
IT Incident Management Plan

(March 31, 2015 Version 0.1)

Contents

1 Document Revision Control
2 Effective Date
3 Introduction
  3.1 Purpose
  3.2 Scope
  3.3 Reporting
  3.4 Communication
4 Context
  4.1 Objectives
  4.2 Assumptions
5 Governance Model
6 Incident Management Process
  6.1 Preparation
  6.2 Identification
      Categorization
      Prioritization
  6.3 Response
  6.4 Recovery
  6.5 Post Incident Analysis
7 Office Roles and Responsibilities
Appendix A Definitions
Appendix B Summary of Office Obligations
Appendix C Evidence Preservation
  Step 1
  Step 2
  Step 3
Appendix D Incident Categorization
Appendix E Incident Report Template

1 Document Revision Control

Revision | Date      | Summary of Revisions Made | Changes Made By (Name)
---------|-----------|---------------------------|-----------------------
0.1      | 3/30/2015 | Initial Version           |

2 Effective Date
This plan takes effect on March 31, 2015. It will be reviewed on a yearly basis
and modified as appropriate.

3 Introduction
3.1 Purpose
This document delineates the policies and procedures for Information
Technology Incident Management, as well as Company's process-level plans
for managing incidents on critical technology platforms and the
telecommunications infrastructure. Our mission is to ensure information
system uptime, data integrity and availability, and business continuity.

3.2 Scope
This Plan applies to all Company's offices and subsidiaries subject to the
Policy and addresses:
- Threats, vulnerabilities, and incidents within an IT environment that
  affect or may affect service to Company operations, security or privacy
  of information or confidence;
- Incidents within an IT environment requiring an integrated response;
- Networks classified secure and below.

3.3 Reporting
This version of the plan requires employees/departments/offices to report IT
incidents to the IT Department using the OTRS tool or any other
communication method in case access to OTRS is impossible.

3.4 Communication
The IT incident management departmental operating procedures referenced
herein will be provided to HR for inclusion in the standard policies/plan
library.

4 Context
The occurrence of Information Technology (IT) incidents involving Company's
networks and infrastructure can have a significant impact on Company
operations, services delivered to customers and, consequently, confidence in
Company. The ability to detect and respond to incidents in a coordinated and
consistent fashion is essential to maintaining Company operations and
services and to ensuring the confidentiality, integrity and availability of
Company's information and IT assets.
The Company Information Technology Incident Management Plan provides an
operational framework for the management of IT security incidents and
events that could have or have had an impact on Company information
technology infrastructure.

4.1 Objectives
The following are the objectives of this plan:
- Enhanced situational awareness across the Company;
- Improved coordination and incident management planning within the
  Company;
- Timely resolution of incidents that affect Company services and
  operations;
- Informed decision making and associated incident mitigation and
  response;
- A shared sense of responsibility and partnership among the Company
  IT and customers' Information Technology Security areas;
- Improved shared Company knowledge and expertise;
- Enhanced confidence in Company.

4.2 Assumptions
The following assumptions were made during the development of this Plan:
- Current mandates and responsibilities will be respected;
- IT security incidents related to the disclosure of personal information or
  private communications will follow the established privacy procedures
  required by the applicable country's law;
- In addition, if the incident is considered a crime, particulars should be
  reported to the country's law enforcement agency as applicable.

5 Governance Model
During a serious incident, the timely engagement of senior management is
key to a strong and effective response. The governance model of the IMP
identifies the senior management committees and managers who will be
engaged when severity and trigger criteria are met.
Guidance provided by the committees and managers of the IMP governance
structure will cover both short- and long-term activities for more serious
incidents. Short-term activities are event-driven and are carried out during
the mitigation of a threat or vulnerability or the response to or recovery from
an incident. These activities require a prompt and coherent response. Longer-term activities involve post incident analysis and lessons learned, which will
allow the IT Management to provide longer-term strategic leadership,
direction, and governance related to security and IT respectively.
The engagement of the following committees and officials will be based on
the circumstances and gravity of each situation. <to be completed>

6 Incident Management Process
The incident management process will consist of the following five defined
stages (see Figure 1): the stages "preparation" and "identification" are
integral components to an effective incident management plan that must be
in place and kept up to date to be properly prepared for managing an
incident. The other three stages, "response", "recovery" and "post incident
analysis" will be the focus of the governing structure.

Figure 1: Stages of Incident Management Process

The responsibilities of departments related to the incident management process
are documented for each of the stages in the following sections. A summary
of responsibilities for all stages of the incident management process is
provided in Appendix B.

6.1 Preparation
The preparation stage involves incident handling planning and training
activities designed to provide adequate capabilities to prevent and detect
incidents.
At a minimum:
1. Develop and practice incident handling planning and training
activities and exercises to enable identification and effective response
2. Ensure the response plan and communications procedures are well
known and easily accessible to all involved personnel, and reviewed
and updated (as required) both periodically and following an incident.
3. Identify critical systems (Business and Operations) to better identify
injury and impact levels when reporting an event or incident.
4. Integrate the processes of the IMP into the Office Security, Business
Continuity and IT contingency plans.
5. Ensure awareness and response training is available to all
employees commensurate with the current and emergent threat
landscape.
6. Ensure provision of appropriate training and awareness of incident
identification, incident management policy, and procedures to IT staff,
so that all individuals involved understand their role and
responsibilities related to incidents.
7. Ensure that standard measures are defined in advance for rapid
implementation as required.
8. Monitor and manage software, hardware and firmware configurations,
including version numbers and patch levels, in a departmental
database to ensure that departments are able to identify vulnerabilities
and act accordingly.
9. Take reasonable measures to ensure the preservation and protection
of evidence (see Appendix C).

6.2 Identification
The identification stage consists of the detection of an event suspected of
being an IT security incident, advising Information Technology
representatives for the affected systems (who will perform the initial
assessment to determine if it is an actual incident), and determining the
impact, severity, and probable cause of the suspected incident.
As a minimum, Offices will:
1. Carry out monitoring and intrusion detection activities (e.g. track
and analyze threats, vulnerabilities and events via logs from various
sources such as firewalls or Intrusion Detection Systems, which may
affect IT systems). This should also include a proactive vulnerability
management process using standard frameworks such as the National
Institute of Standards and Technology's Common Vulnerability Scoring
System;
2. Once it is determined that an event has the potential to be, or has been
confirmed to be, an incident, send an initial incident report using OTRS
and, when further information becomes available, submit an updated
incident report;
3. Preserve evidence as outlined in Appendix C.
The incident information must be reported to the OTRS no later than one (1)
hour after the detection of an incident. The OTRS tool should be used to
report the incident. In the incident report, reporter must assign a level of
injury and impact severity. Appendix D should be used as a guideline to
categorize the level.
If relevant, affected offices should attempt to correlate multiple incident
reports to identify those that are related to a single incident.

If the IT security area notifies an office of a significant event, offices will be
requested to confirm whether the event is in fact an incident. Offices then must
respond by reporting the incident using the OTRS tool.
The IT security area may trigger the Incident Management process if they
detect an incident involving one or more offices.
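The two checks this section asks offices to perform, whether the initial report reached the IT Department within one hour of detection and whether several reports describe one underlying incident, can be applied mechanically to an export of ticket data. The Python below is an added example and is not part of the plan or of OTRS: the record fields (detected, reported, indicators), the office names, the host names and addresses, and the four sample reports are all constructed for illustration, and the script works on records already exported from the ticketing system rather than querying OTRS.

```python
"""Report-timeliness check and incident correlation for section 6.2.

Added example, not part of the plan. The record layout and the sample
reports below are constructed; they stand in for data exported from OTRS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Maximum allowed delay between detection and the initial report (section 6.2).
REPORT_DEADLINE = timedelta(hours=1)

# Constructed sample reports (assumed field names, not the OTRS schema).
# "indicators" holds the hosts or addresses each report names.
SAMPLE_REPORTS = [
    {"id": "R1", "office": "Office A", "detected": "2015-03-31T09:00:00",
     "reported": "2015-03-31T09:40:00", "indicators": {"ws-0117", "198.51.100.7"}},
    {"id": "R2", "office": "Office B", "detected": "2015-03-31T09:10:00",
     "reported": "2015-03-31T10:30:00", "indicators": {"198.51.100.7", "mail-01"}},
    {"id": "R3", "office": "Office B", "detected": "2015-03-31T11:00:00",
     "reported": "2015-03-31T11:20:00", "indicators": {"ws-0442"}},
    {"id": "R4", "office": "Office A", "detected": "2015-03-31T11:05:00",
     "reported": "2015-03-31T11:50:00", "indicators": {"mail-01"}},
]


def _ts(value):
    return datetime.fromisoformat(value)


def report_delay(report):
    """Time between detection and the initial report."""
    return _ts(report["reported"]) - _ts(report["detected"])


def late_reports(reports, deadline=REPORT_DEADLINE):
    """Ids of reports filed later than the one-hour requirement."""
    return [r["id"] for r in reports if report_delay(r) > deadline]


def correlate(reports):
    """Group reports that share at least one indicator, transitively.

    R1 and R2 share an address and R2 and R4 share a host, so R1, R2 and R4
    form one candidate incident even though R1 and R4 share nothing directly.
    Union-find keeps the grouping linear in the number of indicators.
    """
    parent = {r["id"]: r["id"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # indicator -> first report id that mentioned it
    for r in reports:
        for indicator in r["indicators"]:
            if indicator in first_seen:
                union(r["id"], first_seen[indicator])
            else:
                first_seen[indicator] = r["id"]

    groups = defaultdict(list)
    for r in reports:
        groups[find(r["id"])].append(r["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("late reports:", late_reports(SAMPLE_REPORTS))
    for group in correlate(SAMPLE_REPORTS):
        print("candidate incident:", ", ".join(group))
```

On the sample data, R2 is the only late report (80 minutes from detection to report), and the correlation step yields two candidate incidents, one spanning R1, R2 and R4 and one consisting of R3 alone. Late reports are worth flagging in the post-incident analysis of section 6.5, since a late initial report usually points at a reporting-path problem rather than at the reporter.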

Categorization
The affected office shall assign a category to the confirmed or suspected
incident using the chart provided in Appendix D.

Prioritization
Affected offices shall prioritize based on the incident's potential impact.
Impact is the effect of the incident on the organization's objectives and
mission, based on the following factors:
- Technical impact (current and future): the current negative effects of
  the incident and likely future effects. For example, malware spreading
  within one regional office has an immediate local impact, but if the
  malware spreads across the Company it could affect operations
  throughout the organization; and
- Criticality of affected resources: the criticality of the information
  system (IS) resources that are or could be affected by the incident.
  Critical systems have been identified through the Business Impact
  Assessments and other business continuity activities.

6.3 Response
Once an event is received from an affected office, partner, or customer, the
Incident Response Team (IRT) will send an acknowledgment of receipt. If it
is determined to be an incident, the IRT will assess the information received
to determine whether the incident is of an IT or cyber nature, provide
appropriate mitigation advice and guidance to the affected office(s), and
alert other offices of the threat and how to protect against it. If the incident is
of a cyber-security nature, the IRT will also provide this information to IT
security for analysis. The IRT will also provide a summary of incidents on a
regular basis for situational awareness.


Based on the incident categorization (Appendix D), the incident will be
handled as indicated below.
If deemed low risk:
- The information will be logged and the circumstances monitored as an
  integral part of situational awareness. It will also be reviewed against
  previous events (even those deemed low risk).
If deemed medium to high risk:
- If the incident is deemed to be non-cyber in nature, the information will
  be provided to the management team for review and action if warranted.
- The information will be provided to IT security so as to ensure that the
  management of security incidents is effectively coordinated within offices.
- The information will be passed to the business unit for an assessment. If
  an investigation is deemed necessary, the country's law enforcement agency
  will be informed immediately.
- If an incident has implications for a customer, the information will be
  passed to the corresponding partner so the customer can be informed
  immediately.
- While an investigation is ongoing, the investigating party may provide
  information to the IRT and/or the Cyber Response Unit (CRU) for mitigation
  purposes.
- The CRU will proceed according to standard operating procedures.
The CRU's main goal is to provide mitigation advice to the affected office(s)
and to alert other offices of the threat and how to protect against it.
If containment cannot be achieved at the office level, the IRT will lead the
containment effort as per established procedures.
At any time offices may update their incident report to provide additional
information to the IRT or to request further mitigation advice.

Threat and vulnerability events will be escalated by the IRT to the CRU when
there is a high risk to Company.
The Management Team is the decision-making group that is convened to
advise and intervene when attempts to restore services have not produced
expected results or when no action taken/conceived can provide for the
continuity of operations and rapid recovery of services. The Management
Team has the authority to make important decisions necessary in a crisis:
activation of a disaster recovery service, approval of special budgets, etc. In
addition, if mitigation requires additional resources, the Management Team
will be called upon to review the CRU's action plan and act accordingly.

6.4 Recovery
Most incidents will require recovery actions to restore systems and services
to normal operations and preventative actions to avoid recurrence. Recovery
actions may include restoration of systems from original media or images,
installation of patches and immediate mitigation actions to prevent
reoccurrence. System/service recovery should be conducted in a manner
that preserves the integrity of the system to assist with an in-depth
analysis/investigation of the incident.
The recovery process should align with internal processes such as: Incident
Management, Problem Management, Change Management, Configuration
Management, and Release Management.
Prior to reconnecting affected systems or restoring services, incident
handlers shall ensure that reinstating the system or service will not result in
another incident.
As a minimum, offices will:
1. Respond to IRT electronic information products as requested
(cyber flashes, RFIs, etc.);
2. Insofar as possible, implement any relevant mitigating measures
as recommended / mandated by the IRT, IT security or IT Management;
3. Provide situation report updates during the incident phases and
provide a final notification to the IRT when normal operations have
resumed, to close the OTRS ticket.

6.5 Post Incident Analysis
Post-incident analysis is vital for learning and continuously improving
Company safeguards and response plans and procedures. Reviewing the
incident, recording lessons learned, recommending changes in processes and
procedures, and developing long-term capability improvement solutions are
crucial for a successful preparation phase.
For every major incident that occurs:
Offices will perform a post incident analysis, which summarizes the impact
of the incident and identifies:
- safeguard deficiencies;
- measures to prevent similar incidents;
- measures to reduce the impact of a recurrence;
- improvements to incident-handling procedures and related policies;
- a review of the preparation phase in terms of the response to the
  incident; and
- lessons learned.
Affected offices will provide the IRT a post-incident summary report.
IT management will close the post-incident analysis phase of the IT IMP based
on the implementation of mitigating measures and actions.
For multi-office incidents, IT management will lead the post-incident
analysis and will lead implementation of identified changes / improvements.

7 Office Roles and Responsibilities
This section identifies roles and responsibilities within offices relevant to the
IT IMP.
The IT Security Officer (ITSO) is responsible for:
- Establishing reporting requirements for IT security incidents that align
  with the requirements established in the IT IMP as part of a coordinated
  approach to the management of office security incidents.
The IT Security Coordinator is responsible for:
- Ensuring that effective processes for the management of IT security
  incidents are developed, documented, approved, promulgated and
  implemented within the department, and that the effectiveness of
  these processes is monitored; and
- Reporting on detected IT security incidents in accordance with the
  requirements established by the ITSO.
Security practitioners and operational IT staff are responsible for:
- Responding to IT security incidents in accordance with the processes
  and procedures established by the department.
All office employees are responsible for:
- Reporting real or suspected IT security incidents or other suspicious
  activity to office managers, in accordance with the processes and
  procedures established by Company.

Appendix A Definitions
Cyber Incident
A deliberate IT incident that is state-sponsored or is utilizing a non-publicly
known exploit.
Event
An event is an observable change to the normal behavior of a system,
environment, process, workflow or person. An event can feed into an incident,
but the opposite is not true.
Incident Handler
The person appointed or responsible to lead all stages of incident handling.
The incident handler will be the contact person throughout the incident life
cycle.
IT Incidents
Incidents are understood to be any event or collection of events which may
affect the confidentiality, integrity, or availability of an information system,
including its components, or an event or collection of events which may violate
information system policies or the law. Incidents can originate internally or
externally and can be caused deliberately or accidentally. Incidents include
privacy breaches, which are any collection, use, disclosure, access, disposal, or
storage of personal/customer information, whether accidental or deliberate,
that is not authorized.

Appendix B Summary of Office Obligations
- Offices will develop and practice incident handling training activities and
  exercises to enable identification and effective response.
- Offices will ensure the response plan and communications procedures are
  well known and easily accessible to all IT personnel, and reviewed and
  updated (as required) both periodically and following an incident.
- Offices will identify their critical systems (Business and Operations) to
  better identify injury and impact levels when reporting an event or incident.
- Offices will integrate the processes of the IMP into their office Security,
  Business Continuity and IT contingency plans.
- Offices will ensure awareness and response training is available to all
  employees commensurate with the current and emergent threat landscape.
- Offices will ensure provision of appropriate training and awareness of
  incident identification, incident management policy, and procedures to IT
  staff, so that all individuals involved understand their role and responsibilities
  related to incidents.
- Offices will ensure that standard measures are defined in advance for rapid
  implementation as required.
- Offices will monitor and manage software, hardware and firmware
  configurations, including version numbers and patch levels, in a database to
  ensure that they are able to identify vulnerabilities and act accordingly.
- Offices will take reasonable measures to ensure the preservation and
  protection of evidence (see Appendix C).
- Offices will carry out monitoring and intrusion detection activities (e.g.
  track and analyze threats, vulnerabilities and events via logs from various
  sources such as firewalls or Intrusion Detection Systems). This should also
  include a proactive vulnerability management process using standard
  frameworks such as the National Institute of Standards and Technology's
  Common Vulnerability Scoring System.
- Offices will contact IT for assistance in characterizing potentially suspicious
  events.
- Offices will, once it is determined that an event has the potential to be, or has
  been confirmed to be, an incident, file an initial incident report using OTRS
  and, when further information becomes available, add the information to the
  incident report.
- Offices will provide situation report updates during the incident phases and
  provide a final notification to the IRT when normal operations have resumed.
  After normal operations have resumed, the incident must be closed in OTRS.
- Offices will perform a post-incident analysis, which summarizes the impact of
  the incident and identifies:
  - safeguard deficiencies;
  - measures to prevent similar incidents;
  - measures to reduce the impact of a recurrence;
  - improvements to incident-handling procedures and related policies;
  - a review of the preparation phase in terms of the response to the incident;
    and
  - lessons learned.
- Affected offices will provide a post-incident summary report.

Appendix C Evidence Preservation
The following is an overview of basic evidence preservation for IT personnel.
Step 1:
When an incident has been identified, the incident handlers must:
- Ensure that the affected machine(s) is no longer accessible to non-authorized
  personnel (i.e. only accessible to incident handlers, to preserve the
  chain of custody).
- Ensure that no attempts are made to explore the content of the affected
  machine(s) or to recover data from it.
The incident handlers must also document:
- When was the incident discovered?
- How was the incident discovered?
- Who discovered the incident?
Step 2:
The incident handler needs to preserve the evidence by taking the following
actions:
- Ensure that the affected machine(s) remains in a live state so that
  the live memory can be collected.
- Record all processes running on the affected machine(s).
- Record all physical connections from the affected machine(s) to all
  other devices.
- Record all IP addresses and wireless connections to and from the
  affected machine(s) across the network.
- Preserve all traffic logs (firewall, IDS, IPS, HIDS, etc.) to and from the
  affected machine(s) across the network.
- When disconnecting the affected machine(s) from the network,
  carefully monitor processes to ensure that the hard drive is not being
  erased. If information is being deleted, immediately turn off the power.
Step 3:
After preserving the network logs and protecting the evidentiary chain of
custody, the incident handlers should take the following actions:
- Keep a record of all actions relating to the collection, preservation, access,
  storage and/or transfer of digital evidence.
- Prepare a network diagram with the IP addresses of all the affected
  machine(s) and all other relevant network nodes.
- Prepare, date and sign detailed notes on all actions taken during the
  course of the incident response.
- Communicate all observations made and actions taken to law
  enforcement investigators.
Incident handlers must ensure that they have the legal authority to
collect and preserve all information gathered during the incident
response process. They are also responsible for all actions taken
with respect to digital evidence.
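The record of actions that Step 3 requires is only useful if it can later be shown to be complete and unaltered. The following Python is an added example, not part of the plan: it keeps an append-only chain-of-custody log in which every entry carries the SHA-256 of the entry before it, so a later edit, deletion or reordering is detected when the log is verified, and it stores the SHA-256 of each collected artifact (process list, connection list, memory capture) next to the action that collected it. The entry layout, the hash chaining, the handler names, the host name and the artifact bytes are all this example's own constructions.

```python
"""Chain-of-custody record for evidence handling (Appendix C, Steps 1 to 3).

Added example, not part of the plan. Record layout, hash chaining and the
sample entries are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # link value carried by the first entry (no predecessor)


def fingerprint(data: bytes) -> str:
    """SHA-256 of a collected artifact (memory capture, log export, ...)."""
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    """Hash of an entry's content, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only record of every collection, access, storage or transfer action."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, item, artifact=None, when=None):
        """Append one action and return the new entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,  # discovered / isolated / collected / stored / transferred
            "item": item,
            "artifact_sha256": fingerprint(artifact) if artifact is not None else None,
            "prev": prev,  # hash of the previous entry: this is the chain link
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if every hash and link holds, else (False, failing seq)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None


def sample_log():
    """A constructed log that follows the three steps of Appendix C."""
    t0 = datetime(2015, 3, 31, 9, 0, tzinfo=timezone.utc)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    log = CustodyLog()
    # Step 1: when / how / who, and isolation from non-authorized personnel
    log.record("handler A", "discovered", "ws-0117: IDS alert, seen by operator B", when=at(0))
    log.record("handler A", "isolated", "ws-0117 access restricted to incident handlers", when=at(5))
    # Step 2: volatile data captured while the machine is still live (constructed bytes)
    log.record("handler A", "collected", "ws-0117 running process list",
               artifact=b"PID 412 svchost\nPID 988 notepad\n", when=at(12))
    log.record("handler A", "collected", "ws-0117 network connections",
               artifact=b"198.51.100.7:443 <- 10.0.0.17:51022\n", when=at(14))
    log.record("handler A", "stored", "firewall/IDS logs for 10.0.0.17 copied to evidence share", when=at(30))
    # Step 3: hand-over to investigators, dated and attributed
    log.record("handler A", "transferred", "evidence set ws-0117 to law enforcement liaison", when=at(120))
    return log


if __name__ == "__main__":
    log = sample_log()
    print(json.dumps(log.entries, indent=1))
    print("verify:", log.verify())
```

Verification walks the entries in order and stops at the first one whose link or content hash no longer matches, so the returned sequence number tells the handler where the record was disturbed. The chain proves integrity of the log itself; the signed and dated notes the appendix calls for remain the authority on who did what, and the log's hashes are what those notes should reference.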

Appendix D Incident Categorization
Step 1: Define the injury level and sector with the guide below.

Sector                        | Low                            | Medium                        | High
------------------------------|--------------------------------|-------------------------------|-------------------------------
Image and customer confidence | Limited or no loss of image or | Moderate loss of image or     | Significant loss of image or
with Company                  | negative impact on Company     | negative impact on Company    | negative impact on Company
                              | reputation                     | reputation                    | reputation
Infrastructure / Provision of | Limited or no negative effect  | Moderate negative effect on   | Significant negative effect
Services                      | on critical infrastructure or  | critical infrastructure or    | on critical infrastructure or
                              | provision of services          | provision of services         | provision of services
Productivity / Financial      | Limited or no negative effect  | Moderate negative effect on   | Significant negative effect
                              | on productivity or finances    | productivity or finances      | on productivity or finances

Step 2: Define the Impact of the Incident with the guide below.

Impact Level | Description
-------------|------------------------------------------------------------------------
Low          | Impacts a single workstation, mobile / portable device
             | Incident impacts 1-4% of users
             | Unclassified information impacted
Medium       | Impacts one server or an administrator account is involved
             | Impacts many (10+) workstations, mobile / portable devices (or one of a
             | high profile manager)
             | Incident impacts 5-9% of users
             | Protected or confidential information impacted
High         | Impacts infrastructure device such as a router
             | Impacts two or more servers (or one E-mail server)
             | Incident impacts 10% or more of users
             | Critical information impacted (to be reported via secure methods only)
             | Privacy breach
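The two steps of this appendix, and the low versus medium-to-high routing of section 6.3 that depends on them, can be encoded so that every reporter applies the same thresholds. The Python below is an added example, not part of the plan: the incident field names, the rule that the highest level whose criteria are met wins, the treatment of the gaps the appendix leaves open (2 to 9 affected workstations, percentages between the bands), the combination of injury and impact into a single risk, and the six sample incidents are all this example's own assumptions and are marked as such in the code.

```python
"""Appendix D as code: injury level per sector, impact level, 6.3 routing.

Added example, not part of the plan. Field names, tie-breaking and the
handling of cases the appendix does not rate are assumptions (see comments).
"""

# Step 1 wording, identical across the three sectors, mapped to a level.
_INJURY_WORDING = {
    "none": "Low", "limited": "Low",
    "moderate": "Medium",
    "significant": "High",
}

SECTORS = ("image_and_confidence", "infrastructure_services", "productivity_financial")
LEVEL_ORDER = ("Low", "Medium", "High")


def injury_levels(image, infrastructure, productivity):
    """Step 1: injury level per sector from the assessed degree of loss/effect.

    Each argument is one of "none", "limited", "moderate" or "significant".
    """
    assessed = dict(zip(SECTORS, (image, infrastructure, productivity)))
    levels = {}
    for sector, wording in assessed.items():
        try:
            levels[sector] = _INJURY_WORDING[wording.strip().lower()]
        except KeyError:
            raise ValueError(f"{sector}: unknown injury wording {wording!r}") from None
    return levels


def impact_level(inc):
    """Step 2: the highest impact level whose criteria are met.

    `inc` describes the incident (assumed field names): servers, workstations
    (ints); user_pct (percentage of users affected); information
    ("unclassified", "protected", "confidential" or "critical"); and booleans
    infrastructure_device, email_server, admin_account, high_profile_user,
    privacy_breach. Missing fields mean "not affected".
    """
    servers = inc.get("servers", 0)
    workstations = inc.get("workstations", 0)
    user_pct = inc.get("user_pct", 0.0)
    information = inc.get("information", "unclassified").lower()

    # High criteria are checked first so that any single one of them dominates.
    if (inc.get("infrastructure_device", False)
            or servers >= 2
            or inc.get("email_server", False)
            or user_pct >= 10
            or information == "critical"
            or inc.get("privacy_breach", False)):
        return "High"

    # Medium criteria. Assumption: 2-9 workstations are not "many (10+)" and,
    # on their own, stay Low; the appendix does not rate that range. Likewise a
    # percentage below 5 falls into the Low band.
    if (servers == 1
            or inc.get("admin_account", False)
            or workstations >= 10
            or inc.get("high_profile_user", False)
            or 5 <= user_pct < 10
            or information in ("protected", "confidential")):
        return "Medium"

    return "Low"


def categorize(inc, image="limited", infrastructure="limited", productivity="limited"):
    """Both steps together, plus the routing decision of section 6.3.

    Assumption: the risk that 6.3 splits into "low" and "medium to high" is the
    highest of the three injury levels and the impact level; the plan itself
    does not state how the two steps combine.
    """
    injury = injury_levels(image, infrastructure, productivity)
    impact = impact_level(inc)
    risk = max([impact, *injury.values()], key=LEVEL_ORDER.index)
    return {
        "injury": injury,
        "impact": impact,
        "risk": risk,
        "handling": "log and monitor" if risk == "Low" else "escalate per section 6.3",
    }


# Constructed sample incidents (not real events).
SAMPLES = {
    "malware on one laptop": {"workstations": 1, "user_pct": 2, "information": "unclassified"},
    "admin account misuse": {"admin_account": True, "information": "confidential"},
    "core router outage": {"infrastructure_device": True},
    "lost laptop with customer data": {"workstations": 1, "privacy_breach": True},
    "worm on 12 desktops": {"workstations": 12, "user_pct": 6},
    "mail server compromised": {"servers": 1, "email_server": True},
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(f"{name:32s} impact={impact_level(inc)}")
    print(categorize(SAMPLES["core router outage"], infrastructure="significant"))
```

The lost-laptop case is the instructive one: a single workstation would be Low on the device criterion alone, but the privacy-breach row makes it High, which is why the High criteria are evaluated before the others rather than scoring each row and averaging. Any wording outside the four gradations of the Step 1 table is rejected rather than silently mapped to Low, so a reporter cannot under-rate an incident by typing a term the table does not define.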

Appendix E Incident Report Template
For assistance filing an Incident Report using OTRS contact the local IT
department.
