Incident Response Policy

Overview

A security incident can come in many forms: a malicious attacker gaining access to the network, a virus or other malware infecting computers, or even a stolen laptop containing confidential data. A well-thought-out Incident Response Policy is critical to successful recovery from an incident. This policy covers all incidents that may affect the security and integrity of the company's information assets, and outlines steps to take in the event of such an incident.

Purpose

This policy is intended to ensure that the company is prepared if a security incident were to occur. It details exactly what must occur if an incident is suspected, covering both electronic and physical security incidents. Note that this policy is not intended to provide a substitute for legal advice, and approaches the topic from a security practices perspective.

Scope

The scope of this policy covers all information assets owned or provided by the company, whether they reside on the corporate network or elsewhere.

Policy

Types of Incidents

A security incident, as it relates to the company's information assets, can take one of two forms. For the purposes of this policy a security incident is defined as one of the following:

  • Electronic: This type of incident can range from an attacker or user accessing the network for unauthorized/malicious purposes, to a virus outbreak, to a suspected Trojan or malware infection.

  • Physical: A physical IT security incident involves the loss or theft of a laptop, mobile device, Smartphone, tablet, portable storage device, or other digital apparatus that may contain company information. 

Preparation

Work done prior to a security incident is arguably more important than work done after an incident is discovered. The most important preparation work, obviously, is maintaining good security controls that will prevent or limit damage in the event of an incident. This includes technical tools such as firewalls, intrusion detection systems, authentication, and encryption; and non-technical tools such as good physical security for laptops and mobile devices.

Additionally, prior to an incident, the company must ensure that the following is clear to IT personnel:

  • What actions to take when an incident is suspected.

  • Who is responsible for responding to an incident.

The company must have discussions with an IT Security company that offers incident response services before such an incident occurs in order to prepare an emergency service contract. This will ensure that high-end resources are quickly available during an incident.

Finally, the company should review any industry or governmental regulations that dictate how it must respond to a security incident (specifically, loss of customer data), and ensure that its incident response plans adhere to these regulations.

Confidentiality

All information related to an electronic or physical security incident must be treated as confidential information until the incident is fully contained. This will serve both to protect employees' reputations (if an incident is due to an error, negligence, or carelessness), and to control the release of information to the media and/or customers.

Electronic Incidents

When an electronic incident is suspected, the company's goal is to recover as quickly as possible, limit the damage done, secure the network, and preserve evidence of the incident. The following steps should be taken in order:

  1. Before an incident occurs, the company must work out a response scenario with a qualified IT Security consultant that includes emergency access to high-end expertise.

  2. Report the incident to the company’s designated IT contact.

  3. Remove the compromised device from the network by unplugging or disabling its network connection. Do not power down the machine.

  4. Disable the compromised account(s) as appropriate.

  5. Physically secure the compromised system.

  6. Contact the security consultant for emergency response. If prosecution of the incident is desired, chain-of-custody and preservation of evidence are critical.

  7. Create a detailed event log documenting each step taken during this process.

  8. Determine how the attacker gained access and disable this access.

  9. Rebuild the system using new hardware.

  10. Restore any needed data from the last known good backup and put the system back online.

  11. Take actions, where possible, to ensure that the vulnerability (or similar vulnerabilities) will not reappear.

  12. Notify applicable authorities if prosecution is desired and possible based on the evidence collected.

  13. Reflect on the incident. What can be learned? How did the Incident Response team perform? Was the policy adequate? What could be done differently?

  14. Update the Incident Response plan and policy if needed to reflect changes in process that should be implemented to better manage future incidents.

  15. Perform a vulnerability assessment to spot any other vulnerabilities before they can be exploited.

Physical Incidents

Physical security incidents are challenging, since often the only actions that can be taken to mitigate the incident must be done in advance. This makes preparation critical. One of the best ways to prepare is to mandate the use of strong encryption to secure data on mobile devices. Applicable policies, such as those covering encryption and confidential data, should be reviewed.

Physical security incidents are most likely the result of a random theft or inadvertent loss by a user, but they must be treated as if they were targeted at the company.

The company must assume that such a loss will occur at some point, and periodically survey a random sampling of laptops and mobile devices to determine the risk if one were to be lost or stolen.

  1. Response: Establish the severity of the incident by determining the data stored on the missing device. This can often be done by referring to a recent backup of the device. Two important questions must be answered:

    1. Was confidential data involved?

      • If not, refer to "Loss Contained" below.

      • If confidential data was involved, refer to "Data Loss Suspected" below.

    2. Was strong encryption used?

      • If strong encryption was used, refer to "Loss Contained" below.

      • If not, refer to "Data Loss Suspected" below.

  2. Loss Contained: First, change any usernames, passwords, account information, wireless network keys, passphrases, etc., that were stored on the system. Notify the designated IT contact. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities if a theft has occurred.

  3. Data Loss Suspected: 

    • First, notify the executive team so that the company can evaluate and prepare a response.

    • Change any usernames, passwords, account information, wireless keys, passphrases, etc., that were stored on the system. Replace the lost hardware and restore data from the last backup. Notify the applicable authorities as needed if a theft has occurred and follow disclosure guidelines specified in the notification section.

    • Review procedures to ensure that risk of future incidents is reduced by implementing stronger physical security controls.

Notification

If an electronic or physical security incident is suspected to have resulted in the loss of third-party or customer data, follow applicable regulations and/or industry breach disclosure laws and append the regulations to this policy.

Managing Risk

Managing risk of a security incident or data loss is the primary reason to create and maintain a comprehensive security policy. Risks can come in many forms: electronic risks like data corruption, computer viruses, hackers, or malicious users; or physical risks such as loss/theft of a device, hardware failure, fire, or a natural disaster. Protecting critical data and systems from these risks is of paramount importance to the company.

Risk Assessment

As part of the risk management process, the company must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the company's critical or confidential information. The process must include the following steps:

  1. Scope the assessment. Determine both the physical and logical boundaries of the assessment.

  2. Gather information. Determine what confidential or critical information is maintained by the company. Determine how this information is secured.

  3. Identify threats. Determine what man-made and natural events could affect the company's electronic information.

  4. Identify Vulnerabilities. After threats have been identified, determine the company's exposure to each threat. External assessments may be useful here, as covered in the Network Security Policy.

  5. Assess Security Controls. After vulnerabilities have been cataloged, determine the effectiveness of the company's security controls in mitigating each vulnerability.

  6. Determine the potential impact of each vulnerability being exploited. Would the event result in loss of confidentiality, loss of integrity, or loss of availability of the information?

  7. Determine the company's level of risk. Based on the information gathered in the previous steps, determine the company's level of risk for each event.

  8. Recommend security controls. Security controls that will mitigate the identified risks are evaluated during this step. Consider cost, operational impact, and effectiveness of each control.

  9. Document the risk assessment results. The final step is to document the risk assessment, including the results of each step.

Risk Management Program

A formal risk management program must be implemented to cover any risks known to the company (which should be identified through a risk assessment), and ensure that reasonable security measures are in place to mitigate any identified risks to a level that will ensure the continued security of the company's confidential and critical data.

Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

Definitions

  • Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.

  • Incident: An event that threatens or compromises the operational security and data integrity of the company.

  • Malware: Short for "malicious software." A software application designed with malicious intent. Viruses and Trojans are common examples of malware.

  • Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.

  • PDA: Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes.

  • Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.

  • Trojan: Also called a "Trojan Horse." An application that is disguised as something innocuous or legitimate, but harbors a malicious payload. Trojans can be used to covertly and remotely gain access to a computer, log keystrokes, or perform other malicious or destructive acts.

  • Virus: Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.

©2020 by Lowcountry Center for Veterans Research.