Incident Response Policy
Incident Response Policy
Enterprise Security Office Forum
November 20th, 2008
Welcome
Theresa Masse, State CISO
Agenda
Policy Overview
Roles and Responsibilities
Resources For Agencies
Agency Panel
Questions
Incident Response Policy
Why do we need it?
Increasing value of information
Increasing risk to information
Increasing penalties for failure to safeguard information: PCI, HIPAA, OCITPA (aka SB583)
2005 Legislature HB3145 -> ORS 182.122
Policy Goals
Develop Statewide Incident Response (IR)
Develop Agency Incident Response
Incident Reporting
Timely Response Coordination
Data Collection
What Information Is Covered by Policy?
All Information:
Electronic
Written
Verbal
Key Policy Elements: Incident
What is an “incident” we should report?
Defined in Policy
Remember Policy Goals! Will reporting this incident help?
Four Key Elements:
Involves security of information
Is unwanted or unexpected
Shows harm or significant threat of harm
Requires non-routine response
Key Policy Elements: Incident
Common pitfall for IR plan authors
Incident vs. “SB583 Breach”
Information Security Incident
PII Exposure, per OCITPA (aka SB583)
All Breaches are Incidents
Not all Incidents are Breaches
Key Policy Elements: Responsibilities
State Incident Response Team (SIRT)
State Data Center (SDC)
Agencies
SIRT Responsibilities
Statewide Incident Response Program: Policy, Plan, Procedures, Reporting
Data Aggregation and Reporting
Incident Response – When will the SIRT respond?
Multi-Agency / Statewide Impact
Agency Assistance Required
SB583 Breaches
Incident Forensics Capabilities
SDC Responsibilities
Monitoring, Alerting, Incident Response for:
State Wide Area Network (WAN)
SDC-hosted Infrastructure
Agency Responsibilities
Agencies are responsible for their own information
Agency IR Capabilities: Policy, Plan, Procedures
Agency Information Incidents: Detection, Response, Follow-up, Protection
SIRT Point of Contact
Assist SIRT
SDC Response Chart
Agency Response Chart
Agencies Need To:
Create or Adopt Policy
Develop Plan
Develop Capabilities
Create Procedures
Assign Point of Contact
Policy Compliance Date May 1, 2009
“IR” Is Not Just “IT”
IR Requires Agency Business Participation
Not all information is electronic
Business drives response
Incident detection happens anywhere in agency – not just in IT department
Resources For Agencies
Website overview
Plan Template
Educational Resources
Qualified Vendors List
Point of Contact Form
Potential IR workshops
IR Website http://www.oregon.gov/DAS/EISPD/ESO/SIRT.shtml
IR Plan Template
http://www.oregon.gov/DAS/EISPD/ESO/docs/SIRT/IncidentResponsePlanTemplate.doc
Educational Resources
Carnegie Mellon CERT
http://www.cert.org/work/training.html
SANS Institute
http://www.sans.org/sans_training.php
InfoSec Institute
http://infosecinstitute.com/courses/security_training_courses.html
Master Services Contract
Qualified Vendors List
Incident Response
Forensics
Breach Services
Currently in DAS Procurement
ETA...
Agency Point of Contact
This form (available on our website) needs to be completed for every agency and given to the SIRT.
Guest Speakers
Agency Experiences Developing Incident Response Capabilities
Bret West – DAS
Richard Rylander – DOJ
Incident Response Policy and Plan Development
Bret West, Operations Division Administrator
Department of Administrative Services
DAS Incident Response Policy and Plan Development
The assignment: Develop and implement DAS’ internal incident response program
The timeframe: Concurrently with development and adoption of the statewide Enterprise Security Office IRP policy
Why concurrently? To inform ESO policy/plan development
DAS Incident Response Policy and Plan Development
Process
Engaged DAS IT Management Council
Governing body for DAS internal IT
Made up of representatives from all DAS divisions
Good mix of division administrators/staff; technical/non-technical; management/classified
Established subcommittee to work through details
Discussed roles and responsibilities of IT staff vs. data owners
DAS Incident Response Policy and Plan Development
Process
Presented draft policy, plan and informational flyer to IT Management Council
Identified changes needed through robust council discussion
Presented final package to DAS Executive Team for adoption
DAS Incident Response Policy and Plan Development
Challenges
Timeline
Ensuring stakeholder engagement
Clearly delineating roles and responsibilities
DAS Ops (internal) vs. SDC and ESO (external)
Data owners vs. IT staff
Communication/Reporting
Resuming business operations
DAS Incident Response Policy and Plan Development
Path to Success
Used ESO templates for the policy, plan and awareness flyer
Engaged business partners and executive team
Realized that the plan would evolve with experience
Identified gaps in staffing/skill sets
Work with agency communications team to roll out the policy
Guest Speakers – Part II
Agency Experiences Developing Incident Response Capabilities
Bret West – DAS
Richard Rylander – DOJ
DOJ Security Incident Response
Richard Rylander, Security Coordinator
Department of Justice
Agenda
Incident Types
Challenges
Planning
Mistakes
Incident data
Benefits
Resources
Incident Types
Malware and Spyware Infection
Viruses and Worms Infection/Outbreak
Breach of Acceptable Use Policy
Breach of security policy or procedures
Loss or theft of physical or electronic media
Data Loss
Challenges
Who owns incident response? Management, Employees, Information Technology
Who is responsible for incident response? Roles and responsibilities
Communications Plan
Escalation
Challenges
Business Concerns
Reporting
Incident impact
Notification requirements
Media
Law enforcement
Challenges
Business Concerns – cont’d
Data Loss
Physical or electronic
Financial Loss
Legal requirements
Loss of productivity
Challenges
Information Technology Concerns
What data was compromised? Physical or electronic
How was the data compromised?
How many systems were affected?
Was the data loss preventable?
Was there inside involvement?
Was there outside involvement?
Was the data encrypted?
Planning
Create an incident response process flow
Create a responsibility matrix
Create a communications plan
Incident Response Flow Diagram
(Flow diagram; node labels recovered from the slide in the order they appear, branch arrows not recoverable)
Incident Detection
CSC Notified
CSC Contacts SIRT Member Based on Incident Location
SIRT Member Conducts Initial Investigation
Forensic Duplication of Data (as required)
Continue Investigation / Determine Response (document)
Response (document)
Communications (internal)
Communications (external)
Recovery (document)
Determine Business Impact (document)
Collect Evidence (document)
Monitor Systems
Isolate & Contain (as necessary)
Deliver findings to CIO & Management
Security Incident? (No / Yes)
Close Security Incident
Concurrent: Notify CIO
Escalate? (No / Yes)
Apply Corrective Actions
Property Loss? (No / Yes)
Property Loss Policy
Risk Management Notification
Update Risk Management
Return System(s) to Normal Operation
Identify Lesson(s) Learned (document)
Implement Improvements or Corrections from Lesson(s) Learned
Develop Final Report
Develop a Responsibility Matrix
| Role | Report | Detect/Monitor | Evaluate | Containment | Communicate | Respond/Correct | Recover | Document |
|---|---|---|---|---|---|---|---|---|
| Chief Information Officer | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| IS Management | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| Security Officer | R | C/R | I/C/R | I/C | I/C | I/C | I | I/C/R |
| Network Security Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Services Team | R | C/R | I/C/R | C/R | I/C | I/C/R | I/C/R | I/C/R |
| Mainframe Team | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Desktop Services Team | R | C/R | I/C | I/C | I/C | I/C/R | I/C/R | I/C/R |
| Customer Services Team | R | C/R | I/C | I/C | I/C | I/C | I/C | I/C/R |
| Application Development Team | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Division Management | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| All DOJ Employees | R | C/R | n/a | I/C | I/C | I | I | I/C |
| Risk Management | I | I | I/C/R | I/C/R | I/C/R | I/C | I/C | I/C/R |
| State Data Center (SDC related) | R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |

R = Responsible, C = Contributes, I = Informed
Incident Response Mistakes
Incident Response Mistakes
Failure to mitigate the risk
Shut down the attack point. Do not get caught up in ‘fire fighting’ mode.
Isolate and prevent the incident from spreading unless there is a reason to permit the attack to continue.
Do not underestimate the scope of the incident.
Incident Response Mistakes
Failure to learn from past incidents
Modify security controls and training materials to reflect lessons learned.
Failure to document incident procedures
Provide communication plan.
Provide reporting and documentation requirements.
Document all incidents in detail.
Oregon Incidents 2008
Nov. 1, 2008: Veterans Affairs Medical Center (Portland, OR), 1,600 records. Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site.
June 4, 2008: Oregon State University (Corvallis, OR), 4,700 records. The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.
April 28, 2008: Hough, MacAdam & Wartnik (North Bend, OR), 500 records. A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information.
Mar. 6, 2008: Cascade Healthcare Community (Prineville, OR), 11,500 records. A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community.
http://www.privacyrights.org
Notable Incidents

| Records | Organization | Date |
|---|---|---|
| 94,000,000 | TJX Companies Inc. | 01/17/2007 |
| 40,000,000 | CardSystems (Visa, MasterCard, American Express) | 06/19/2005 |
| 30,000,000 | America Online | 06/24/2004 |
| 26,500,000 | U.S. Department of Veterans Affairs | 05/22/2006 |
| 25,000,000 | HM Revenue and Customs | 11/20/2007 |
| 17,000,000 | T-Mobile, Deutsche Telekom | 10/06/2008 |
| 12,500,000 | Archive Systems Inc. / Bank of New York Mellon | 05/07/2008 |
| 11,000,000 | GS Caltex | 09/06/2008 |
| 8,637,405 | Dai Nippon Printing Company | 03/12/2007 |
| 8,500,000 | Certegy Check Services Inc. / Fidelity National Information Services | 03/07/2007 |
Source: http://datalossdb.org
Benefits of Incident Response
User Awareness
Defined responsibilities
Defined response procedure
Defined Incident Response Policy
Defined communications plan
Measurable results
Summary
Define responsibilities
Identify areas of challenge
Identify and create key documents
Communications Plan
Document in detail
Use resources available for assistance
Resources
NIST – National Institute of Standards and Technology (http://csrc.nist.gov/)
SANS Institute (http://www.sans.org/)
US-CERT (http://www.us-cert.gov/)
RFC 2350 (http://www.ietf.org/rfc)
Richard Rylander
Oregon Department of [email protected]
Questions?