Item | Value |
Organization | Information Dynamics India |
Document Name | Incident Management Policy |
Classification | Internal |
Compliance Reference To: | ISO 27001:2013 and ISO 20000:2011 |
Date | Version | Prepared By |
1st November 2018 | 1.1 | Information Dynamics |
29th December 2019 | 1.2 | Information Dynamics |
24th December 2020 | 1.3 | Manivannan |
24th December 2021 | 1.4 | Deepak |
26th December 2022 | 1.5 | Deepak |
Reviewed By | Version | Date | Signature |
Soundar | 1.2 | 29th December 2019 | |
Soundar | 1.3 | 26th December 2020 | |
Soundar | 1.4 | 26th December 2021 | |
Soundar | 1.5 | 26th December 2022 |
An Incident Response Plan is required in order to bring needed resources together in an organized manner to deal with an adverse event related to the safety and security of Organization’s Business & Information Assets. This adverse event may be malicious code attack, unauthorized access to Organizational systems, unauthorized utilization of Organization services in denial of service attacks, general misuse of systems, or hoaxes.
The purpose of Incident Response Team is to:
Protect Organizational Information assets,
Provide a central organization to handle incidents
Comply with (government or other) regulations,
Prevent the use of Organizational system in attacks against other systems (which could cause us to incur legal liability),
Minimize the potential for negative exposure.
ISO 27001:2013 Domain Reference: A.16 – Information Security Incident Management
ISO 27001:2013 Reference | |
A.16.1.1 | Responsibilities and procedures |
A.16.1.2 | Reporting information security events |
A.16.1.3 | Reporting information security weaknesses |
A.16.1.4 | Assessment of and decision on information security events |
A.16.1.5 | Response to information security incidents |
A.16.1.6 | Learning from information security incidents |
A.16.1.7 | Collection of evidence |
ISO 20000:2011 Domain Reference: 6.6.3 – Information security changes and incidents
The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.
Security incidents will be classified according to incident categories and severity of incident. Incident response will be based on classification.
Incident Categories
The following categories will be used to describe IT security incidents at Information Dynamics. A single incident may have several different categories.
Confidential data exposure
Customer Account details
Credit Card information
Identity theft
Other
Criminal activity/investigation
Search warrant or other court order
Litigation hold request (ala e-Discovery)
Online theft, fraud
Threatening communication
Pornography
Physical theft, break-in
Denial of Service
Single or distributed (DoS or DDoS)
Inbound or outbound
Digital Millennium Copyright Act (DMCA) violation (if exists)
Official DMCA notification from copyright owner or legal representative
Illegal distribution of copyrighted or licensed material (movies, music, software, games)
Illegal possession of copyrighted or licensed material
Malicious code activity
Worm, virus, Trojan
Botnet
Keylogger
Rootkit
Policy violation
The Organization’s policy violation
Violation of student code of conduct
Personnel action/investigation
Reconnaissance activity
Port scanning
Other vulnerability scanning
Unauthorized monitoring
Rogue server or service
Rogue file/FTP server for music, movies, pirated software, etc.
Phishing scam web server
Botnet controller
Spam source
Spam relay
Spam host
Computer on a block list
Spear Phishing
Scam e-mail targeting a relatively large number of <Name of the Organization> e-mail addresses
Unauthorized access
Abuse of access privileges
Unauthorized access to data
Unauthorized login attempts
Brute force password cracking attempts
Stolen password(s)
Un-patched vulnerability
Vulnerable operating system
Vulnerable application
Vulnerable web site/service
Weak or no password on an account
Web defacement
Defacement of web site
Inappropriate post to Bank’s comments/blog section
Redirected web site
Un-authorized network access
Wire-less
Rogue LAN connection
Wire-tapping
No Incident or False-positive
When investigation of suspicious activity finds no evidence of a security incident
Incident Severity
An incident will be categorized as one of three severity levels. These severity levels are based on the impact to the organization and can be expressed in terms of financial impact, impact to manufacturing, impact to sales, impact to company’s image or impact to trust by company customers, etc. Following table provides a listing of the severity levels and a definition/description of each severity level.
Severity Level | Description | SLA (in Hrs) |
Low | Incident where the impact is minimal. Examples are harmless email SPAM, isolated Virus infections, etc. | 72 |
Medium | Incident where the impact is significant. Examples are a delayed ability to order or manufacture [Product Name], delayed delivery of critical electronic mail or EDI transfers, | 48 |
etc. | ||
High | Incident where the impact is severe. Examples are a disruption to the manufacturing or sales processes, company’s proprietary of confidential information has been compromised, a virus or worm has become wide spread and is affecting over 30 percent of the employees, or Executive management has reported it. | 24 |
Six stages of response are described below:
Preparation
One of the most important facilities to a response plan is to know-how to use it once it is in place. Knowing how to respond to an incident BEFORE it occurs can save valuable time and effort in the long run.
Identification
Identify whether or not an incident has occurred. If one has occurred, the response team can take the appropriate actions. The approach to the Identification Stage involves:
Validating the incident
If an incident has occurred, identify its nature
Identifying and protecting the evidence
Logging and reporting the event or incident.
When a staff member notices a suspicious anomaly in data, a system, or the network, he or she begins this identification process or immediately notify the concerned person(s).
Containment
It involves in limiting the scope and magnitude of an incident. Because so many incidents observed currently involve malicious code, incidents can spread rapidly. This can cause massive destruction and loss of information. As soon as an incident is recognized, immediately begin working on containment. A decision on the operational status of the compromised system itself will be made. Whether this system should be:
Shut down entirely
Disconnected from the network or
Be allowed to continue to run in its normal operational status (so that any activity on the system can be monitored) will depend on the risk to assets threatened by the incident.
Eradication
Removing the cause of the incident can be a difficult process. It can involve virus removal, conviction of perpetrators, or dismissing employees. Should follow good practices:
Determine the Cause and Symptoms
Use information gathered during the containment phase and collect additional information. If a single attack method cannot be determined list and rank the possibilities.
Improve Defenses
Implement appropriate protection techniques such as firewalls and/or router filters, moving the system to a new name/IP address, or in extreme cases, porting the machine's functions to a more secure operating system.
Perform Vulnerability Analysis
Use of vulnerability analysis tool to scan for vulnerable systems that are connected to affected systems.
Recovery and Closure
Restoring a system to its normal business status is essential. Information Security Office reviews the tracking system and closes tickets when appropriate.
Once a restore has been performed, it is also important to verify that the restore operation was successful and that the system is back to its normal condition.
Follow-up
Some incidents require considerable time and effort. It is little wonder, then, that once the incident appears to be terminated there is little interest in devoting any more effort to the incident. Performing follow-up activity is, however, one of the most critical activities in the response procedure. This follow-up can support any efforts to prosecute those who have broken the law. This includes changing any company policies that may need to be narrowed down or be changed altogether.
To adequately respond to an intrusion or incident, predetermined teams will participate depending on the incident characteristics. As the situation develops and the impact becomes more significant, the various teams will be called to contribute. Figure 1 depicts the Incident Response organization.
Whenever the impact of the incident increases (severity level increases) the escalation process will be invoked to involve all appropriate resources. Incidents should be handled at the lowest escalation level that is capable of responding to the incident with as few resources as possible in order to reduce the total impact, and to keep tight control. Following table defines the escalation levels with the associated team involvement.
Escalation Level | Affected Team(s) | Description |
0 | Technical Assessment Team | Normal Operations. Engineering groups monitoring for alerts from various sources |
1 | A threat has been discovered. Determine defensive action to take. Message employees of required actions if necessary. | |
2 | A threat has manifested itself. Determine course of action for containment and eradication. Message employees of required actions if necessary. | |
3 | Threat is wide spread or impact is significant. Determine course of action for containment and eradication. Message employees. Prepare to take legal action for financial |
Technical Assessment Team
Incident Response Coordinator
Communication Team
Incident Response Management
Incident Response Coordinator
Technical Assessment Team
Technical Support Team
Communications Team
Incident Response Management
Incident Response Coordinator
Extended Team
Technical Assessment Team
Technical Support Team
Communications Team
restitution etc. |
Incident Response Support Team
The Incident Response Process is an escalation process where as the impact of the incident becomes more significant or wide spread, the escalation level increases bringing more resources to bear on the problem. At each escalation level, team members who will be needed at the next higher level of escalation are alerted to the incident so that they will be ready to respond if and when they are needed.
A person(s) must be formally assigned the responsibility to create and distribute security incident response and escalation procedures to the necessary personnel.
Area Responsible : Information Dynamics
Manager : Anoop / Shaik
Information Security Team : Finny / Soundar/Linda
CAUTION: No staff member, except the designated Information Security personal has authority to discuss any security incident with any person(s) outside of Information Dynamics.
The incident response plan must include at a minimum the following
Roles, responsibilities, and communication strategies in the event of a compromise.
Coverage and responses for all critical system components.
Notification, at a minimum, of credit card associations and acquirers.
Strategy for business continuity post compromise reference or inclusion of incident response procedures from card associations.
Analysis of legal requirements for reporting compromises.
Data Backup and Recovery of Critical systems
The incident response plan must define an incident escalation process. It should pre-define the personnel responsible for immediate incident response and the persons to whom the incident should be escalated incase of incident remaining unresolved.
[Reference: Section7. Incident Response Process]
The incident response plan must be tested at least once annually. All testing results must be documented and the incident response plan must be changed depending on the testing results.
[Reference: Doc - <Security Incident Management Test Plan Procedure_v1]
There should be designated security personnel who should be available 24/7 to respond to unauthorized activity, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.
Area Responsible : Information Dynamics
Manager : Mani/ Shaik
Information Security Team : Soundar/ Linda
The staff providing incident response must be appropriately trained to respond to security breaches. Training requirements must be accessed on the basis of incident response plan testing and performance of incident response personnel.
An alerting mechanism must be in place to notify the incident response personnel. The alerts to be sent to incident response personnel must include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
Typical symptoms of computer security incidents include any or all of the following:
A system alarm or similar indication from an intrusion detection tool
Suspicious entries in system or network accounting
Accounting discrepancies
Repeated unsuccessful logon attempts
Unexplained, new user accounts
Unexplained new files or unfamiliar file names
Unexplained modifications to file lengths and/or dates, especially in system executable files
Unexplained attempts to write to system files or changes in system files
Unexplained modification or deletion of data
Denial/disruption of service or inability of one or more users to login to an account
System crashes
Poor system performance
Operation of a program or sniffer device to capture network traffic
Remote requests for information about systems or users (e.g., social engineering)
Unusual time of usage (many computer security incidents occur during non-working hours)
An indicated last time of usage of a user account that does not correspond to the actual last time of usage for that user
Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program, an escalation in disk usage by a single account )
There must exist a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. Annual Security Incident Response Test Procedure can be used for this purpose. Any lesson-learned during the test phase must be incorporated into the Production Procedure.
A list of contact information of the incident response personnel should be maintained. The contact information must enable to contact them 24/7.
1. Internal information security group/officer and incident response team
Tel: 044 - 22641261 & email - officer@cybercellchennai.com
Detection of any rogue wireless device(s) is considered as a Critical Incident. Following action must be taken immediately
The head of the network infrastructure and the network team must be alerted.
A physical walkthrough must be conducted to identify the physical location of the access point.
The wireless access point/device must be disconnected from the organization network.
The wireless access point/device logs must be recovered from the device to analyze the network traffic for any possible cardholder data breach.
Incident Response Matrix
Incident Severity | Characteristics (one or more condition present determines the severity) | Response Time | Incident Manager | Whom to notify |
High | 1) Significant adverse impact on a large number of systems and/or people | 4 Hours | Information Security Manager | IS Team |
2) Threatens confidential data | ||||
3) Adversely impacts a critical enterprise system or service | ||||
4) Significant and immediate threat to human safety | ||||
5) High probability of propagating to a large number of other systems on or off bank's premises and causing significant disruption | ||||
Medium | 1) Adversely impacts a moderate number of systems and/or people | 8 Hours | Information Security Manager | IS Team |
2) Adversely impacts a non-critical enterprise system or service | ||||
3) Adversely impacts a departmental scale system or service | ||||
4) Moderate risk of propagating and causing further disruption | ||||
Low | 1) Adversely impacts a very small number of non-critical individual systems, services, or people | 16 Hours | Information Security Manager | IS Team |
2) Little risk of propagation and further disruption |
Information Security incident management procedure
Incident Response Process
Incident User Training
Security Incident management Test plan procedure