
Incident Response Policy

Enterprise Security Office Forum November 20th, 2008. Incident Response Policy. Welcome. Theresa Masse, State CISO. Agenda. Policy Overview Roles and Responsibilities Resources For Agencies Agency Panel Questions. Incident Response Policy. Why do we need it?


Incident Response Policy



Presentation Transcript


  1. Enterprise Security Office Forum November 20th, 2008 Incident Response Policy

  2. Welcome Theresa Masse, State CISO

  3. Agenda Policy Overview Roles and Responsibilities Resources For Agencies Agency Panel Questions

  4. Incident Response Policy Why do we need it? Increasing value of information Increasing risk to information Increasing penalties for failure to safeguard PCI, HIPAA, OCITPA (aka SB583) 2005 Legislature HB3145 -> ORS 182.122

  5. Policy Goals Develop Statewide Incident Response (IR) Develop Agency Incident Response Incident Reporting Timely Response Coordination Data Collection

  6. What Information Is Covered by Policy? • All Information: • Electronic • Written • Verbal

  7. Key Policy Elements: Incident What is an “incident” we should report? Defined in Policy Remember Policy Goals! Will reporting this incident help? Four Key Elements: Involves security of information Is unwanted or unexpected Shows harm or significant threat of harm Requires non-routine response

  8. Key Policy Elements: Incident Common pitfall for IR plan authors Incident vs. “SB583 Breach” Information Security Incident PII Exposure, per OCITPA (aka SB583) All Breaches are Incidents Not all Incidents are Breaches

  9. Key Policy Elements: Responsibilities State Incident Response Team (SIRT) State Data Center (SDC) Agencies

  10. SIRT Responsibilities Statewide Incident Response Program Policy, Plan, Procedures, Reporting Data Aggregation and Reporting Incident Response – When will the SIRT respond? Multi-Agency Statewide Impact Agency Assistance Required SB583 Breaches Incident Forensics Capabilities

  11. SDC Responsibilities Monitoring, Alerting Incident Response State Wide Area Network (WAN) SDC-hosted Infrastructure

  12. Agency Responsibilities Agencies are responsible for their own information Agency IR Capabilities Policy, Plan, Procedures Agency Information Incidents Detection, Response, Follow-up, Protection SIRT Point of Contact Assist SIRT

  13. SDC Response Chart

  14. Agency Response Chart

  15. Agencies Need To: Create or Adopt Policy Develop Plan Develop Capabilities Create Procedures Assign Point of Contact Policy Compliance Date May 1, 2009

  16. “IR” Is Not Just “IT” IR Requires Agency Business Participation Not all information is electronic Business drives response Incident detection happens anywhere in agency – not just in IT department

  17. Resources For Agencies Website overview Plan Template Educational Resources Qualified Vendors List Point of Contact Form Potential IR workshops

  18. IR Website • http://www.oregon.gov/DAS/EISPD/ESO/SIRT.shtml

  19. IR Plan Template • http://www.oregon.gov/DAS/EISPD/ESO/docs/SIRT/IncidentResponsePlanTemplate.doc

  20. Educational Resources Carnegie Mellon CERT http://www.cert.org/work/training.html SANS Institute http://www.sans.org/sans_training.php InfoSec Institute http://infosecinstitute.com/courses/security_training_courses.html

  21. Master Services Contract Qualified Vendors List Incident Response Forensics Breach Services Currently in DAS Procurement ETA...

  22. Agency Point of Contact • This form (available on our website) needs to be completed for every agency and given to the SIRT

  23. Guest Speakers Agency Experiences Developing Incident Response Capabilities Bret West – DAS Richard Rylander – DOJ

  24. Bret West, Operations Division Administrator Department of Administrative Services Incident Response Policy and Plan Development

  25. DAS Incident Response Policy and Plan Development The assignment: Develop and implement DAS’ internal incident response program The timeframe: Concurrently with development and adoption of the statewide Enterprise Security Office IRP policy Why concurrently? To inform ESO policy/plan development

  26. DAS Incident Response Policy and Plan Development Process Engaged DAS IT Management Council Governing body for DAS internal IT Made up of representatives from all DAS divisions Good mix of division administrators/staff; technical/non-technical; management/classified Established subcommittee to work through details Discussed roles and responsibilities of IT staff vs. data owners

  27. DAS Incident Response Policy and Plan Development Process Presented draft policy, plan and informational flyer to IT Management Council Identified changes needed through robust council discussion Presented final package to DAS Executive Team for adoption

  28. DAS Incident Response Policy and Plan Development Challenges Timeline Ensuring stakeholder engagement Clearly delineating roles and responsibilities DAS Ops (internal) vs. SDC and ESO (external) Data owners vs. IT staff Communication/Reporting Resuming business operations

  29. DAS Incident Response Policy and Plan Development Path to Success Used ESO templates for the policy, plan and awareness flyer Engaged business partners and executive team Realized that the plan would evolve with experience Identified gaps in staffing/skill sets Work with agency communications team to roll out the policy

  30. Guest Speakers – Part II Agency Experiences Developing Incident Response Capabilities Bret West – DAS Richard Rylander – DOJ

  31. Richard Rylander Security Coordinator Department of Justice DOJ Security Incident Response

  32. Agenda Incident Types Challenges Planning Mistakes Incident data Benefits Resources

  33. Incident Types Malware and Spyware Infection Viruses and Worms Infection/Outbreak Breach of Acceptable Use Policy Breach of security policy or procedures Loss or theft of physical or electronic media Data Loss

  34. Challenges Who owns incident response? Management Employees Information Technology Who is responsible for incident response? Roles and responsibilities Communications Plan Escalation

  35. Challenges Business Concerns Reporting Incident impact Notification requirements Media Law enforcement

  36. Challenges • Business Concerns – cont’d • Data Loss • Physical or electronic • Financial Loss • Legal requirements • Loss of productivity

  37. Challenges Information Technology Concerns What data was compromised? Physical or electronic How was the data compromised? How many systems were affected? Was the data loss preventable? Was there inside involvement? Was there outside involvement? Was the data encrypted?

  38. Planning Create an incident response process flow Create a responsibility matrix Create a communications plan

  39. Incident Response Flow Diagram (flow chart on the slide; the transcript preserves only the node labels, not the arrows, so the order below is not authoritative). Decision points: "Security Incident?" (Yes/No), "Property Loss?" (Yes/No), "Escalate" (Yes: Notify CIO / No). Process steps: Incident Detection; CSC Notified; CSC Contacts SIRT Member Based on Incident Location; SIRT Member Conducts Initial Investigation; Isolate & Contain (as necessary); Collect Evidence (document); Determine Business Impact (document); Forensic Duplication of Data (as required); Continue Investigation / Determine Response (document); Response (document); Property Loss Policy; Risk Management Notification; Update Risk Management; Apply Corrective Actions; Monitor Systems; Return System(s) to Normal Operation; Recovery (document); Identify Lesson(s) Learned (document); Implement Improvements or Corrections from Lesson(s) Learned; Develop Final Report; Deliver findings to CIO & Management; Communications (internal); Communications (external); Close Security Incident. Steps marked "Concurrent" on the slide run in parallel.

  40. Develop a Responsibility Matrix (R = Responsible, C = Contributes, I = Informed). Columns are the phases Report | Detect/Monitor | Evaluate | Containment | Communicate | Respond/Correct | Recover | Document.
      Chief Information Officer: R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R
      IS Management: R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R
      Security Officer: R | C/R | I/C/R | I/C | I/C | I/C | I | I/C/R
      Network Security Administrator: R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R
      Network Administrator: R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R
      Network Services Team: R | C/R | I/C/R | C/R | I/C | I/C/R | I/C/R | I/C/R
      Mainframe Team: R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R
      Desktop Services Team: R | C/R | I/C | I/C | I/C | I/C/R | I/C/R | I/C/R
      Customer Services Team: R | C/R | I/C | I/C | I/C | I/C | I/C | I/C/R
      Application Development Team: R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R
      Division Management: R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R
      All DOJ Employees: R | C/R | n/a | I/C | I/C | I | I | I/C
      Risk Management: I | I | I/C/R | I/C/R | I/C/R | I/C | I/C | I/C/R
      State Data Center (SDC related): R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R

  41. Incident Response Mistakes

  42. Incident Response Mistakes Failure to mitigate the risk Shut down the attack point. Do not get caught up in ‘fire fighting’ mode. Isolate and prevent the incident from spreading unless there is a reason to permit the attack to continue. Do not underestimate the scope of the incident.

  43. Incident Response Mistakes Failure to learn from past incidents Modify security controls and training materials to reflect lessons learned. Failure to document incident procedures Provide communication plan. Provide reporting and documentation requirements. Document all incidents in detail.

  44. Oregon Incidents 2008 (source: http://www.privacyrights.org)
      Nov. 1, 2008 | Veterans Affairs Medical Center (Portland, OR) | 1,600 | Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site.
      June 4, 2008 | Oregon State University (Corvallis, OR) | 4,700 | The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.
      April 28, 2008 | Hough, MacAdam & Wartnik (North Bend, OR) | 500 | A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information.
      Mar. 6, 2008 | Cascade Healthcare Community (Prineville, OR) | 11,500 | A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community.

  45. Notable Incidents (Records | Organization | Date; source: http://datalossdb.org)
      94,000,000 | TJX Companies Inc. | 01/17/2007
      40,000,000 | CardSystems (Visa, MasterCard, American Express) | 06/19/2005
      30,000,000 | America Online | 06/24/2004
      26,500,000 | U.S. Department of Veterans Affairs | 05/22/2006
      25,000,000 | HM Revenue and Customs | 11/20/2007
      17,000,000 | T-Mobile, Deutsche Telekom | 10/06/2008
      12,500,000 | Archive Systems Inc. (Bank of New York Mellon) | 05/07/2008
      11,000,000 | GS Caltex | 09/06/2008
      8,637,405 | Dai Nippon Printing Company | 03/12/2007
      8,500,000 | Certegy Check Services Inc. (Fidelity National Information Services) | 03/07/2007

  46. Benefits of Incident Response User Awareness Defined responsibilities Defined response procedure Defined Incident Response Policy Defined communications plan Measurable results

  47. Summary Define responsibilities Identify areas of challenge Identify and create key documents Communications Plan Document in detail Use resources available for assistance

  48. Resources NIST – National Institute of Standards and Technology (http://csrc.nist.gov/) SANS Institute (http://www.sans.org/) US-CERT (http://www.us-cert.gov/) RFC 2350 (http://www.ietf.org/rfc) Richard Rylander Oregon Department of Justice richard.rylander@state.or.us

  49. Questions?
