Contents
1 Document Revision Control
2 Effective Date
3 Introduction
  3.1 Purpose
  3.2 Scope
  3.3 Reporting
  3.4 Communication
4 Context
  4.1 Objectives
  4.2 Assumptions
5 Governance Model
6 Incident Management Process
  6.1 Preparation
  6.2 Identification
    Categorization
    Prioritization
  6.3 Response
  6.4 Recovery
  6.5 Post Incident Analysis
7 Office Roles and Responsibilities
Appendix A Definitions
Appendix B Summary of Office Obligations
Appendix C Evidence Preservation
  Step 1
  Step 2
  Step 3
Appendix D Incident Categorization
Appendix E Incident Report Template
1 Document Revision Control
Revision 0.1, dated 3/30/2015, changes made by (Name): Initial Version.
2 Effective Date
This plan takes effect on March 31, 2015. It will be reviewed on a yearly basis
and modified as appropriate.
3 Introduction
3.1 Purpose
This document delineates the policies and procedures for Information
Technology Incident Management, as well as the Company's process-level plans
for managing incidents on critical technology platforms and the
telecommunications infrastructure. Our mission is to ensure information
system uptime, data integrity and availability, and business continuity.
3.2 Scope
This Plan applies to all Company offices and subsidiaries subject to the
Policy and addresses:
3.3 Reporting
This version of the plan requires employees, departments and offices to report
IT incidents to the IT Department using the OTRS tool, or by any other
communication method when OTRS cannot be accessed.
3.4 Communication
The IT incident management departmental operating procedures referenced
herein will be provided to HR for inclusion in the standard policies/plan
library.
4 Context
The occurrence of Information Technology (IT) incidents involving the Company's
networks and infrastructure can have a significant impact on Company
operations, on services delivered to customers and, consequently, on confidence
in the Company. The ability to detect and respond to incidents in a coordinated
and consistent fashion is essential to maintaining Company operations and
services and to ensuring the confidentiality, integrity and availability of
the Company's information and IT assets.
The Company Information Technology Incident Management Plan provides an
operational framework for the management of IT security incidents and
4.1 Objectives
The following are the objectives of this plan.
Enhanced situational awareness across the Company;
4.2 Assumptions
The following assumptions were made during the development of
this Plan:
Current mandates and responsibilities will be respected;
IT security incidents related to the disclosure of personal information or
private communications will follow established privacy procedures
according to the applicable country law;
In addition, if the incident is considered a crime, particulars should be
reported to the country's law enforcement agency as applicable.
5 Governance Model
During a serious incident, the timely engagement of senior management is
key to a strong and effective response. The governance model of the IMP
identifies the senior management committees and managers who will be
engaged when severity and trigger criteria are met.
Guidance provided by the committees and managers of the IMP governance
structure will cover both short- and long-term activities for more serious
incidents. Short-term activities are event-driven and are carried out during
the mitigation of a threat or vulnerability or the response to or recovery from
an incident. These activities require a prompt and coherent response.
Longer-term activities involve post-incident analysis and lessons learned,
which will allow IT Management to provide longer-term strategic leadership,
direction, and governance related to security and IT respectively.
The engagement of the following committees and officials will be based on
the circumstances and gravity of each situation. <to be completed>
6 Incident Management Process
The incident management process will consist of the following five defined
stages (see Figure 1): the stages "preparation" and "identification" are
integral components to an effective incident management plan that must be
in place and kept up to date to be properly prepared for managing an
incident. The other three stages, "response", "recovery" and "post incident
analysis" will be the focus of the governing structure.
6.1 Preparation
The preparation stage involves incident handling planning and training
activities designed to provide adequate capabilities to prevent and detect
incidents.
At a minimum:
1. Develop and practice incident handling planning and training
activities and exercises to enable identification and effective response.
2. Ensure the response plan and communications procedures are well
known and easily accessible to all involved personnel, and reviewed
and updated (as required) both periodically and following an incident.
3. Identify critical systems (Business and Operations) to better identify
injury and impact levels when reporting an event or incident.
4. Integrate the processes of the IMP into the Office Security, Business
Continuity and IT contingency plans.
5. Ensure awareness and response training is available to all
employees commensurate with the current and emergent threat
landscape.
6. Ensure provision of appropriate training and awareness of incident
identification, incident management policy, and procedures to IT staff,
so that all individuals involved understand their role and
responsibilities related to incidents.
7. Ensure that standard measures are defined in advance for rapid
implementation as required.
8. Monitor and manage software, hardware and firmware configurations,
including version numbers and patch levels, in a departmental
database to ensure that departments are able to identify vulnerabilities
and act accordingly.
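The configuration and patch-level tracking in item 8 can be turned into an automated check. The following Python script is an added example, not tooling from the plan or the Company: it matches an inventory of installed versions against advisories that name the first fixed version, comparing versions numerically so that a version such as 11.0.2 is not mistaken for being older than 3.1.5. All host names, product names, versions and advisory ids are constructed placeholders.

```python
"""Configuration and patch-level inventory check.

Added example for Preparation item 8; not the plan's or the Company's own tooling.
An inventory of installed versions is matched against advisories that name the
first fixed version, so the departmental database can answer "which hosts are
still exposed?". Hosts, products, versions and advisory ids below are constructed
placeholders, not real software or real vulnerability identifiers.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.2.10' -> (4, 2, 10). Numeric tuples compare correctly; strings do not
    ('11.0.2' < '3.1.5' is True as text but False as a version)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed version.
    Shorter versions are zero-padded so that '3.1' equals '3.1.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed inventory: host -> {product: installed version / patch level}
INVENTORY: Dict[str, Dict[str, str]] = {
    "fileserver-01": {"ExampleFTPd": "3.1.4", "ExampleFirmware": "2.0.9"},
    "workstation-17": {"ExampleViewer": "11.0.2"},
    "firewall-edge": {"ExampleFirmware": "2.1.0"},
}

# Constructed advisories: the product and the first version that carries the fix.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-001", "product": "ExampleFTPd", "fixed_in": "3.1.5"},
    {"id": "ADV-PLACEHOLDER-002", "product": "ExampleFirmware", "fixed_in": "2.1.0"},
    {"id": "ADV-PLACEHOLDER-003", "product": "ExampleViewer", "fixed_in": "11.0.2"},
]


def find_exposed(inventory: Dict[str, Dict[str, str]],
                 advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per (host, advisory) where the installed version is below the
    fixed version. Sorted by host so the output is stable for reporting."""
    findings = []
    for host, products in sorted(inventory.items()):
        for adv in advisories:
            installed = products.get(adv["product"])
            if installed is not None and is_affected(installed, adv["fixed_in"]):
                findings.append({
                    "host": host,
                    "product": adv["product"],
                    "installed": installed,
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                })
    return findings


if __name__ == "__main__":
    for f in find_exposed(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} "
              f"(fixed in {f['fixed_in']}, {f['advisory']})")
```

Run against the constructed data, only fileserver-01 is reported (two advisories); the firewall is already on the fixed firmware and the workstation viewer is exactly at the fixed version, which the numeric comparison treats as not affected.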
6.2 Identification
The identification stage consists of the detection of an event suspected of
being an IT security incident, advising Information Technology
representatives for the affected systems (who will perform the initial
assessment to determine if it is an actual incident), and determining the
impact, severity, and probable cause of the suspected incident.
As a minimum, Offices will:
1. Carry out monitoring and intrusion detection activities (e.g. track
and analyze threats, vulnerabilities, events via logs from various
sources such as firewalls or Intrusion Detection Systems, which may
affect IT systems). This should also include a proactive vulnerability
management process using standard frameworks such as the National
Institute of Standards and Technology's Common Vulnerability Scoring
System;
2. Once an event is determined to have the potential to be, or is confirmed
as, an incident, send an initial incident report using OTRS and, when
further information becomes available, submit an updated incident report;
3. Preserve evidence as outlined in Appendix C.
The incident must be reported in OTRS no later than one (1) hour after its
detection. In the incident report, the reporter must assign a level of
injury and impact severity, using Appendix D as a guideline to categorize
the level.
If relevant, affected offices should attempt to correlate multiple incident
reports to identify those that are related to a single incident.
Categorization
The affected office shall assign a category to the confirmed or suspected
incident using the chart provided in Appendix D.
Prioritization
Affected offices shall prioritize based on the incidents' potential impact.
Impact is the effect of the incident on the organization's objectives and
mission based on the following factors:
Technical impact (current and future): the current negative
effects of the incident and its likely future effects. For example, malware
spreading within one regional office has an immediate local impact, but
if the malware spreads across the Company, it could affect operations
throughout the organization; and
Criticality of affected resources: The criticality of the Information
system (IS) resources that are or could be affected by the incident.
Critical systems have been identified through the Business Impact
Assessments and other business continuity activities.
6.3 Response
Once an event is received from an affected office, partner, or customer, the
Incident Response Team (IRT) will send an acknowledgment of receipt. If it
is determined to be an incident, the IRT will assess the information received
to determine whether the incident is of an IT or cyber nature, provide
appropriate mitigation advice and guidance to the affected office(s), and
alert other offices of the threat and how to protect against it. If the incident
is of a cyber-security nature, the IRT will also provide this information to IT
security for analysis. The IRT will also provide a summary of incidents on a
Threat and vulnerability events will be escalated by the IRT to the CRU when
there is a high risk to Company.
The Management Team is the decision-making group that is convened to
advise and intervene when attempts to restore services have not produced
expected results or when no action taken/conceived can provide for the
continuity of operations and rapid recovery of services. The Management
Team has the authority to make important decisions necessary in a crisis:
activation of a disaster recovery service, approval of special budgets, etc. In
addition, if mitigation requires additional resources, the Management Team
will be called upon to review the CRU's action plan and act accordingly.
6.4 Recovery
Most incidents will require recovery actions to restore systems and services
to normal operations and preventative actions to avoid recurrence. Recovery
actions may include restoration of systems from original media or images,
installation of patches and immediate mitigation actions to prevent
reoccurrence. System/service recovery should be conducted in a manner
that preserves the integrity of the system to assist with an in-depth
analysis/investigation of the incident.
The recovery process should align with internal processes such as: Incident
Management, Problem Management, Change Management, Configuration
Management, and Release Management.
Prior to reconnecting affected systems or restoring services, incident
handlers shall ensure that reinstating the system or service will not result in
another incident.
As a minimum, offices will:
1. Respond to IRT electronic information products as requested
(Cyber flashes, RFI, etc.);
2. Insofar as possible, implement any relevant mitigating measures
as recommended / mandated by the IRT, IT security or IT Management;
3. Provide situation report updates during the incident phases and
provide a final notification to the IRT when normal operations have
resumed.
6.5 Post Incident Analysis
Post-incident analysis is vital for learning and for continuously improving
Company safeguards, response plans and procedures. Reviewing the incident,
recording lessons learned, recommending changes to processes and procedures,
and developing long-term capability improvements are crucial to a successful
preparation phase.
For every major incident that occurs:
Offices will perform a post-incident analysis, which summarizes the impact
of the incident and identifies:
safeguard deficiencies;
measures to prevent similar incidents;
measures to reduce the impact of a recurrence;
improvements to incident-handling procedures and related policies;
a review of the preparation phase in light of the response to the
incident; and
lessons learned.
Affected offices will provide the IRT a post-incident summary report.
IT management will close the post-incident analysis phase of the IT IMP based
on the implementation of mitigating measures and actions.
For multi-office incidents, IT management will lead post-incident
analysis and will lead implementation of identified changes / improvements.
7 Office Roles and Responsibilities
This section identifies roles and responsibilities within offices relevant to the
IT IMP.
The IT Security Officer is responsible for:
Appendix A Definitions
Cyber Incident
A deliberate IT incident that is state-sponsored or is utilizing a non-publicly
known exploit.
Event
An event is an observable change to the normal behavior of a system,
environment, process, workflow or person. An event can feed into an incident
but the opposite is not true.
Incident Handler
The person appointed or responsible to lead all stages of incident handling.
The incident handler will be the contact person throughout the incident life
cycle.
IT Incidents
Incidents are understood to be any event or collection of events which may
affect the confidentiality, integrity, or availability of an information system
including components, or an event or collection of events which may violate
information system policies or the law. Incidents can originate internally or
externally and can be caused deliberately or accidentally. Incidents include
privacy breaches, which are a collection, use, disclosure, access, disposal, or
storage of personal/customer information, whether accidental or deliberate,
that is not authorized.
Appendix B Summary of Office Obligations
Offices will develop and practice incident handling training activities and
exercises to enable identification and effective response.
Offices will ensure the response plan and communications procedures are
well known and easily accessible to all IT personnel, and reviewed and
updated (as required) both periodically and following an incident.
Offices will identify their critical systems (Business and Operations) to
better identify injury and impact levels when reporting an event or incident.
Offices will integrate the processes of the IMP into their office Security,
Business Continuity, IT contingency plans.
Offices will ensure awareness and response training is available to all
employees commensurate with the current and emergent threat landscape.
Offices will ensure provision of appropriate training and awareness of
incident identification, incident management policy, and procedures to IT
staff, so that all individuals involved understand their role and responsibilities
related to incidents.
Offices will ensure that standard measures are defined in advance for rapid
implementation as required.
Offices will monitor and manage software, hardware and firmware
configurations, including version numbers and patch levels, in a database to
ensure that they are able to identify vulnerabilities and act accordingly.
Offices will take reasonable measures to ensure the preservation and
protection of evidence (see Appendix C).
Offices will carry out monitoring and intrusion detection activities (e.g.
track and analyze threats, vulnerabilities, events via logs from various
sources such as firewalls or Intrusion Detection Systems). This should also
include a proactive vulnerability management process using standard
frameworks such as the National Institute of Standards and Technology's
Common Vulnerability Scoring System.
Offices will contact IT for assistance in characterizing potentially suspicious
events.
Offices will, once it is determined that an event has the potential or has
been confirmed to be an incident, fill an initial incident report using OTRS
and when further information becomes available, add the information to the
incident report.
Offices will provide situation report updates during the incident phases and
provide a final notification to the IRT when normal operations have resumed.
After normal operations have resumed, the incident must be closed in OTRS.
Offices will perform a post-incident analysis, which summarizes the impact of
the incident and identifies:
safeguard deficiencies;
measures to prevent similar incidents;
measures to reduce the impact of a recurrence;
improvements to incident-handling procedures and related policies;
a review of the preparation phase in light of the response to the incident;
and
lessons learned.
Affected offices will provide a post-incident summary report.
Appendix C Evidence Preservation
The following is an overview of basic evidence preservation for IT personnel.
Step 1:
When an incident has been identified, the incident handlers must:
Ensure that the affected machine(s) are no longer accessible to non-authorized
personnel (i.e. only accessible to incident handlers, preserving the
chain of custody).
Ensure that no attempts are made to explore the content of the affected
machine(s) or to recover data from it. The incident handlers must also
document:
When was the incident discovered?
How was the incident discovered?
Who discovered the incident?
Step 2
The incident handler needs to preserve the evidence by taking the following
actions:
Ensure that the affected machine(s) remains in a Live State so that
the live memory can be collected.
Record all processes running on the affected machine(s).
Record all physical connections from the affected machine(s) to all
other devices.
Record all IP addresses and wireless connections to and from the
affected machine(s) across the network.
Preserve all traffic logs (firewall, IDS, IPS, HIDS, etc.) to and from the
affected machine(s) across the network.
When disconnecting the affected machine(s) from the network,
carefully monitor processes to ensure that the hard drive is not being
erased. If information is being deleted, immediately turn off the power.
Step 3
After preserving the network logs and protecting the evidentiary chain of
custody, the incident handlers should take the following actions:
Record all actions relating to the collection, preservation, access,
storage and/or transfer of digital evidence.
Prepare a network diagram with the IP addresses of all the affected
machine(s) and all other relevant network nodes.
Prepare, date and sign detailed notes on all actions taken during the
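The records that steps 2 and 3 ask for (what was collected, by whom, when, and every later access, storage or transfer) are only useful as evidence if they cannot be quietly changed afterwards. The following Python module is an added example, not part of the plan or the Company's tooling: a hash-chained custody log in which each entry carries the SHA-256 of the artifact it describes and the hash of the previous entry, so that verify() pinpoints the first altered entry. The incident id, handler names and the captured process and connection listings are constructed sample data.

```python
"""Hash-chained chain-of-custody log for incident evidence.

Added example; not part of the Company plan or its tooling. Appendix C asks the
incident handlers to record every collection, preservation, access, storage or
transfer action and to capture the affected machines' volatile state (running
processes, connections). This log keeps those records tamper-evident: each entry
stores the SHA-256 of the artifact it describes and the hash of the previous
entry, so a later edit to any entry or artifact is detected by verify(). The
entry layout, field names and sample data are this example's own constructions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

ACTIONS = ("collect", "preserve", "access", "store", "transfer")  # Appendix C, step 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # previous-hash value carried by the first entry

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, action, artifact, data: bytes, handler, when=None) -> str:
        """Append one entry describing `action` on `artifact` (content `data`)."""
        if action not in ACTIONS:
            raise ValueError(f"unknown custody action: {action}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when.isoformat(),
            "handler": handler,
            "action": action,
            "artifact": artifact,
            "artifact_sha256": sha256_hex(data),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _entry_hash(entry) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._entry_hash(e):
                return False, i
            prev = e["hash"]
        return True, None

    def artifact_matches(self, artifact, data: bytes) -> bool:
        """True if `data` is byte-identical to a logged capture of `artifact`."""
        return any(e["artifact"] == artifact and e["artifact_sha256"] == sha256_hex(data)
                   for e in self.entries)


# Constructed volatile-data captures standing in for real process / connection output.
SAMPLE_PROCESSES = b"PID   USER  COMMAND\n1     root  /sbin/init\n2417  svc   /opt/app/server\n"
SAMPLE_CONNECTIONS = b"tcp  10.0.5.21:443  10.0.9.8:51322  ESTABLISHED  pid=2417\n"


def build_sample_log() -> CustodyLog:
    """Step 2 captures followed by step 3 storage/transfer, with fixed timestamps."""
    t0 = datetime(2015, 3, 31, 10, 15, tzinfo=timezone.utc)
    log = CustodyLog("INC-PLACEHOLDER-0001")
    log.record("collect", "processes.txt", SAMPLE_PROCESSES, "handler A", t0)
    log.record("collect", "connections.txt", SAMPLE_CONNECTIONS, "handler A", t0 + timedelta(minutes=2))
    log.record("store", "processes.txt", SAMPLE_PROCESSES, "handler A", t0 + timedelta(minutes=10))
    log.record("transfer", "processes.txt", SAMPLE_PROCESSES, "handler B", t0 + timedelta(hours=1))
    return log


def tamper_demo():
    """Edit a past entry without re-recording it; verify() reports the break."""
    log = build_sample_log()
    log.entries[1]["handler"] = "someone else"
    return log.verify()


if __name__ == "__main__":
    print("intact chain:", build_sample_log().verify())
    print("after edit:  ", tamper_demo())
```

The chain only proves that the log was not altered after the fact; it does not replace the dated and signed notes the plan requires, but it gives the handler a mechanical way to show that the copy presented later is the one originally recorded.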
Appendix D Incident Categorization
Step 1: Define the injury level and sector with the guide below.

Low
  Image and customer confidence with Company: Limited or no loss of image or negative impact on Company reputation.
  Infrastructure / Provision of Services: Limited or no negative effect on critical infrastructure or provision of services.
  Productivity / Financial: Limited or no negative effect on productivity or finances.
Medium
  Image and customer confidence with Company: Moderate loss of image or negative impact on Company reputation.
  Infrastructure / Provision of Services: Moderate negative effect on critical infrastructure or provision of services.
  Productivity / Financial: Moderate negative effect on productivity or finances.
High
  Image and customer confidence with Company: Significant loss of image or negative impact on Company reputation.
  Infrastructure / Provision of Services: Significant negative effect on critical infrastructure or provision of services.
  Productivity / Financial: Significant negative effect on productivity or finances.
Step 2: Define the Impact of the Incident with the guide below.
Impact Level Description
Low
High
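Appendix D and section 6.2 together define how a report is categorized, how quickly it must be filed, and how it is prioritized and correlated. The following Python module is an added example, not part of the plan or the Company's OTRS tooling, that turns those rules into checks a report can be run through before filing. Where the plan names factors without saying how they combine, the module makes an explicit assumption, flagged in the code: the worst sector injury level governs, and a P1..P3 priority is derived from injury, impact and whether a BIA-identified critical system is affected. The sample reports are constructed.

```python
"""Incident report triage helper (added example; not the plan's text or tooling).

Encodes the Appendix D injury chart with the section 6.2 rules: report within one
hour of detection, record who/how the incident was discovered (Appendix C, step 1),
prioritize by impact and criticality, and correlate reports that belong to one
incident. The combination rules (worst sector governs the overall injury level;
P1..P3 from injury, impact and criticality) are assumptions made for this example;
the plan itself only names the factors. Sample reports below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

INJURY_LEVELS = ("Low", "Medium", "High")                # Appendix D, step 1
IMPACT_LEVELS = ("Low", "High")                          # Appendix D, step 2
SECTORS = ("image", "infrastructure", "productivity")    # Appendix D sectors
REPORTING_DEADLINE = timedelta(hours=1)                  # section 6.2


@dataclass
class IncidentReport:
    report_id: str
    detected_at: datetime
    reported_at: datetime
    injury: dict                  # sector -> injury level
    impact: str                   # "Low" or "High"
    critical_system: bool         # resource identified as critical by the BIA
    discovered_by: str            # Appendix C, step 1
    discovered_how: str           # Appendix C, step 1
    indicators: frozenset = frozenset()   # constructed keys (hosts, hashes) for correlation


def overall_injury(injury: dict) -> str:
    """Worst sector governs (assumption for this example)."""
    return max(injury.values(), key=INJURY_LEVELS.index)


def validate(report: IncidentReport) -> list:
    """Defects that block filing in OTRS; an empty list means the report is complete."""
    problems = []
    for sector in SECTORS:
        if report.injury.get(sector) not in INJURY_LEVELS:
            problems.append(f"{sector}: injury level missing or not one of {INJURY_LEVELS}")
    if report.impact not in IMPACT_LEVELS:
        problems.append(f"impact level must be one of {IMPACT_LEVELS}")
    if report.reported_at - report.detected_at > REPORTING_DEADLINE:
        problems.append("reported more than one hour after detection")
    if not report.discovered_by or not report.discovered_how:
        problems.append("who and how the incident was discovered must be recorded")
    return problems


def priority(report: IncidentReport) -> str:
    """P1 is most urgent. Assumed rule combining injury, impact and criticality."""
    injury = overall_injury(report.injury)
    if injury == "High" or (report.critical_system and report.impact == "High"):
        return "P1"
    if injury == "Medium" or report.critical_system or report.impact == "High":
        return "P2"
    return "P3"


def correlate(reports) -> list:
    """Group reports sharing an indicator (transitively); each group is one probable incident."""
    groups = []                               # list of (indicator set, report-id set)
    for r in reports:
        inds, ids = set(r.indicators), {r.report_id}
        kept = []
        for g_inds, g_ids in groups:
            if g_inds & inds:                 # overlaps: fold the group into this one
                inds |= g_inds
                ids |= g_ids
            else:
                kept.append((g_inds, g_ids))
        groups = kept + [(inds, ids)]
    return sorted(sorted(ids) for _, ids in groups)


def triage(reports) -> dict:
    return {r.report_id: {"injury": overall_injury(r.injury), "priority": priority(r),
                          "problems": validate(r)} for r in reports}


def sample_reports() -> list:
    """Constructed reports, not taken from any real incident."""
    t0 = datetime(2015, 3, 31, 9, 0)
    return [
        IncidentReport("INC-1", t0, t0 + timedelta(minutes=20),
                       {"image": "Low", "infrastructure": "High", "productivity": "Medium"},
                       "High", True, "NOC analyst", "IDS alert", frozenset({"host-fs01"})),
        IncidentReport("INC-2", t0, t0 + timedelta(minutes=90),
                       {"image": "Low", "infrastructure": "Low", "productivity": "Low"},
                       "Low", False, "", "user call", frozenset({"host-ws17"})),
        IncidentReport("INC-3", t0 + timedelta(minutes=5), t0 + timedelta(minutes=30),
                       {"image": "Medium", "infrastructure": "Low", "productivity": "Low"},
                       "Low", False, "helpdesk", "user call", frozenset({"host-fs01", "host-ws42"})),
    ]


if __name__ == "__main__":
    for rid, result in triage(sample_reports()).items():
        print(rid, result)
    print("related reports:", correlate(sample_reports()))
```

On the constructed data INC-1 is complete and P1, INC-2 is flagged twice (filed 90 minutes after detection and missing the discoverer) and is P3, and INC-1 and INC-3 are grouped as one incident because they share an indicator, which is the correlation step section 6.2 asks affected offices to attempt.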
Appendix E Incident Report Template
For assistance filing an Incident Report using OTRS contact the local IT
department.