Incident Management Policy (A.16.1)

Objectives

  • Restore normal service operation(s) as quickly as possible
  • Minimize the adverse impact on business operations
  • Ensure agreed levels of service quality are maintained
  • Ensure standardized methods and procedures are used for efficient and prompt response, analysis, documentation, ongoing management and reporting of incidents
  • Increase visibility and communication of incidents to business and IT support staff
  • Enhance business perception of IT through use of a professional approach in quickly resolving and communicating incidents when they occur
  • Align Incident Management activities and priorities with those of the business
  • Maintain user satisfaction with the quality of IT services

Scope

The Breezy Incident Management policy will govern and guide the decisions and actions taken in the course of Breezy's service operations failures which cause, or may cause, an interruption to, or a reduction in, the quality of service.

The scope of this policy applies to all incidents reported by Breezy employees, vendors and third party contract personnel (consultants/contractors) regarding IT Infrastructure hardware, software, system components, virtual components, cloud components, networks, services, documents, and processes.

Information security incidents reported to Breezy by a client, or any individual/entity not covered above, shall be documented, via the IRT Incident Report Form, by the employee receiving the information security incident notification.

Policy

Incident Detection

Incident detection can be the most difficult phase of the incident response process. In many cases, though, it is obvious a security incident has occurred. For example, a website has been defaced or a user account was logged into while the actual user was out on vacation. In other cases, it is not as easy to determine if a security incident occurred. Here are some ways to find out about a potential security incident:

  • Users – Users, including systems administrators, are often the first to notice a problem with an information resource. For example, a user may complain their login no longer works or when they logged in, the system showed they had logged in while they were out on vacation. System administrators normally notice an information resource was compromised when they see the system start to slow down or notice more users logged in than they normally see, or they notice a new or unauthorized process running.
  • System Alert or IDS / IPS Alert – Breezy has auditing turned on for all information resources processing sensitive information as well as strategically placed network and host-based intrusion detection systems (IDS). Ideally what happens is the audit log or the IDS shows an attempted or successful intrusion has occurred.

As the general rule, if you suspect something, say something to your immediate manager.

Incident Reporting

All Breezy employees, contractors and vendors are responsible for immediately reporting security violations, incidents, or unusual or suspicious system activity via the IRT Incident Report Form. Incident reports are then sent to the Breezy Information Security Manager to determine appropriate response actions to investigate and resolve the incident. If warranted, the Information Security Manager will activate the Breezy Incident Response Team (IRT) and the LTG Help Desk. All incident data is captured on the IRT Incident Report Form. The CEO, is the only individual authorized to contact law enforcement.

Incident Response

Upon notification of a security incident via the IRT Incident Report Form, the Information Security Manager will determine appropriate course actions and, if warranted, invoke the Breezy Incident Response Team (IRT) and the LTG Help Desk. The IRT, if employed, is then ultimately responsible for managing the resolution process including user or system notification, and escalation action or follow-up action, and post-incident reporting.

Incident Recovery

Once the incident is deemed “contained” or “closed”, Breezy personnel may be required to recover systems involved in the incident. The overall goal of the recovery process is to restore the system to a more secure state than the original. This means not only restoring the data and applications as required, but also ensuring the original vulnerability involved in the incident has been remediated.

Additionally, as part of system recovery, all system and user passwords should be changed following an incident.

Secure Evidence

Much of the evidence on information resources is volatile and may be deleted or overwritten during normal system operations. At a minimum, all system logs must be copied immediately to offline storage. This will ensure these logs are preserved and are not deleted either through normal operations or deliberately by the intruder. If feasible, a complete backup of the compromised system should be made and secured. This will preserve the condition of the system as of the time of the compromise and also prevent the intruder from erasing files.

The Information Security Manager should copy the log files and create a backup of the compromised system if possible. Users should not access the affected system unless they have the expertise to perform these functions or they risk damaging or deleting evidence. All operational activities conducted by the Information Security Manager or Incident Response Team must be fully documented and kept in a log file (hard copy or soft copy) so the documentation log can be used if needed during legal proceedings.

Computer Forensics

Computer Forensics involves the prioritizations, identification of potential evidence, and preservation and analysis of the information surrounding the computer security incident. As a first responder, the Breezy Incident Response Team (IRT) leader will determine when computer forensics need to be performed on a compromised information resource. Breezy may need to employ a third-party expert to gather, preserve, and analyze the evidence. Improper handling of evidence can eliminate any chance of legal recourse for Breezy. Forensic principles for evidence handling must be adhered to. These principles include but are not limited to:

  • Rule of Best Evidence – Every effort should be made to extract information as close to the form in which it existed at the time it was discovered. Backups should be made and log files exported to non-writable media as soon as possible.
  • Chain of Evidence – The principle where evidence must be completely accounted for from discovery to disposition.
  • Contamination – The handling procedures should be designed so there is no risk of contaminations, alteration, or appearance of potential contamination.
  • Investigation and Analysis – Are performed to fill out details of the incident. This activity attempts to determine the cause, ramifications, and process to follow, to fix the problem. The process is designed for both immediate and future prevention strategies.

Responsibilities

  • The IRT Incident Report Form is the first point of contact for all Breezy personnel. The IRT Incident Report Form will assist in identifying the potential security incident and initiate appropriate procedural action. The form notifies the Breezy Information Security Manager of any information security incident. If warranted, the Information Security Manager notifies the Breezy Incident Response Team and the LTG Help Desk.
  • The Breezy Incident Response Team (IRT) has clearly defined roles and responsibilities for escalating and resolving computer security incidents. The Information Security Manager plays a key role as the leader of the Incident Response Team and periodically reviews the incident response procedures to ensure they remain up-to-date. The IRT, if employed, is then ultimately responsible for managing the resolution process including user or system notification and escalation action, a follow-up action, and post-incident reporting.
  • All employees are encouraged and required to report any observed or suspected security weaknesses in systems or services, even if not an incident.