The Breezy Incident Management policy governs the decisions and actions taken in response to failures in Breezy's service operations that cause, or may cause, an interruption to or a reduction in the quality of service.
This policy applies to all incidents reported by Breezy employees, vendors and third-party contract personnel (consultants/contractors) regarding IT infrastructure hardware, software, system components, virtual components, cloud components, networks, services, documents and processes.
Information security incidents reported to Breezy by a client, or by any individual or entity not covered above, shall be documented on the IRT Incident Report Form by the employee who receives the notification.
Incident detection can be the most difficult phase of the incident response process. In many cases, though, it is obvious that a security incident has occurred: for example, a website has been defaced, or a user account was logged into while its owner was out on vacation. In other cases it is not as easy to determine whether a security incident has occurred. Here are some ways to find out about a potential security incident:
As a general rule, if you suspect something, say something to your immediate manager.
All Breezy employees, contractors and vendors are responsible for immediately reporting security violations, incidents, or unusual or suspicious system activity via the IRT Incident Report Form. Incident reports are then sent to the Breezy Information Security Manager, who determines the appropriate response actions to investigate and resolve the incident. If warranted, the Information Security Manager will activate the Breezy Incident Response Team (IRT) and the LTG Help Desk. All incident data is captured on the IRT Incident Report Form. The CEO is the only individual authorized to contact law enforcement.
Upon notification of a security incident via the IRT Incident Report Form, the Information Security Manager will determine the appropriate course of action and, if warranted, invoke the Breezy Incident Response Team (IRT) and the LTG Help Desk. The IRT, if activated, is then ultimately responsible for managing the resolution process, including user or system notification, escalation or follow-up action, and post-incident reporting.
Once the incident is deemed "contained" or "closed", Breezy personnel may be required to recover the systems involved in the incident. The overall goal of the recovery process is to restore the system to a more secure state than it was in before the incident. This means not only restoring data and applications as required, but also ensuring that the vulnerability exploited in the incident has been remediated, so that the same attack cannot simply be repeated against the restored system.
Additionally, as part of system recovery, all system and user passwords, and any other credentials that may have been exposed during the incident, should be changed following an incident.
Much of the evidence on information resources is volatile and may be deleted or overwritten during normal system operations. At a minimum, all system logs must be copied immediately to offline storage, and a cryptographic hash of each copy should be recorded at the time it is taken so that its integrity can be demonstrated later. This ensures the logs are preserved and cannot be lost, either through normal operations such as log rotation or deliberately by the intruder. If feasible, a complete backup (forensic image) of the compromised system should be made and secured. This preserves the condition of the system as of the time of the compromise, so that evidence survives even if the intruder later erases files.
The Information Security Manager should copy the log files and, where possible, create a backup of the compromised system. Other users should not access the affected system unless they have the expertise to perform these functions; otherwise they risk damaging or deleting evidence. All operational activities conducted by the Information Security Manager or the Incident Response Team must be fully documented in a log (hard copy or soft copy) so that the record can be used if needed during legal proceedings.
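The two paragraphs above require that logs be copied off the compromised host immediately, that their integrity be provable later, and that the responder's actions be recorded. The following script is an added example of how a responder could do that from a shell; it is not part of the Breezy policy and not Breezy's tooling. It assumes a Linux host with GNU coreutils (`sha256sum`, `cp -p`, `find`), and the source and destination paths, the manifest file names and the sample log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not Breezy's code): preserve logs off a compromised host
# with per-file SHA-256 hashes and a custody record, then verify the copy.
set -e

# preserve_logs SRC_DIR DEST_DIR
# Copies every file under SRC_DIR into DEST_DIR/logs, keeping timestamps
# and modes (which are evidence in their own right), records a SHA-256
# for each copy in MANIFEST.sha256, hashes the manifest itself, writes a
# custody record, and removes write permission from the preserved files.
preserve_logs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest/logs"
    # -p preserves mtime/mode/ownership where permitted; -R copies subdirs.
    cp -Rp "$src/." "$dest/logs/"
    # Who took the copy, when, and from where: legal review will ask.
    printf 'collected_at=%s\nhost=%s\nsource=%s\ncollector=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" "$(id -un)" \
        > "$dest/CUSTODY.txt"
    # Deterministic order so two manifests of the same tree compare equal.
    (cd "$dest" && find logs -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done) > "$dest/MANIFEST.sha256"
    # Hash of the manifest: record this value out of band (e.g. in the
    # handwritten IRT log) so the manifest itself can be shown unaltered.
    (cd "$dest" && sha256sum MANIFEST.sha256) > "$dest/MANIFEST.sha256.sha256"
    find "$dest/logs" -type f -exec chmod a-w {} +
    chmod a-w "$dest/MANIFEST.sha256" "$dest/MANIFEST.sha256.sha256"
}

# verify_logs DEST_DIR
# Returns 0 if every preserved file still matches its recorded hash,
# non-zero if any file was altered, added to the manifest, or removed.
verify_logs() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}

# make_sample_logs DIR
# Constructed sample log lines standing in for a real /var/log tree.
make_sample_logs() {
    mkdir -p "$1/nginx"
    printf 'Mar  3 02:14:07 web1 sshd[4182]: Accepted publickey for deploy from 203.0.113.7 port 51022\n' \
        > "$1/auth.log"
    printf '203.0.113.7 - - [03/Mar/2024:02:15:41 +0000] "GET /admin/ HTTP/1.1" 200 512\n' \
        > "$1/nginx/access.log"
}

# Usage on a real host (paths are assumptions):
#   preserve_logs /var/log /mnt/evidence/web1-2024-03-03
#   verify_logs /mnt/evidence/web1-2024-03-03 && echo "evidence intact"
```

The destination should be removable or network storage that the compromised host cannot later reach, and the manifest hash should be written into the IRT activity log at the time of collection; `verify_logs` then lets anyone, including opposing counsel's expert, confirm that the preserved copy is the one that was taken.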
Computer forensics involves the prioritization, identification, preservation and analysis of potential evidence surrounding a computer security incident. As first responder, the Breezy Incident Response Team (IRT) leader will determine when computer forensics need to be performed on a compromised information resource. Breezy may need to engage a third-party expert to gather, preserve and analyze the evidence. Improper handling of evidence can eliminate any chance of legal recourse for Breezy, so forensic principles for evidence handling must be adhered to. These principles include but are not limited to: