long will systems be monitored?
- Lessons Learned
  - Has all documentation been written?
  - Has the report been distributed and key learnings shared?