Security Incident Management
Definitions
Security incident: Refers to an adverse event in an information system, and/or network, or the threat of the occurrence of such an event. Incidents can include, but are not limited to, unauthorized access, malicious code, network probes, and denial of service attacks.
Overview
Security Incident Management at (^Company^) is necessary to detect security incidents, determine the magnitude of the threat presented by these incidents, respond to these incidents, and if required, notify (^Company^) members of the breach.
Purpose
This policy defines the requirement for reporting and responding to incidents related to (^Company^) information systems and operations. Incident response provides (^Company^) with the capability to identify when a security incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident would be significantly greater than if the incident were noted and corrected.
This policy applies to all information systems and information system components of (^Company^). Specifically, it includes:
- Mainframes, servers, and other devices that provide centralized computing capabilities.
- Devices that provide centralized storage capabilities.
- Desktops, laptops, and other devices that provide distributed computing capabilities.
- Routers, switches, and other devices that provide network capabilities.
- Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities.
In the event a breach of a member’s information occurs, (^Company^) is required by Wisconsin state law to notify the affected individual(s) as described in Wisconsin Statute Section 895.507(2).
Policy Detail
Program Organization
Computer Emergency Response Plans
(^Company^) management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service. Examples include an interruption of Charter connectivity or an isolated malware discovery.
Incident Response Plan Contents
The (^Company^) incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include:
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Identification and coverage for all critical system components
- Reference or inclusion of incident response procedures from relevant external partners, e.g., payment card issuers, suppliers
Incident Response Testing
- At least once every year, the IT Department must utilize simulated incidents to mobilize and test the adequacy of response.
- Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented and shared with key stakeholders.
Incident Response and Recovery
A security incident response capability will be developed and implemented for all information systems that house or access (^Company^) controlled information. The incident response capability will include a defined plan and will address the seven stages of incident response:
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activity
To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis.
Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based upon the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders.
Intrusion Response Procedures
The IT Department must document and periodically revise the Incident Response Plan with intrusion response procedures. These procedures must include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform which responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with them.
Malicious Code Remediation
The steps followed will vary based on the scope and severity of a malicious code incident as determined by Information Security Management. They may include, but are not limited to: malware removal with one or more tools, data quarantine, permanent data deletion, hard drive wiping, or hard drive/media destruction.
Data Breach Management
(^Company^) management should prepare, test, and annually update the Incident Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.
Incident Response Plan Evolution
The Incident Response Plan must be updated to reflect the lessons learned from actual incidents and to reflect developments in the industry.
Program Communication
Reporting to Third Parties
Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with legal representatives, the Security Officer, and the VP of IT, must weigh the pros and cons of external disclosure before reporting these violations.
If a verified information systems security problem, or a suspected but likely information security problem, has caused third-party private or confidential information to be exposed to unauthorized persons, those third parties must be informed about the situation immediately.
If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its Owner and the Security Officer must be notified immediately.
Display of Incident Reporting Contact Information
(^Company^) contact information and procedures for reporting information security incidents must be prominently displayed in public communication mediums such as bulletin boards, break rooms, newsletters, and the intranet.
Member Notification
The notification will be conducted and overseen by (^Company^)’s Director of Risk Management. The notification should contain, at a minimum, the following elements:
- Recommendations for the member to protect him/herself
- Contact information for the Federal Trade Commission
- Contact information for the credit bureaus