Incident Response Policy Enterprise Security Office Forum November 20th, 2008.
Incident Response Policy
Enterprise Security Office Forum
November 20th, 2008
2
Welcome
Theresa Masse, State CISO
3
Agenda
Policy Overview
Roles and Responsibilities
Resources For Agencies
Agency Panel
Questions
4
Incident Response Policy
Why do we need it?
Increasing value of information
Increasing risk to information
Increasing penalties for failure to safeguard: PCI, HIPAA, OCITPA (aka SB583)
2005 Legislature HB3145 -> ORS 182.122
5
Policy Goals
Develop Statewide Incident Response (IR)
Develop Agency Incident Response
Incident Reporting
Timely Response Coordination
Data Collection
6
What Information Is Covered by Policy?
All Information:
Electronic
Written
Verbal
7
Key Policy Elements: Incident
What is an “incident” we should report?
Defined in Policy
Remember Policy Goals! Will reporting this incident help?
Four Key Elements:
Involves security of information
Is unwanted or unexpected
Shows harm or significant threat of harm
Requires non-routine response
8
Key Policy Elements: Incident
Common pitfall for IR plan authors
Incident vs. “SB583 Breach”
Information Security Incident
PII Exposure, per OCITPA (aka SB583)
All Breaches are Incidents
Not all Incidents are Breaches
9
Key Policy Elements: Responsibilities
State Incident Response Team (SIRT)
State Data Center (SDC)
Agencies
10
SIRT Responsibilities
Statewide Incident Response Program: Policy, Plan, Procedures, Reporting
Data Aggregation and Reporting
Incident Response – When will the SIRT respond?
Multi-Agency Statewide Impact
Agency Assistance Required
SB583 Breaches
Incident Forensics Capabilities
11
SDC Responsibilities
Monitoring, Alerting
Incident Response
State Wide Area Network (WAN)
SDC-hosted Infrastructure
12
Agency Responsibilities
Agencies are responsible for their own information
Agency IR Capabilities: Policy, Plan, Procedures
Agency Information Incidents: Detection, Response, Follow-up, Protection
SIRT Point of Contact
Assist SIRT
13
SDC Response Chart
14
Agency Response Chart
15
Agencies Need To:
Create or Adopt Policy
Develop Plan
Develop Capabilities
Create Procedures
Assign Point of Contact
Policy Compliance Date May 1, 2009
16
“IR” Is Not Just “IT”
IR Requires Agency Business Participation
Not all information is electronic
Business drives response
Incident detection happens anywhere in agency – not just in IT department
17
Resources For Agencies
Website overview
Plan Template
Educational Resources
Qualified Vendors List
Point of Contact Form
Potential IR workshops
18
IR Website http://www.oregon.gov/DAS/EISPD/ESO/SIRT.shtml
19
IR Plan Template
http://www.oregon.gov/DAS/EISPD/ESO/docs/SIRT/IncidentResponsePlanTemplate.doc
20
Educational Resources
Carnegie Mellon CERT
http://www.cert.org/work/training.html
SANS Institute
http://www.sans.org/sans_training.php
InfoSec Institute
http://infosecinstitute.com/courses/security_training_courses.html
21
Master Services Contract
Qualified Vendors List
Incident Response
Forensics
Breach Services
Currently in DAS Procurement
ETA...
22
Agency Point of Contact
This form (available on our website) needs to be completed for every agency and given to the SIRT.
23
Guest Speakers
Agency Experiences Developing Incident Response Capabilities
Bret West – DAS
Richard Rylander – DOJ
Incident Response Policy and Plan Development
Bret West, Operations Division Administrator
Department of Administrative Services
DAS Incident Response Policy and Plan Development
The assignment: Develop and implement DAS’ internal incident response program
The timeframe: Concurrently with development and adoption of the statewide Enterprise Security Office IRP policy
Why concurrently? To inform ESO policy/plan development
DAS Incident Response Policy and Plan Development
Process
Engaged DAS IT Management Council
Governing body for DAS internal IT
Made up of representatives from all DAS divisions
Good mix of division administrators/staff; technical/non-technical; management/classified
Established subcommittee to work through details
Discussed roles and responsibilities of IT staff vs. data owners
DAS Incident Response Policy and Plan Development
Process
Presented draft policy, plan and informational flyer to IT Management Council
Identified changes needed through robust council discussion
Presented final package to DAS Executive Team for adoption
DAS Incident Response Policy and Plan Development
Challenges
Timeline
Ensuring stakeholder engagement
Clearly delineating roles and responsibilities
DAS Ops (internal) vs. SDC and ESO (external)
Data owners vs. IT staff
Communication/Reporting
Resuming business operations
DAS Incident Response Policy and Plan Development
Path to Success
Used ESO templates for the policy, plan and awareness flyer
Engaged business partners and executive team
Realized that the plan would evolve with experience
Identified gaps in staffing/skill sets
Work with agency communications team to roll out the policy
30
Guest Speakers – Part II
Agency Experiences Developing Incident Response Capabilities
Bret West – DAS
Richard Rylander – DOJ
DOJ Security Incident Response
Richard Rylander, Security Coordinator
Department of Justice
32
Agenda
Incident Types
Challenges
Planning
Mistakes
Incident data
Benefits
Resources
33
Incident Types
Malware and Spyware Infection
Viruses and Worms Infection/Outbreak
Breach of Acceptable Use Policy
Breach of security policy or procedures
Loss or theft of physical or electronic media
Data Loss
34
Challenges
Who owns incident response?
Management
Employees
Information Technology
Who is responsible for incident response?
Roles and responsibilities
Communications Plan
Escalation
35
Challenges
Business Concerns
Reporting
Incident impact
Notification requirements
Media
Law enforcement
36
Challenges
Business Concerns – cont’d
Data Loss
Physical or electronic
Financial Loss
Legal requirements
Loss of productivity
37
Challenges
Information Technology Concerns
What data was compromised?
Physical or electronic
How was the data compromised?
How many systems were affected?
Was the data loss preventable?
Was there inside involvement?
Was there outside involvement?
Was the data encrypted?
38
Planning
Create an incident response process flow
Create a responsibility matrix
Create a communications plan
39
Incident Response Flow Diagram
(Boxes and decision points as labelled in the flattened diagram; the connecting arrows are not recoverable from the transcript.)
Incident Detection
CSC Notified
CSC Contacts SIRT Member Based on Incident Location
SIRT Member Conducts Initial Investigation
Forensic Duplication of Data (as required)
Continue Investigation / Determine Response (document)
Response (document)
Communications (internal)
Communications (external)
Recovery (document)
Determine Business Impact (document)
Collect Evidence (document)
Monitor Systems
Isolate & Contain (as necessary)
Deliver findings to CIO & Management
Security Incident? (No / Yes)
Close Security Incident
Concurrent
Notify CIO
Escalate (No / Yes)
Apply Corrective Actions
Property Loss? (No / Yes)
Property Loss Policy
Risk Management Notification
Update Risk Management
Return System(s) to Normal Operation
Identify Lesson(s) Learned (document)
Implement Improvements or Corrections from Lesson(s) Learned
Develop Final Report
40
Develop a Responsibility Matrix

| Role | Report | Detect/Monitor | Evaluate | Containment | Communicate | Respond/Correct | Recover | Document |
|---|---|---|---|---|---|---|---|---|
| Chief Information Officer | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| IS Management | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| Security Officer | R | C/R | I/C/R | I/C | I/C | I/C | I | I/C/R |
| Network Security Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Services Team | R | C/R | I/C/R | C/R | I/C | I/C/R | I/C/R | I/C/R |
| Mainframe Team | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Desktop Services Team | R | C/R | I/C | I/C | I/C | I/C/R | I/C/R | I/C/R |
| Customer Services Team | R | C/R | I/C | I/C | I/C | I/C | I/C | I/C/R |
| Application Development Team | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Division Management | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| All DOJ Employees | R | C/R | n/a | I/C | I/C | I | I | I/C |
| Risk Management | I | I | I/C/R | I/C/R | I/C/R | I/C | I/C | I/C/R |
| State Data Center (SDC related) | R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |

R = Responsible, C = Contributes, I = Informed
41
Incident Response Mistakes
42
Incident Response Mistakes
Failure to mitigate the risk
Shut down the attack point. Do not get caught up in ‘fire fighting’ mode.
Isolate and prevent the incident from spreading unless there is a reason to permit the attack to continue.
Do not underestimate the scope of the incident.
43
Incident Response Mistakes
Failure to learn from past incidents
Modify security controls and training materials to reflect lessons learned.
Failure to document incident procedures
Provide communication plan.
Provide reporting and documentation requirements.
Document all incidents in detail.
44
Oregon Incidents 2008
Nov. 1, 2008: Veterans Affairs Medical Center (Portland, OR), 1,600 records. Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site.
June 4, 2008: Oregon State University (Corvallis, OR), 4,700 records. The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.
April 28, 2008: Hough, MacAdam & Wartnik (North Bend, OR), 500 records. A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information.
Mar. 6, 2008: Cascade Healthcare Community (Prineville, OR), 11,500 records. A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community.
Source: http://www.privacyrights.org
Notable Incidents

| Records | Organization | Date |
|---|---|---|
| 94,000,000 | TJX Companies Inc. | 01/17/2007 |
| 40,000,000 | CardSystems (Visa, MasterCard, American Express) | 06/19/2005 |
| 30,000,000 | America Online | 06/24/2004 |
| 26,500,000 | U.S. Department of Veterans Affairs | 05/22/2006 |
| 25,000,000 | HM Revenue and Customs | 11/20/2007 |
| 17,000,000 | T-Mobile, Deutsche Telekom | 10/06/2008 |
| 12,500,000 | Archive Systems Inc. / Bank of New York Mellon | 05/07/2008 |
| 11,000,000 | GS Caltex | 09/06/2008 |
| 8,637,405 | Dai Nippon Printing Company | 03/12/2007 |
| 8,500,000 | Certegy Check Services Inc. / Fidelity National Information Services | 03/07/2007 |

Source: http://datalossdb.org
46
Benefits of Incident Response
User Awareness
Defined responsibilities
Defined response procedure
Defined Incident Response Policy
Defined communications plan
Measurable results
47
Summary
Define responsibilities
Identify areas of challenge
Identify and create key documents
Communications Plan
Document in detail
Use resources available for assistance
48
Resources
NIST – National Institute of Standards and Technology (http://csrc.nist.gov/)
SANS Institute (http://www.sans.org/)
US-CERT (http://www.us-cert.gov/)
RFC 2350 (http://www.ietf.org/rfc)
Richard Rylander
Oregon Department of [email protected]
49
Questions?