Incident Management Policy - Incident Management

Incident Identification

Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:

  • Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in, or unscheduled/unauthorized physical entry)

  • Fraud – Inaccurate information within databases, logs, files, or paper records

  • Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals)

  • Security event notifications (e.g., file integrity alerts, intrusion detection alarms, physical security alarms such as fire alarms, environmental alarms, and natural disaster alerts)

All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and who to notify in these situations. In all cases, every employee should report incidents per the instructions under 3.2 Reporting and Incident Declaration Procedures unless they are assigned other activities within the incident response plan.

Reporting and Incident Declaration Procedures

The Information Security Department should be notified immediately of any suspected or real security incidents involving Business computing assets, particularly any critical system. If it is unclear as to whether a situation should be considered a security incident, the Information Security Department should be contacted to evaluate the situation.

Except for the steps outlined below, any investigative or corrective action must be taken only by Information Security Department personnel or under the oversight of Information Security Department personnel, to assure the integrity of the incident investigation and recovery process. When faced with a potential incident, you should do the following:

  • If the incident involves a compromised computer system:

      • Do not alter the state of the computer system.

      • The computer system should remain on and all currently running computer programs left as is. Do not shut down the computer or restart the computer.

      • Immediately disconnect the computer from the network by removing the network cable from the back of the computer.

  • Reporting the security incident:

      • Contact the Information Security Department to report any suspected or actual incidents.

      • No one should communicate with anyone outside of their supervisor(s) or the Information Security Department about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Information Security Department.

      • Document any information you know while waiting for the Information Security Department to respond to the incident. This must include the date, time, and the nature of the incident if known. Any information you can provide will aid in responding appropriately.

Incident Severity Classification

The Information Security Department will first attempt to determine if the security incident justifies a formal incident response.

In cases where a security incident does not require an incident response, the situation will be forwarded to the appropriate area of IT to ensure that all technical support services required are rendered.

The following descriptions should be used to determine what response the Information Security Department will take.

  • Level 1 – One instance of potentially unfriendly activity (e.g., finger, unauthorized telnet, port scan, corrected virus detection, unexpected performance peak, etc.).

  • Level 2 – One instance of a clear attempt to obtain unauthorized information or access (e.g., attempted download of secure password files, attempt to access restricted areas, single computer successful virus infection on a non-critical system, unauthorized vulnerability scan, etc.) or a second Level 1 attack.

  • Level 3 – Serious attempt or actual breach of security (e.g., multi-pronged attack, denial of service attempt, virus infection of a critical system or the network, successful buffer/stack overflow, successful unauthorized access to sensitive or critical data or systems, broken lock, stolen papers, etc.) or a second Level 2 attack.

Any Level 1-type incident occurring against systems storing sensitive or confidential data or originating from unauthorized internal systems is classified as a Level 2.


Incident Response

Typical Response

Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery, and root cause analysis resulting in improvement of security controls. The following actions should be taken by the Information Security Department once an incident has been identified and classified.

  • Level 1 – Contain and Monitor

  1. If possible, record the user, IP address, and domain of the intruder.

  2. Utilize approved technology controls to temporarily or permanently block the intruder’s access.

  3. Maintain vigilance for future break-in attempts from this user or IP address.

  • Level 2 – Contain, Monitor, and Warn

  1. Collect and protect information associated with the intrusion.

  2. Utilize approved technology controls to temporarily or permanently block the intruder’s access.

  3. Research the origin of the connection.

  4. Contact the Business internet service provider (ISP) and ask for more information regarding the attempt and intruder.

  5. Research potential risks related to intrusion method attempted and re-evaluate for higher classification and incident containment, eradication, and recovery as described for Level 3 incident classifications.

  6. Upon identification, inform the malicious user of our knowledge of their actions and warn of future recriminations if the attempt is repeated. If an employee is a malicious user, Management should work with Human Resources to address the acceptable use violation appropriately.

  • Level 3 – Contain, Eradicate, Recover, and perform Root Cause Analysis

  1. Contain the intrusion and decide what action to take. Consider unplugging the network cables, applying highly restrictive access control lists (ACL), deactivating or isolating the switch port, deactivating the user ID, terminating the user’s session, changing the password, etc.

  2. Collect and protect information associated with the intrusion via offline methods. If a forensic investigation is required, the Information Security Department will work with legal and Management to identify appropriate forensic specialists.

  3. Notify Management of the situation and maintain notification of progress at each following step.

  4. Eliminate the intruder's means of access and any related vulnerabilities.

  5. Research the origin of the connection.

  6. Contact the ISP and ask for more information regarding the attempt and intruder, reminding them of their responsibility to assist in this regard.

  7. Research potential risks related to or damage caused by the intrusion method used.

Root Cause Analysis and Lessons Learned

Not more than one week following the incident, members of the Information Security Department and all affected parties will meet to review the results of the investigation conducted to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy, or security control can be made more effective or efficient must be updated accordingly.

Plan Testing and Training

At least once a year, a mock incident will be initiated to facilitate testing of the current plan. The exact incident to be tested will be at the discretion of the Information Security Department. Once complete, a follow-up session, as detailed above, will be held.

All Business employees who could have an active role in incident response will be part of the test process.

Training regarding incident response responsibilities should be performed regularly to ensure employees’ readiness for tests and actual incidents.

Automated Security System Notification

All automated intrusion detection systems within the Business environment, including intrusion detection sensors and file integrity checking systems, will be configured to automatically notify the Information Security Department of any potential compromises or attacks.

An engineer with the Information Security Department must be available on a 24/7 basis to initiate the incident response plan if warranted.