Chapter 17: Incident Response Policy
Chapter Overview:
This chapter reviews incident response capabilities and introduces an example Incident Response Policy. The chapter begins with a brief overview of incident response capabilities and an introduction to NIST Special Publication 800-61 and concludes with an example Incident Response Policy. Incident Response is a field unto itself, and a detailed review of its principles, processes, and approach is beyond the scope of this book. This chapter shows the importance of incident response capabilities, introduces additional references and shows how Incident Response relates to Terminal Server.
Even with the most sophisticated, state-of-the-art security systems and effective policies, security incidents will occur. The most common security incidents are viruses, malware, laptop theft and employee network abuse. Less common security events are denial of service attacks, sabotage, intellectual property theft, fraud and system penetration from external sources. Sooner or later, every organization will need to respond to a security incident. A quick, well-orchestrated response will minimize loss and damage; in contrast, a poor response could result in financial, legal, and public relations problems.
An Incident Response Policy is used to define how an organization responds to security incidents. It is an action-oriented policy that is used to provide guidance to quickly detect security incidents, minimize loss, mitigate exploited weaknesses and rapidly restore services. The majority of the Enterprise Architecture policies reviewed in this book have been passive policies that provide guidance on appropriate systems usage, technology standards, system design, system configurations and auditing. An Incident Response Policy is an action-oriented policy that requires quick and efficient execution in order to protect an organization’s assets.
With regard to Terminal Server, security incidents typically occur within a Terminal Server user session. Examples of incidents that originate from Terminal Server user sessions are malware infection, network abuse, sabotage, intellectual property theft and fraud. These types of security incidents are typically discovered by a technical or administrative security control, an audit or an employee. When one of these security incidents is detected, an Incident Response Policy is the primary administrative control used to mitigate the damage.
Organizations that must comply with regulatory mandates must undergo regular audits to validate incident response capabilities. A number of widely adopted guidelines can be used to assist organizations in understanding how to implement incident response capabilities. Two examples of such guidelines are ISO/IEC 17799 section 13 and NIST Special Publication 800-61.
NIST Special Publication 800-61 is a free, 148-page Computer Security Incident Handling Guide which contains eight chapters and ten appendixes. The goal of NIST Special Publication 800-61 is to assist organizations in establishing computer security incident response capabilities. It is an in-depth document that is widely adopted and used in both the public and private sectors to implement incident response capabilities.
List 17.1 shows NIST Special Publication 800-61 areas of focus:
- Organizing a computer security incident response capability.
- Establishing incident response policies and procedures.
- Structuring an incident response team.
- Handling incidents from initial preparation through the post-incident lessons learned phase.
- Handling specific types of incidents.
The following Incident Response Policy defines how an organization responds to security incidents. The example policy starts with a Purpose and Scope statement and then proceeds with the policy. This policy is intended for informational purposes only.
Purpose
The purpose of this policy is to define a formal reporting and response procedure to be followed when responding to security incidents. Implementing formal reporting and response procedures ensures that information security events are communicated in a manner that allows timely corrective action to be taken while applying a consistent approach to the management of information security incidents.
Scope
This policy applies to all employees and non-employees working for or with <Company Name>.
Policy
A security incident is described as one or more of the following conditions:
- Any potential violation of Federal law, State law, or <Company Name> policy involving an Information Technology (IT) asset.
- A breach, attempted breach or other unauthorized access to a <Company Name> IT asset.
- Any Internet worm, virus, Denial of Service (DoS) attack or related incident.
- Any change in a computer system that disables or defeats security precautions.
- Any failure in network or computer systems that disrupts IT services.
- Any employee or non-employee who violates policy.
Reporting a Security Incident
Employees and non-employees working for or with <Company Name> will immediately report the following:
- A security incident that involves unauthorized physical access to a building or secure location, physical threat, imminent danger or personal safety issue.
- An actual or suspected security incident that involves unauthorized access to information systems, such as:
Excluding the steps outlined below, it is essential that all investigative or corrective action be taken only by InfoSec personnel. When faced with a potential security incident, employees and non-employees should do the following if the incident involves a compromised computer system:
- Do not alter the state of the computer system.
- The computer system should remain on and all currently running computer programs should be left as is.
- Do not shut down or restart the computer.
- Immediately disconnect the computer from the network by removing the cable from the back of the computer.
- Report the security incident to InfoSec.
InfoSec Contacts:
<Names and Phone Numbers>
Response
InfoSec staff will first determine if the Security Incident justifies a formal incident response. In cases where a Security Incident does not require an incident response, the situation will be forwarded to the appropriate area of operations to ensure that all technology support services required are rendered.
An incident response may range from getting a critical system back online, gathering evidence, or taking appropriate legal action against the individual(s) involved, to, in some cases, notifying the appropriate ISPs or other third parties of inappropriate activity originating from their network.
Any contacts or attempted contacts from the media regarding an incident should be redirected to the marketing/communication department.
Policy Review
This policy will be reviewed annually.
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Reference
NIST Special Publication 800-61
NIST Handbook Chapter 12
ISO/IEC 17799 section 13
The example Incident Response Policy shows how a policy is used to define how an organization responds to security incidents.
This chapter discussed incident response capabilities and concluded with an example Incident Response Policy.
- Even with the most sophisticated, state-of-the-art security systems and effective policies, security incidents will occur.
- The most common security incidents are viruses, malware, laptop theft and employee network abuse.
- Less common security events are denial of service attacks, sabotage, intellectual property theft, fraud and system penetration from external sources.
- Sooner or later, every organization will need to respond to a security incident. A quick, well-orchestrated response will minimize loss and damage; in contrast, a poor response could result in financial and public relations problems.
- An Incident Response Policy is an action-oriented policy that is used to provide guidance to quickly detect security incidents, minimize loss, mitigate exploited weaknesses and rapidly restore services.
- ISO/IEC 17799 section 13 and NIST Special Publication 800-61 provide guidance on how to implement incident response capabilities.
The next chapter will introduce Vulnerability Assessments and an example Audit Vulnerability Scan Policy.
Resources:
NIST Special Publication 800-61
ISO/IEC 17799 section 13
CERT® Coordination Center Incident Reporting Guidelines
http://www.cert.org/tech_tips/incident_reporting.html