Incident Response Plan

  1. Incidents may include
    1. system malfunctions or overloads
    2. human errors
    3. non-compliance with policies or guidelines
    4. breaches of physical security arrangements
    5. uncontrolled system changes
    6. malfunctions of software or hardware
    7. anomalous system events
    8. access violations
    9. information system failures and loss of service
    10. malicious code
    11. denial of service attacks
    12. errors resulting from incomplete or inaccurate business data
    13. breaches of confidentiality and integrity
    14. misuse of information systems
  2. The person who discovers the incident will notify the IT Manager.
  3. The IT Manager will log:
    1. The name of the caller.
    2. The time of the call.
    3. Contact information for the caller.
    4. The nature of the incident.
    5. What equipment or persons were involved.
    6. The location of the equipment or persons involved.
    7. How the incident was detected.
    8. When the event that first indicated an incident had occurred was noticed.
  4. The IT Manager will perform an initial assessment of the issue. 
  5. The incident will be categorized into the highest applicable level of one of the following categories:
    1. Category one – A threat to safety – Priority High
      1. Notify all staff members using intercom
      2. Notify Police by calling 911 to request assistance
      3. Notify company managers and above by phone
    2. Category two – A threat to sensitive data – Priority High
      1. Notify company managers and above by phone call, provide a summary of the information collected by the incident response team, and follow up by email
      2. Notify company attorney
      3. Engage IT security consultant
      4. Also see section Notify external entities
    3. Category three – A threat to computer systems – Priority Medium
      1. Notify company managers and above by phone call, provide a summary of the information collected by the incident response team, and follow up by email
      2. Engage IT security consultant
      3. Also see section Notify external entities
    4. Category four – A disruption of services – Priority Medium
      1. Notify company managers and above by phone call, provide a summary of the information collected by the incident response team, and follow up by email
      2. Engage IT security consultant
      3. Also see section Notify external entities
    5. Category five – Violation of company policy – Priority Low
      1. Notify company President by email with summary of incident
  6. The IT Manager will take immediate action based on the initial incident assessment:
    1. Worm/Virus/Spyware/Malware response
      1. Prevent spread by turning off routers/switches or otherwise disabling the network
      2. Execute scan on all servers and workstations to locate infection
    2. System failure
      1. Contact the hardware vendor for repair, or contact hosting support
    3. Active intrusion response
      1. For hosted servers, disable remote access or shut down the server
      2. For the local network, unplug the connection to the public internet
    4. System abuse
      1. Disable access for user involved in the abuse
    5. Property theft response
      1. Determine data that might have been stolen
    6. Denial of service response
      1. Determine IP addresses involved in the attack
      2. Adjust firewall to block traffic from the offending IP addresses
  7. The IT Manager will call a meeting of the incident response team and determine a response strategy.
    1. Is the incident still in progress?
    2. What data or property is threatened and how critical is it?
    3. What is the impact on the business should the attack succeed? Minimal, serious, or critical?
    4. What system or systems are targeted, and where are they located, physically and on the network?
    5. Is the incident inside the trusted network?
    6. Is the response urgent?
    7. Can the incident be quickly contained?
    8. Will the response alert the attacker and do we care?
    9. What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
  8. Notify external entities if applicable
    1. Notify hosting company if hosted servers or workstations were involved
    2. Notify the police and other appropriate agencies if prosecution of the intruder is possible
    3. Notify the insurance company if a theft was involved
    4. If Amazon data is involved
      1. Inform Amazon via email to 3p-security@amazon.com within 24 hours of detecting any security incident, and provide a summary of the incident.
      2. Do not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that we do so.
      3. Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case Amazon reserves the right to review the form and content of any notification before it is provided to any party. Developers must inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.
  9. Response team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel should perform interviews or examine evidence; who is authorized may vary by situation and organization.
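One way to carry out the log review in step 9, as an added example that is not part of this plan: the script below walks constructed syslog-style lines and reports silent periods, entries whose timestamps go backwards, and lines that fail to parse. The log format, the ten-minute threshold, and the sample lines are assumptions.

```python
"""Gap and ordering check for a timestamped log (step 9 of the plan). Added
example, not part of the original plan; format and sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed syslog-like lines "YYYY-MM-DD HH:MM:SS host proc[pid]: msg"; line 4 is corrupted, line 7 out of order.
SAMPLE_LOG = """\
2024-03-01 10:00:00 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5
2024-03-01 10:05:30 web01 cron[1220]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01 10:08:12 web01 sshd[1240]: Accepted password for admin from 10.0.0.9
<<corrupted record>>
2024-03-01 11:30:00 web01 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01 11:31:05 web01 sshd[1310]: Disconnected from 10.0.0.9
2024-03-01 11:20:00 web01 su[1290]: session opened for user root
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ .*$")

def parse_timestamp(line):
    """Return the entry's datetime, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None

def find_gaps(lines, max_gap=timedelta(minutes=10)):
    """Single pass reporting what a reviewer looks for: silent periods longer than
    max_gap, timestamps that go backwards (clock changes, appended or forged lines),
    and lines that fail to parse (truncation or corruption). Line numbers are 1-based."""
    gaps, out_of_order, unparsed = [], [], []
    prev_line, prev_ts = None, None
    for n, line in enumerate(lines, 1):
        ts = parse_timestamp(line)
        if ts is None:
            unparsed.append(n)
            continue
        if prev_ts is not None:
            delta = ts - prev_ts
            if delta < timedelta(0):
                out_of_order.append((prev_line, n))
            elif delta > max_gap:
                gaps.append((prev_ts, ts, int(delta.total_seconds())))
        prev_line, prev_ts = n, ts
    return {"gaps": gaps, "out_of_order": out_of_order, "unparsed": unparsed}

if __name__ == "__main__":
    report = find_gaps(SAMPLE_LOG.splitlines())
    for start, end, secs in report["gaps"]:
        print(f"silent for {secs}s between {start} and {end}")
    print("out of order (prev line, line):", report["out_of_order"])
    print("unparsed lines:", report["unparsed"])
```

A gap or a backwards timestamp is a lead, not proof: check log rotation, NTP changes and host reboots before treating it as tampering.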
  10. Response team members will restore the affected system(s) to an uninfected state. They may do any of the following:
    1. Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
    2. Make users change passwords if passwords may have been sniffed.
    3. Be sure the system has been hardened by turning off or uninstalling unused services.
    4. Be sure the system is fully patched.
    5. Be sure real-time virus protection and intrusion detection are running.
    6. Be sure the system is logging the correct events and to the proper level.
  11. Documentation—the following shall be documented:
    1. How the incident was discovered.
    2. The category of the incident.
    3. How the incident occurred, whether through email, firewall, etc.
    4. Where the attack came from, such as IP addresses and other related information about the attacker.
    5. What the response plan was.
    6. What was done in response.
    7. Whether the response was effective.
  12. Evidence Preservation—make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.
  13. Assess damage and cost—assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
  14. Review response and update policies—plan and take preventative steps so the intrusion can’t happen again.
    1. Consider whether an additional policy could have prevented the intrusion.
    2. Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
    3. Was the incident response appropriate? How could it be improved?
    4. Was every appropriate party informed in a timely manner?
    5. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
    6. Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
    7. Have changes been made to prevent a new and similar infection?
    8. Should any security policies be updated?
    9. What lessons have been learned from this experience?
  15. Response team members will recommend changes to prevent the incident from recurring or spreading to other systems. Upon management approval, the changes will be implemented.
  16. Preventing incidents before they happen
    1. Host Security. All hosts should be hardened appropriately using standard configurations. In addition to keeping each host properly patched, hosts should be configured to follow the principle of least privilege—granting users only the privileges necessary for performing their authorized tasks. Hosts should have auditing enabled and should log significant security-related events.
    2. Network Security. The network perimeter should be configured to deny all activity that is not expressly permitted. This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.
    3. Malware Prevention. Software to detect and stop malware should be deployed throughout the organization.
    4. Log Monitoring. Software to detect possible security incidents in log files should be deployed throughout the organization.
    5. User Awareness and Training. Users should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications.