THIS IS A SAMPLE! Feel free to use or modify it for your own use! Want a Policies and Procedures Wiki like this? Sign up for a Staff.Wiki trial by clicking here.

Security Incident Management

Definitions 

Security incident: Refers to an adverse event in an information system, and/or network, or the threat of the occurrence of such an event. Incidents can include, but are not limited to, unauthorized access, malicious code, network probes, and denial of service attacks. 

Overview 

Security Incident Management at (^Company^) is necessary to detect security incidents, determine the magnitude of the threat presented by these incidents, respond to these incidents, and if required, notify (^Company^) members of the breach. 

Purpose 

This policy defines the requirement for reporting and responding to incidents related to (^Company^) information systems and operations. Incident response provides (^Company^) with the capability to identify when a security incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident would be significantly greater than if the incident were noted and corrected.

This policy applies to all information systems and information system components of (^Company^). Specifically, it includes: 

  1. Mainframes, servers, and other devices that provide centralized computing capabilities. 
  2. Devices that provide centralized storage capabilities. 
  3. Desktops, laptops, and other devices that provide distributed computing capabilities. 
  4. Routers, switches, and other devices that provide network capabilities. 
  5. Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities. 

In the event a breach of member’s information occurs, (^Company^) is required by Wisconsin state law to notify the individual(s) as described in Wisconsin Statute Section 895.507(2).

Policy Detail

Program Organization 

Computer Emergency Response Plans

(^Company^) management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service. For example, Charter connectivity is interrupted or an isolated malware discovery. 

Incident Response Plan Contents 

The (^Company^) incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include: 

  • Specific incident response procedures
  • Business recovery and continuity procedures 
  • Data backup processes 
  • Analysis of legal requirements for reporting compromises o Identification and coverage for all critical system components o Reference or inclusion of incident response procedures from relevant external partners, e.g., payment card issuers, suppliers 

Incident Response Testing
 

  • At least once every year, the IT Department must utilize simulated incidents to mobilize and test the adequacy of response.
  • Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented and shared with key stakeholders. 

Incident Response and Recovery

A security incident response capability will be developed and implemented for all information systems that house or access (^Company^) controlled information. The incident response capability will include a defined plan and will address the seven stages of incident response: 

  1. Preparation
  2. Detection
  3. Analysis
  4. Containment
  5. Eradication 
  6. Recovery 
  7. Post-Incident Activity 

To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis. 

Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based upon the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders. 

Intrusion Response Procedures

The IT Department must document and periodically revise the Incident Response Plan with intrusion response procedures. These procedures must include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures. 


Malicious Code Remediation

Steps followed will vary based on scope and severity of a malicious code incident as determined by Information Security Management. They may include but are not limited to: malware removal with one or more tools, data quarantine, permanent data deletion, hard drive wiping, or hard drive/media destruction. 


Data Breach Management

(^Company^) management should prepare, test, and annually update the Incident Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data. 

Incident Response Plan Evolution

The Incident Response Plan must be updated to reflect the lessons learned from actual incidents. 

The Incident Response Plan must be updated to reflect developments in the industry.

Program Communication 


Reporting to Third Parties

Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with legal representatives, the Security Officer, and the VP of IT must weigh the pros and cons of external disclosure before reporting these violations.

If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties must be immediately informed about the situation.

If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its Owner and the Security Officer must be notified immediately.

Display of Incident Reporting Contact Information

(^Company^) contact information and procedures for reporting information security incidents must be prominently displayed in public communication mediums such as bulletin boards, break rooms, newsletters, and the intranet. 

Member Notification

The notification will be conducted and overseen by (^Company^)’s Director of Risk Management. The notification should contain, at a minimum, the following elements: 

  1. Recommendations for the member to protect him/herself 
  2. Contact information for the Federal Trade Commission 
  3. Contact information for the credit bureaus

Want a Policies & Procedures Wiki like this? Sign up and try Staff.Wiki by clicking here.

Next Topic:
© Copyright 2024 WorkflowFirst Software LLC
v6.0.0.14090
Up Since 4/12/2024 11:49:28 PM