8/18/2019 Incident Management Policy
IT Incident Management Plan
(March 31, 2015 – Version 0.1)
Contents
1 Document Revision Control
2 Effective Date
3 Introduction
3.1 Purpose
3.2 Scope
3.3 Reporting
3.4 Communication
4 Context
4.1 Objectives
4.2 Assumptions
5 Governance Model
6 Incident Management Process
6.1 Preparation
6.2 Identification
    Categorization
    Prioritization
6.3 Response
6.4 Recovery
6.5 Post Incident Analysis
7 Office Roles and Responsibilities
Appendix A – Definitions
Appendix B – Summary of Office Obligations
Appendix C – Evidence Preservation
    Step 1
    Step 2
    Step 3
Appendix D – Incident Categorization
Appendix E – Incident Report Template
1 Document Revision Control

Revision | Date      | Summary of Revisions Made | Changes Made By (Name)
0.1      | 3/30/2015 | Initial Version           |
2 Effective Date
This plan takes effect on March 31, 2015. It will be reviewed on a yearly basis
and modified as appropriate.
3 Introduction
3.1 Purpose
This document delineates the policies and procedures for Information
Technology Incident Management, as well as Company's process-level plans
for managing incidents on critical technology platforms and the
telecommunications infrastructure. Our mission is to ensure information
system uptime, data integrity and availability, and business continuity.
3.2 Scope
This Plan applies to all Company's offices and subsidiaries subject to the
Policy and addresses:
• Threats, vulnerabilities, and incidents within an IT environment that
affect or may affect service to Company operations, security or privacy
of information or confidence;
• Incidents within an IT environment requiring an integrated response;
• Networks classified secure and below.
3.3 Reporting
This version of the plan requires employees/departments/offices to report IT
incidents to the IT Department using the OTR tool or any other
communication method in case access to OTR is impossible.
3.4 Communication
The IT incident management departmental operating procedures referenced
herein will be provided to HR for inclusion in the standard policies/plan
library.
4 Context
The occurrence of Information Technology (IT) incidents involving Company's
networks and infrastructure can have a significant impact on Company
operations, services delivered to customers and, consequently, confidence in
Company. The ability to detect and respond to incidents in a coordinated and
consistent fashion is essential to maintaining Company operations and
services and to ensure the confidentiality, integrity and availability of
Company's information and IT assets.
The Company Information Technology Incident Management Plan provides an
operational framework for the management of IT security incidents and
events that could have or have had an impact on Company information
technology infrastructure.
4.1 Objectives
The &ollo"ing are the obectives o& this plan.
• 9nhanced situational a"areness across the 'o$pan#0
• !$proved coordination and incident $anage$ent planning "ithin the
'o$pan#0
• Ti$el# resolution o& incidents that afect 'o$pan# services and
operations0
• !n&or$ed decision $aking and associated incident $itigation and
response0
• : shared sense o& responsibilit# and partnership a$ong the 'o$pan#
!T and custo$ers !n&or$ation Technolog# ecurit# areas0
• !$proved shared 'o$pan# kno"ledge and e;pertise0
• 9nhanced con%dence in 'o$pan#.
4.2 Assumptions
The following assumptions were made during the development of
this Plan:
• 'urrent $andates and responsibilities "ill be respected0
• !T securit# incidents related to the disclosure o& personal in&or$ation or
private co$$unications "ill &ollo" established privac# procedures
according the countr# la"0
• !n addition i& the incident is considered a cri$e, particulars should be
reported to the countr# 9n&orce$ent :genc# as applicable.
5 Governance Model
During a serious incident, the timely engagement of senior management is
key to a strong and effective response. The governance model of the IMP
identifies the senior management committees and managers who will be
engaged when severity and trigger criteria are met.
(To be completed)
6 Incident Management Process
The incident management process will consist of the following five defined
stages (see Figure 1): the stages "preparation" and "identification" are
integral components to an effective incident management plan that must be
in place and kept up to date to be properly prepared for managing an
incident. The other three stages, "response", "recovery" and "post incident
analysis", will be the focus of the governing structure.
Figure 1: Stages of Incident Management Process
The responsibilities of departments related to the incident management process
are documented for each of the stages in the following sections. A summary
of responsibilities for all stages of the incident management process is
provided in Appendix B.
6.1 Preparation
The preparation stage involves incident handling planning and training
activities designed to provide adequate capabilities to prevent and detect
incidents.
At a minimum:
1. Develop and practice incident handling planning and training
activities and exercises to enable identification and effective response.
2. Ensure the response plan and communications procedures are well
known and easily accessible to all involved personnel, and reviewed
and updated as required (both periodically and following an incident).
3. Identify critical systems (Business and Operations) to better identify
injury and impact levels when reporting an event or incident.
4. Integrate the processes of the IMP into the Office Security, Business
Continuity and IT contingency plans.
5. Ensure awareness and response training is available to all
employees commensurate with the current and emergent threat
landscape.
6. Ensure provision of appropriate training and awareness of incident
identification, incident management policy, and procedures to IT staff,
so that all individuals involved understand their roles and
responsibilities related to incidents.
7. Ensure that standard measures are defined in advance for rapid
implementation as required.
8. Monitor and manage software, hardware and firmware configurations
including version numbers and patch levels in a departmental
database to ensure that departments are able to identify vulnerabilities
and act accordingly.
9. Take reasonable measures to ensure the preservation and protection
of evidence (see Appendix C).
6.2 Identification
The identification stage consists of the detection of an event suspected of
being an IT security incident, advising Information Technology
representatives for the affected systems (who will perform the initial
assessment to determine if it is an actual incident), and determining the
impact, severity, and probable cause of the suspected incident.
As a minimum, offices will:
1. Carry out monitoring and intrusion detection activities (e.g. track
and analyze threats, vulnerabilities, events via logs from various
sources such as firewalls or Intrusion Detection Systems, which may
affect IT systems). This should also include a proactive vulnerability
management process using standard frameworks such as the National
Institute of Standards and Technology's Common Vulnerability Scoring
System;
2. Once it is determined that an event has the potential or has been
confirmed to be an incident, send an initial incident report using OTR
and, when further information becomes available, submit an updated
incident report;
3. Preserve evidence as outlined in Appendix C.
The incident information must be reported to the OTR no later than one (1)
hour after the detection of an incident. The OTR tool should be used to
report the incident. In the incident report, the reporter must assign a level of
injury and impact severity. Appendix D should be used as a guideline to
categorize the level.
If relevant, affected offices should attempt to correlate multiple incident
reports to identify those that are related to a single incident.
http://www.tbs-sct.gc.ca/sim-gsi/sc-cs/docs/itimp-pgimti/itimp-pgimti04-eng.asp#Toc324324209
If the IT security area notifies an office of a significant event, offices will be
requested to confirm if the event is in fact an incident. Offices then must
respond by reporting the incident using the OTR tool.
The IT security area may trigger the Incident Management process if they
detect an incident involving one or more offices.
Categorization
The affected office shall assign a category to the confirmed or suspected
incident using the chart provided in Appendix D.
Prioritization
Affected offices shall prioritize based on the incident's potential impact.
Impact is the effect of the incident on the organization's objectives and
mission based on the following factors:
• Technical impact (current and future): The current negative
effects of the incident and likely future effects. For example, malware
spreading within one regional office has an immediate local impact, but
if the malware spreads across the Company, it could affect operations
throughout the organization; and
• Criticality of affected resources: The criticality of the Information
System (IS) resources that are or could be affected by the incident.
Critical systems have been identified through the Business Impact
Assessments and other business continuity activities.
6.3 Response
Once an event is received from an affected office, partner, or customer, the
Incident Response Team (IRT) will send an acknowledgment of receipt. If it
is determined to be an incident, the IRT will assess the information received
to determine whether the incident is of an IT or cyber nature, and provide
appropriate mitigation advice and guidance to the affected office(s) and will
alert other offices of the threat and how to protect against it. If the incident is
of a cyber-security nature, the IRT will also provide this information to IT
security for analysis. The IRT will also provide a summary of incidents on a
regular basis for situational awareness.
Based on the incident categorization (Appendix D), the incident will be
handled accordingly as indicated below.
If deemed low risk:
• The information will be logged and the circumstances monitored as
an integral part of situational awareness. It will also be reviewed
against previous events (even those deemed low risk).
If deemed medium to high risk:
• If the incident is deemed to be non-cyber in nature, the information
will be provided to the management team for review and action if
warranted.
• The information will be provided to IT security so as to ensure the
management of security incidents is effectively coordinated within
offices.
• The information will be passed to the business unit for an
assessment. If an investigation is deemed necessary, the country's law
enforcement agency will be informed immediately.
• If an incident has implications for a customer, the information will be
passed to the corresponding partner so the customer can be informed
immediately.
• While an investigation is ongoing, the investigating party may provide
information to the IRT and/or the Cyber Response Unit (CRU) for mitigation
purposes.
The CRU will proceed according to standard operating procedures.
The CRU's main goal is to provide mitigation advice to the affected office(s)
and to alert other offices of the threat and how to protect against it.
If containment cannot be achieved at the office level, the IRT will lead the
containment effort as per established procedures.
At any time offices may update their incident report to provide additional
information to the IRT or to request further mitigation advice.
Threat and vulnerability events will be escalated by the IRT to the CRU when
there is a high risk to Company.
The Management Team is the decision-making group that is convened to
advise and intervene when attempts to restore services have not produced
expected results or when no action taken/conceived can provide for the
continuity of operations and rapid recovery of services. The Management
Team has the authority to make important decisions necessary in a crisis:
activation of a disaster recovery service, approval of special budgets, etc. In
addition, if mitigation requires additional resources, the Management Team
will be called upon to review the CRU's action plan and act accordingly.
6.4 Recovery
Most incidents will require recovery actions to restore systems and services
to normal operations and preventative actions to avoid recurrence. Recovery
actions may include restoration of systems from original media or images,
installation of patches and immediate mitigation actions to prevent
reoccurrence. System/service recovery should be conducted in a manner
that preserves the integrity of the system to assist with an in-depth
analysis/investigation of the incident.
The recovery process should align with internal processes such as: Incident
Management, Problem Management, Change Management, Configuration
Management, and Release Management.
Prior to reconnecting affected systems or restoring services, incident
handlers shall ensure that reinstating the system or service will not result in
another incident.
As a minimum, offices will:
1. Respond to IRT electronic information products as requested
(Cyber Flashes, RFI, etc.);
2. Insofar as possible, implement any relevant mitigating measures
as recommended/mandated by the IRT, IT security or IT Management;
3. Provide situation report updates during the incident phases and
provide a final notification to the IRT when normal operations have
resumed to close the OTR ticket.
6.5 Post Incident Analysis
Post-analysis of incidents is vital for learning and continuously improving
Company safeguards and response plans and procedures. Reviewing the
incident, recording lessons learned, recommending changes in processes and
procedures, and developing long-term capability improvement solutions are
crucial for a successful preparation phase.
For every major incident that occurs:
Offices will perform a post incident analysis, which summarizes the impact
of the incident and identifies:
• safeguard deficiencies;
• measures to prevent similar incidents;
• measures to reduce the impact of a recurrence;
• improvements to incident-handling procedures and related policies;
• review of the preparation phase in terms of the response to the
incident; and
• lessons learned.
Affected offices will provide the IRT a post-incident summary report.
IT management will close the post-incident analysis phase of the IT IMP based
on the implementation of mitigating measures and actions.
For multi-office incidents, IT management will lead post-incident
analysis and will lead implementation of identified changes/improvements.
7 Office Roles and Responsibilities
This section identifies roles and responsibilities within offices relevant to the
IT IMP.
The IT Security Officer is responsible for:
• Establishing reporting requirements for IT security incidents that align
with the requirements established in the IT IMP as part of a coordinated
approach to the management of office security incidents.
The IT Security Coordinator is responsible for:
• Ensuring that effective processes for the management of IT security
incidents are developed, documented, approved, promulgated and
implemented within the department, and that the effectiveness of
these processes is monitored; and
• Reporting on detected IT security incidents in accordance with the
requirements established by the ITSO.
Security practitioners and Operational IT Staff are responsible for:
• Responding to IT Security incidents in accordance with the processes
and procedures established by the department.
All office employees are responsible for:
• Reporting real or suspected IT security incidents or other suspicious
activity to office managers, in accordance with the processes and
procedures established by Company.
Appendix A – Definitions
Cyber Incident
A deliberate IT incident that is state-sponsored or is utilizing a non-publicly
known exploit.
Event
An event is an observable change to the normal behavior of a system,
environment, process, workflow or person. An event can feed into an incident
but the opposite is not true.
Incident Handler
The person appointed or responsible to lead all stages of incident handling.
The incident handler will be the contact person throughout the incident life
cycle.
IT Incidents
Incidents are understood to be any event or collection of events which may
affect the confidentiality, integrity, or availability of an information system
including components, or an event or collection of events which may violate
information system policies or the law. Incidents can originate internally or
externally and can be caused deliberately or accidentally. Incidents include
privacy breaches, which are a collection, use, disclosure, access, disposal, or
storage of personal/customer information, whether accidental or deliberate,
that is not authorized.
Appendix B – Summary of Office Obligations
Offices will develop and practice incident handling training activities and
exercises to enable identification and effective response.
Offices will ensure the response plan and communications procedures are
well known and easily accessible to all IT personnel, and reviewed and
updated as required (both periodically and following an incident).
Offices will identify their critical systems (Business and Operations) to
better identify injury and impact levels when reporting an event or incident.
Offices will integrate the processes of the IMP into their office Security,
Business Continuity, IT contingency plans.
Offices will ensure awareness and response training is available to all
employees commensurate with the current and emergent threat landscape.
Offices will ensure provision of appropriate training and awareness of
incident identification, incident management policy, and procedures to IT
staff, so that all individuals involved understand their roles and responsibilities
related to incidents.
Offices will ensure that standard measures are defined in advance for rapid
implementation as required.
Offices will monitor and manage software, hardware and firmware
configurations including version numbers and patch levels in a database to
ensure that they are able to identify vulnerabilities and act accordingly.
Offices will take reasonable measures to ensure the preservation and
protection of evidence (see Appendix C).
Offices will carry out monitoring and intrusion detection activities (e.g.
track and analyze threats, vulnerabilities, events via logs from various
sources such as firewalls or Intrusion Detection Systems). This should also
include a proactive vulnerability management process using standard
frameworks such as the National Institute of Standards and Technology's
Common Vulnerability Scoring System.
Offices will contact IT for assistance in characterizing potentially suspicious
events.
Offices will, once it is determined that an event has the potential or has
been confirmed to be an incident, file an initial incident report using OTR
and, when further information becomes available, add the information to the
incident report.
Offices will provide situation report updates during the incident phases and
provide a final notification to the IRT when normal operations have resumed.
After normal operations have resumed, the incident must be closed in OTR.
Offices will perform a post analysis, which summarizes the impact of the
incident and identifies:
• safeguard deficiencies;
• measures to prevent similar incidents;
• measures to reduce the impact of a recurrence;
• improvements to incident-handling procedures and related policies;
• review of the preparation phase in terms of the response to the incident;
and
• lessons learned.
Affected offices will provide a post-incident summary report.
Appendix C – Evidence Preservation
The &ollo"ing is an overvie" o& basic evidence preservation &or !T personnel.
Step 1:
Hhen an incident has been identi%ed, the incident handlers $ust/
9nsure that the afected $achines8 is no longer accessible to non)authoriBed
personnel i.e. onl# accessible to incident handlers ) preservation o& the
chain o& custod#8.
9nsure that no atte$pts are $ade to e;plore the content o& the afected
8/18/2019 Incident Management Policy
16/18
$achines8 or to recover data &ro$ it. The incident handlers $ust also
docu$ent/
• Hhen "as the incident discoveredK
• o" "as the incident discoveredK
• Hho discovered the incidentK
Step 2
The incident handler needs to preserve the evidence b# taking the &ollo"ing
actions/
• 9nsure that the afected $achines8 re$ains in a =ive tate so that
the live $e$or# can be collected.
• 4ecord o& all processes running on the afected $achines8.
• 4ecord all ph#sical connections &ro$ the afected $achines8 to all
other devices.
• 4ecord all !+ addresses and "ireless connections to and &ro$ the
afected $achines8 across the net"ork.
• +reserve all tra-c logs %re"all, !, !+, !, etc.8 to and &ro$ the
afected $achines8 across the net"ork.
• Hhen disconnecting the afected $achines8 &ro$ the net"ork
care&ull# $onitor processes to ensure that the hard drive is not being
erased. !& in&or$ation is being deleted i$$ediatel# turn of the po"er.
Step 3
:&ter preserving the net"ork logs and protecting the evidentiar# chain o&
custod#, the incident handlers should take the &ollo"ing actions/
• 4ecord o& all actions relating to the collection, preservation, access,
storage andor trans&er o& digital evidence.
• +repare a net"ork diagra$ "ith the !+ addresses o& all the afected
$achines8 and all other relevant net"ork nodes.
• +repare, date and sign detailed notes on all actions taken during the
8/18/2019 Incident Management Policy
17/18
course o& the incident response.
• 'o$$unicate all observations $ade and actions taken to la"
en&orce$ent investigators.
Incident handlers must ensure that the$ have the legal authorit$ to
collect and preserve all information gathered during the incident
response process+ The$ are also responsi(le for all actions ta&en
with respect to digital evidence+
Appendix D – Incident Categorization
Step 1: Define the injury level and sector with the guide below.

Sector: Image and customer confidence with Company
• Low: Limited or no loss of image or negative impact on Company reputation.
• Medium: Moderate loss of image or negative impact on Company reputation.
• High: Significant loss of image or negative impact on Company reputation.

Sector: Infrastructure & Provision of Services
• Low: Limited or no negative effect on critical infrastructure or provision of services.
• Medium: Moderate negative effect on critical infrastructure or provision of services.
• High: Significant negative effect on critical infrastructure or provision of services.

Sector: Productivity & Financial
• Low: Limited or no negative effect on productivity or finances.
• Medium: Moderate negative effect on productivity or finances.
• High: Significant negative effect on productivity or finances.

Step 2: Define the impact of the incident with the guide below.

Impact Level: Low
• Impacts a single workstation, mobile/portable device
• Incident impacts 1-4 of users
• Unclassified information impacted

Impact Level: Medium
• Impacts one server or an administrator account is involved
• Impacts many (10) workstations, mobile/portable devices or one of a (high profile manager)
• Incident impacts 5-9 of users
• Protected or confidential information impacted

Impact Level: High
• Impacts infrastructure device such as a router.
• Impacts two or more servers, or one (e-mail server)
• Incident impacts 10 or more of users
• Critical information impacted (to be reported via secure methods only)
• Privacy breach

Appendix E – Incident Report Template
For assistance filing an Incident Report using OTR, contact the local IT
department.