Incident Response Policy

Enterprise Security Office Forum, November 20th, 2008

Welcome

Theresa Masse, State CISO

Agenda
  • Policy Overview
  • Roles and Responsibilities
  • Resources For Agencies
  • Agency Panel
  • Questions

Incident Response Policy

Why do we need it?
  • Increasing value of information
  • Increasing risk to information
  • Increasing penalties for failure to safeguard

2005 Legislature: HB 3145, codified as ORS 182.122

Policy Goals
  • Develop statewide incident response (IR)
  • Develop agency incident response
  • Incident reporting
  • Timely response coordination
  • Data collection

What Information Is Covered by Policy?
  • All Information:
    • Electronic
    • Written
    • Verbal
Key Policy Elements: Incident

What is an "incident" we should report?
  • Defined in the policy
  • Remember the policy goals: will reporting this incident help?

Four key elements of a reportable incident; it:
  • Involves the security of information
  • Is unwanted or unexpected
  • Shows harm or a significant threat of harm
  • Requires a non-routine response

Key Policy Elements: Incident (continued)

Common pitfall for IR plan authors: confusing an "incident" with an "SB583 breach"
  • Information Security Incident: as defined by the policy (the four elements above)
  • SB583 Breach: exposure of personally identifiable information (PII) as defined by the Oregon Consumer Identity Theft Protection Act (OCITPA, aka SB583)

All breaches are incidents; not all incidents are breaches.

Key Policy Elements: Responsibilities
  • State Incident Response Team (SIRT)
  • State Data Center (SDC)
  • Agencies

SIRT Responsibilities
  • Statewide Incident Response Program: policy, plan, procedures, reporting
  • Data aggregation and reporting
  • Incident response. When will the SIRT respond?
    • Statewide impact
    • Agency assistance required
    • SB583 breaches
  • Incident forensics capabilities

SDC Responsibilities
  • Monitoring and alerting
  • Incident response
  • State Wide Area Network (WAN)
  • SDC-hosted infrastructure

Agency Responsibilities
  • Agencies are responsible for their own information
  • Agency IR capabilities: policy, plan, procedures
  • Agency information incidents: detection, response, follow-up, protection
  • SIRT point of contact
  • Assist the SIRT

Agencies Need To:
  • Create or adopt a policy
  • Develop a plan
  • Develop capabilities
  • Create procedures
  • Assign a point of contact

Policy compliance date: May 1, 2009

"IR" Is Not Just "IT"
  • IR requires agency business participation
  • Not all information is electronic
  • Business drives response
  • Incident detection happens anywhere in the agency, not just in the IT department

Resources For Agencies
  • Website overview
  • Plan template
  • Educational resources
  • Qualified vendors list
  • Point of contact form
  • Potential IR workshops

IR Website
  • http://www.oregon.gov/DAS/EISPD/ESO/SIRT.shtml

IR Plan Template
  • http://www.oregon.gov/DAS/EISPD/ESO/docs/SIRT/IncidentResponsePlanTemplate.doc

Educational Resources
  • Carnegie Mellon CERT
  • SANS Institute
  • InfoSec Institute

Master Services Contract
  • Qualified Vendors List
    • Incident response
    • Breach services
  • Currently in DAS Procurement

Agency Point of Contact
  • This form (available on our website) needs to be completed for every agency and given to the SIRT
Guest Speakers

Agency Experiences Developing Incident Response Capabilities
  • Bret West – DAS
  • Richard Rylander – DOJ

Bret West, Operations Division Administrator, Department of Administrative Services

Incident Response Policy and Plan Development
DAS Incident Response Policy and Plan Development

The assignment: develop and implement DAS' internal incident response program.

The timeframe: concurrently with development and adoption of the statewide Enterprise Security Office IRP policy.

Why concurrently? To inform ESO policy/plan development.

DAS Incident Response Policy and Plan Development (continued)
  • Engaged the DAS IT Management Council
    • Governing body for DAS internal IT
    • Made up of representatives from all DAS divisions
    • Good mix of division administrators/staff; technical/non-technical; management/classified
  • Established a subcommittee to work through details
  • Discussed roles and responsibilities of IT staff vs. data owners

DAS Incident Response Policy and Plan Development (continued)
  • Presented draft policy, plan and informational flyer to the IT Management Council
  • Identified changes needed through robust council discussion
  • Presented the final package to the DAS Executive Team for adoption

DAS Incident Response Policy and Plan Development (continued)
  • Ensuring stakeholder engagement
  • Clearly delineating roles and responsibilities
    • DAS Ops (internal) vs. SDC and ESO (external)
    • Data owners vs. IT staff
  • Resuming business operations

DAS Incident Response Policy and Plan Development (continued)

Path to Success
  • Used ESO templates for the policy, plan and awareness flyer
  • Engaged business partners and the executive team
  • Realized that the plan would evolve with experience
  • Identified gaps in staffing/skill sets
  • Work with the agency communications team to roll out the policy

Guest Speakers – Part II

Agency Experiences Developing Incident Response Capabilities
  • Bret West – DAS
  • Richard Rylander – DOJ

Richard Rylander, Security Coordinator, Department of Justice

DOJ Security Incident Response
  • Incident types
  • Incident data

Incident Types
  • Malware and spyware infection
  • Virus and worm infection/outbreak
  • Breach of acceptable use policy
  • Breach of security policy or procedures
  • Loss or theft of physical or electronic media
  • Data loss

Who owns incident response?
  • Information Technology
  • Who is responsible for incident response?
    • Roles and responsibilities
    • Communications plan

Business Concerns
  • Incident impact
  • Notification requirements
  • Law enforcement
  • Data loss (physical or electronic)
  • Financial loss
  • Legal requirements
  • Loss of productivity

Information Technology Concerns
  • What data was compromised? Physical or electronic?
  • How was the data compromised?
  • How many systems were affected?
  • Was the data loss preventable?
  • Was there inside involvement?
  • Was there outside involvement?
  • Was the data encrypted?

To address these concerns:
  • Create an incident response process flow
  • Create a responsibility matrix
  • Create a communications plan

Incident Response Flow Diagram

(Flow diagram slide; only the node labels survived extraction, the connecting arrows did not. The labels are grouped here by phase.)

Detection and triage
  • Incident Detection
  • CSC Notified
  • CSC Contacts SIRT Member Based on Incident Location
  • SIRT Member Conducts Initial Investigation
  • Decision: Security Incident?
  • Decision: Property Loss? (if yes, follow the Property Loss Policy)

Containment and investigation
  • Isolate & Contain (as necessary)
  • Collect Evidence (document)
  • Forensic Duplication of Data (as required)
  • Determine Business Impact (document)
  • Continue Investigation / Determine Response

Response and recovery
  • Response (document)
  • Apply Corrective Actions
  • Recovery (document)
  • Return System(s) to Normal Operation
  • Monitor Systems

Reporting and closure
  • Notify CIO
  • Communications (internal)
  • Communications (external)
  • Identify Lesson(s) Learned (document)
  • Implement Improvements or Corrections from Lesson(s) Learned
  • Update Risk Management
  • Develop Final Report
  • Deliver Findings to CIO & Management
  • Close Security Incident

Develop a Responsibility Matrix

Role                             | Report | Detect/Monitor | Evaluate | Containment | Communicate | Respond/Correct | Recover | Document
---------------------------------+--------+----------------+----------+-------------+-------------+-----------------+---------+---------
Chief Information Officer        | R      | I              | I/C/R    | I/C         | I/C/R       | I/C             | I       | I/C/R
IS Management                    | R      | I              | I/C/R    | I/C         | I/C/R       | I/C             | I       | I/C/R
Security Officer                 | R      | C/R            | I/C/R    | I/C         | I/C         | I/C             | I       | I/C/R
Network Security Administrator   | R      | C/R            | I/C/R    | C/R         | I/C/R       | I/C/R           | I/C/R   | I/C/R
Network Administrator            | R      | C/R            | I/C/R    | C/R         | I/C/R       | I/C/R           | I/C/R   | I/C/R
Network Services Team            | R      | C/R            | I/C/R    | C/R         | I/C         | I/C/R           | I/C/R   | I/C/R
Mainframe Team                   | R      | C/R            | I/C/R    | C/R         | I/C/R       | I/C/R           | I/C/R   | I/C/R
Desktop Services Team            | R      | C/R            | I/C      | I/C         | I/C         | I/C/R           | I/C/R   | I/C/R
Customer Services Team           | R      | C/R            | I/C      | I/C         | I/C         | I/C             | I/C     | I/C/R
Application Development Team     | R      | C/R            | I/C/R    | I/C/R       | I/C/R       | I/C/R           | I/C/R   | I/C/R
Division Management              | R      | C/R            | I/C/R    | I/C/R       | I/C/R       | I/C/R           | I/C/R   | I/C/R
All DOJ Employees                | R      | C/R            | n/a      | I/C         | I/C         | I               | I       | I/C
Risk Management                  | I      | I              | I/C/R    | I/C/R       | I/C/R       | I/C             | I/C     | I/C/R
State Data Center (SDC related)  | R      | I/C/R          | I/C/R    | I/C/R       | I/C/R       | I/C/R           | I/C/R   | I/C/R

R = Responsible, C = Contributes, I = Informed

Incident Response Mistakes

Failure to mitigate the risk
  • Shut down the attack point. Do not get caught up in "fire fighting" mode.
  • Isolate and prevent the incident from spreading, unless there is a reason to permit the attack to continue (for example, to observe the attacker while evidence is gathered).
  • Do not underestimate the scope of the incident.

Failure to learn from past incidents
  • Modify security controls and training materials to reflect lessons learned.

Failure to document incident procedures
  • Provide a communication plan.
  • Provide reporting and documentation requirements.
  • Document all incidents in detail.

Oregon Incidents 2008

Nov. 1, 2008: Veterans Affairs Medical Center (Portland, OR), 1,600 records. Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site.

June 4, 2008: Oregon State University (Corvallis, OR), 4,700 records. The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.

April 28, 2008: Hough, MacAdam & Wartnik (North Bend, OR), 500 records. A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information.

Mar. 6, 2008: Cascade Healthcare Community (Prineville, OR), 11,500 records. A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community.

Notable Incidents

Records       Organization                                                        Date
94,000,000    TJX Companies Inc.                                                  01/17/2007
40,000,000    CardSystems (Visa, MasterCard, American Express)                    06/19/2005
30,000,000    America Online                                                      06/24/2004
26,500,000    U.S. Department of Veterans Affairs                                 05/22/2006
25,000,000    HM Revenue and Customs                                              11/20/2007
17,000,000    T-Mobile, Deutsche Telekom                                          10/06/2008
12,500,000    Archive Systems Inc. / Bank of New York Mellon                      05/07/2008
11,000,000    GS Caltex                                                           09/06/2008
 8,637,405    Dai Nippon Printing Company                                         03/12/2007
 8,500,000    Certegy Check Services Inc. / Fidelity National Information Services 03/07/2007

Source: http://datalossdb.org

Benefits of Incident Response
  • User awareness
  • Defined responsibilities
  • Defined response procedure
  • Defined incident response policy
  • Defined communications plan
  • Measurable results

  • Define responsibilities
  • Identify areas of challenge
  • Identify and create key documents
    • Communications plan
  • Document in detail
  • Use resources available for assistance:
    • NIST – National Institute of Standards and Technology (http://csrc.nist.gov/)
    • SANS Institute (http://www.sans.org/)
    • US-CERT (http://www.us-cert.gov/)
    • RFC 2350, Expectations for Computer Security Incident Response (http://www.ietf.org/rfc)

Richard Rylander

Oregon Department of Justice