[Agency name] Security Incident Management Plan — DRAFT

[Enterprise Agency Name] Security Incident Management Plan

Last Updated: 08/08/2017
(Version 008)

Contents

1. Purpose

2. Objective

3. References and Resources

4. Definition of a Security Incident

5. Roles and Responsibilities

5.1 Roles Provided by DoIT Security Operations

5.1.1 Role: System or Network Monitor

5.1.2 Role: Incident Handler

5.2 Roles Provided by the Agency

5.2.1 Role: Senior Agency Management

5.2.2 Role: Data Owner(s)

5.2.3 Role: Security Manager

5.2.4 Role: User

6. Incident Reporting and Management

6.1 User Reports an Incident

6.2 Continuous Monitoring Service Escalates an Alert

6.3 Incident Handling

7. Reporting and Metrics

7.1 Reporting on Monitoring and Incident Handling

7.2 Management Reporting

7.3 Regulatory Reporting

8. Signatures and Approvals

Appendix A: Acronyms and Definitions

Appendix B: Confidential Data Under [Enterprise Agency Name] Stewardship

Appendix C: [Enterprise Agency Name] and DoIT Security Operations Center Escalation and Contact Information

Appendix D: Steps to Preserve State of a Suspect Device

Appendix E: Incident Parameter Definitions

Appendix F: Security Reporting for the Agency

Appendix G: Incident Response Process Flow Defined by NIST SP 800-61R2

Exhibits

Exhibit 1: Roles and Responsibilities During Security Incident Response

Exhibit F-1: Incident Response Life Cycle modified from NIST 800-61R2, Computer Security Incident Handling Guide

1. Purpose

Since one of the primary goals for cybersecurity is to ensure the confidentiality, integrity, and availability of data and assets owned by or under stewardship of the Maryland Department of Information Technology (DoIT) Enterprise and its subscribers, the purpose of this plan is to provide guidance for Enterprise agencies and subscribers to effectively identify, report, respond to, and mitigate information security incidents.

Cybersecurity incidents refer to errors or activities that are not part of a standard information technology service operation and pose a risk of compromise or loss of information.

Discovering and reporting incidents as promptly as possible can minimize overall damage (before it “spreads”) and reduce the cost of incident handling. This Security Incident Management Plan provides DoIT and Enterprise agencies with specific contact information to encourage timely reporting and requests detailed escalation instructions to help minimize the adverse impact of security incidents.

2. Objective

The objective of this plan is to identify the policies, services, procedures, and requirements that help provide stable, effective incident management for an agency, and to help meet incident-management requirements in accordance with the Maryland DoIT Incident Response Policy.

Main objectives include:

  • Establish the organizational obligations for monitoring, reporting, and responding to cyber incidents, including roles and responsibilities for incident reporting and handling (Section 5)
  • Identify data under agency ownership that must be protected or may require special reporting if compromised (Appendix B)
  • Identify the persons responsible for cybersecurity within the agency and provide specific contact information (Appendix C)
  • Outline steps to preserve incident data when security incidents are discovered (Appendix D)
  • Identify security reporting for the agency (Appendix F)

3. References and Resources

This plan incorporates by reference DoIT cybersecurity policies and their requirements. All agency personnel, business partners, and staff affiliated with third parties who have access to this agency network are required to ensure compliance with these policies at all times.

DoIT Policies and Standards

  • DoIT Incident-Response Policy
  • DoIT Acceptable Use Policy

Regulatory Security-related Requirements

List any regulatory rules in Appendix B that your agency or system must comply with, e.g., a requirement to report data compromise or breach of HIPAA information.

Reference Standards and Best Practices

Additional security practices and standards may be adopted from resources below.

  • CIS Security Controls
  • NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, November 1995.
  • NIST Special Publication 800-53, Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations, April 2013.
  • NIST Special Publication 800-83, Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013.
  • SANS CIS Top Twenty Critical Security Controls for Effective Cyber Defense

4. Definition of a Security Incident

An incident is defined in Government standards as:

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or [an occurrence] that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (FIPS 200; NIST SP 800-53)

Incident handling is also defined:

Incident Handling: The mitigation of violations of security policies and recommended practices. (NIST SP 800-61)

Irregular or adverse cyber events may include, but are not limited to:

  • Denial of system resources
  • Compromise of sensitive information or system integrity
  • Malicious software infection
  • Illegal access or attempted access to a system (either a penetration or an intrusion)
  • Inappropriate access or attempted access to a system (internal, insider threat)
  • Malicious or illegal use of system resources
  • Any activity that deliberately violates any information policy

With regard to a security incident, Appendix D shows how to handle a suspected infected or compromised device and what information to gather for reporting the incident; Appendix E shows the definitions of incident severity and incident categories used by the DoIT Security Operations Center (SOC).

5. Roles and Responsibilities

Information security and security incident management both depend upon responsible data-ownership and responsible users. For effective security management, collaboration between DoIT and an agency should establish the fundamental (security) responsibilities described in the roles below.

Exhibit 1 below shows an overview of the roles and responsibilities of participants in security incident response. The following sections provide more detailed descriptions of the actions each role may take.


Exhibit 1: Roles and Responsibilities During Security Incident Response

5.1 Roles Provided by DoIT Security Operations

5.1.1 Role: System or Network Monitor

  • Work with Data Owner and Security Manager to establish monitoring
  • Ensure that complete and correct information is provided for monitoring
      ◦ Name, type, location, and support-contact information for all hardware devices
      ◦ Documented workflow and criteria for alert notification and escalation
  • With agency personnel, determine when and how to escalate alerts, and establish a workflow for handling them
  • Determine when and how to report on “aggregated” security-related activity
  • Work with Security Manager to tailor alerting requirements, i.e., filter out false-positive alerts and correlate signs of elevated risk

5.1.2 Role: Incident Handler

DoIT will provide the typical incident handling services listed below and manage an incident from initial escalation to resolution:

  • Investigate the incident (causes and impact)
  • Recommend mitigation and support implementation
  • Recommend security improvements based on incident-handling outcomes
  • Ensure data is provided to agencies with regulatory reporting requirements

5.2 Roles Provided by the Agency

5.2.1 Role: Senior Agency Management

  • Authorize and support compliance with DoIT security policies and regulatory requirements for data management and reporting
  • Establish partnering agreements and terms of collaboration with DoIT monitoring and incident handling providers
  • Interface with customers and service providers as required
  • Authorize release of security-incident-related information

5.2.2 Role: Data Owner(s)

  • Classify data — ensure all data that is processed, stored, produced, or managed is appropriately classified and protected as required by policy or regulation
  • Support Security Manager in providing documentation and training for users on how to protect critical information
  • Work with Security Manager and monitoring organization to identify useful, standard reports (from monitors) and recommend frequency of distribution
  • Establish a process for regularly reviewing security reports; often, the person who knows the data and resources is in the best position to recognize suspicious access attempts or abnormal behavior
  • Provide DoIT Security Operations Center (SOC) with information on the type of confidential data the agency has custody of and the criteria for reporting breaches, i.e., compromise or loss; use Appendix B to identify your sensitive data, its location, and the reporting criteria, as well as an agency contact to whom the DoIT Security Operations Center (SOC) will report any data loss or compromise

Agency requirement: Enter agency-specific data classification and location information into Appendix B.

5.2.3 Role: Security Manager

  • Ensure day-to-day operational security
      ◦ Ensure compliance with agency and DoIT security policies and programs approved by DoIT
      ◦ Ensure compliance with any applicable regulatory requirements, especially with regard to reporting incidents
      ◦ Ensure processes exist (or adopt existing processes) and train users on how to operate systems securely, how to recognize an incident, and how to report an incident
  • Ensure education of agency staff and system users on reportable incidents — reportable security incidents include, but are not limited to:
      ◦ Loss or compromise of confidential data — may require breach reporting
      ◦ Incident affecting more than ten (10) individuals
      ◦ Incident affecting more than a single physical location, business unit, or functional area
      ◦ Incident is identified, such as an attack on an agency network resource, agency attacking a third party electronically, any allegation of electronically assisted criminal activity or copyright violation, etc.
  • Establish and maintain collaboration with DoIT for appropriate monitoring and incident handling services
      ◦ Establish criteria for security monitoring, including devices, ownership, and location; this may be derived from another source such as an asset management system or data provided for a security evaluation team
      ◦ Establish criteria for alert notification, including contact names and escalation preferences

        Agency requirement: enter the agency-specific contact information into Appendix C.

      ◦ Assign or designate an agency representative to work directly with an incident handler to investigate, manage, and mitigate an incident
      ◦ Ensure all mitigation recommended by incident handlers is implemented and documented
      ◦ Section 6 below shows the process for the monitoring organization or service to report alerts and the escalation tree
  • Ensure DoIT is cognizant of any changes in processes and technology that may affect monitoring and incident handling capabilities
      ◦ See more detail on required information under section 5.1.1 Role: System or Network Monitor
  • Collaborate with DoIT to establish security reporting

5.2.4 Role: User

  • Follow policies and best practices as communicated by agency management and through security training
  • Understand how to recognize an incident (via security awareness training)
  • Understand how and where to report an incident
  • Be prepared to assist in incident handling and mitigation tasks, e.g., provide information, submit machine for mitigation or implement other instructions for mitigation

6. Incident Reporting and Management

Although the agency retains the responsibility for protecting its data and assets, it should be prepared to assist incident handlers promptly and thoroughly with incident investigation and mitigation.

Incident reporting can generally go two ways:

  1. Either a user or someone on the agency side notices something awry and reports it (see section 6.1 below)
  2. Or the DoIT Security Operations Center (SOC) notifies the agency of an observed anomaly (see section 6.2 below).

Appendix C.2 is a template that the agency should fill out to provide DoIT with the contact information and escalation preferences for the agency, and Appendix C.3 provides contact information for reporting a cybersecurity incident to the DoIT Security Operations Center (SOC).

6.1 User Reports an Incident

In some cases, a vigilant user will recognize an incident or anomaly that warrants a security threat report.

  • User recognizes an incident or anomalous behavior

Note: if a device, e.g., workstation or laptop, is suspected of being compromised or infected with malware, follow the steps in Appendix D to preserve the state of the machine for possible forensic analysis and refrain from continued use of the device.

  • User reports incident or anomaly to Security Manager or directly to the DoIT Security Operations Center (SOC)
  • Workflow for investigation and mitigation then shifts to the agency Security Manager or (DoIT SOC) incident handler

The overall workflow for reporting an incident is shown below, and Appendix G contains a more detailed, NIST-based description of the overall incident response cycle.

6.2 Continuous Monitoring Service Escalates an Alert

The DoIT Security Operations Center (SOC) will escalate alerts to the agency per instructions provided in Appendix C. The DoIT SOC will be responsible for:

  • Monitoring security incident alerts — section 5.2.3 identifies the Security Manager as responsible for ensuring that the monitoring service receives the logs it needs to detect security threats and create correlations
  • Determining the severity of the alert(s)
  • Correlating alert information
  • Analyzing the threat
  • Notifying the agency for mitigation

6.3 Incident Handling

If a formal incident is declared, incident handling will be managed by DoIT with assistance from the agency, as requested (and as described in the role responsibilities in section 5 above).

The DoIT incident handler will also provide information on a data breach and support the agency in meeting reporting requirements.

7. Reporting and Metrics

7.1 Reporting on Monitoring and Incident Handling

As described in section 5 above, the agency Senior Agency Management, Security Manager, and Data Owner will work with DoIT and agree upon requirements for reporting both system and network health as well as for escalating incidents.

Most monitoring services provide standard security reports based on the logs they receive and the alerts and activity they see.

Appendix F shows the agreed-upon reporting for this agency.

7.2 Management Reporting

Senior Agency Management and the Security Manager will determine how incident metrics are to be reported outside their agency. They will establish requirements for the content, frequency, and distribution of all security reporting outside of the interactions with monitoring and incident handling organizations.

Appendix F shows the agreed-upon management reporting for this agency.

7.3 Regulatory Reporting

Senior Agency Management and the Security Manager will determine whether the agency or (in-scope for non-Enterprise agencies) system has any regulatory obligation to report incidents, such as IRS 1075 45-day notice of (impactful) system changes. If yes, they will establish criteria and processes to ensure compliance with the regulation.

The agency may subscribe to an enterprise-level managed reporting process, such as Ethics and Compliance Office criteria and processes for reporting breaches of protected health information (PHI).

Appendix B (B.2) shows which reporting requirements are in force for the scope of this incident management plan, the criteria for reporting (may be a reference to an enterprise-level reporting program), and the agency contact to whom the DoIT SOC should report such incidents.

8. Signatures and Approvals

[Enterprise Agency Name] Security Managers and Security Plan Approvers
[name]
[Enterprise agency name] Security Manager / Date
[name]
[Enterprise agency name] Security Manager / Date
[name]
[Enterprise agency name] Executive / Date

Appendix A: Acronyms and Definitions

Term / Definition
Cybersecurity event / An observed change to the normal behavior of a system or environment.
Cybersecurity incident / A verified event or set of events that has resulted or may result in a change to the confidentiality, availability or integrity of Skyline information systems, networks, or data, and for which a directed response may be required to mitigate the associated damage or risk. An occurrence that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies may also be considered an incident.
Data breach / A cybersecurity incident that results in a loss of confidential information to an unauthorized entity (i.e., cyber attacker) and may trigger breach penalties, reporting, and/or notification requirements.
Incident response or Incident Handling / The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber-attacks against an organization’s information system(s).

Appendix B: Confidential Data Under [Enterprise Agency Name] Stewardship

It is the [Enterprise agency name]'s responsibility to identify and protect its confidential data; the Incident Handler will report breaches to the agency POC, who will be responsible for further breach reporting.

If you need any help or have any questions about the data to be provided, contact the DoIT SOC (contact information in Appendix C.3 below).

B.1 Confidential Data
Type of Data / Location / Criteria for Notification / [Enterprise agency name] Data Owner
PII / [server name, subnet, physical location] / [more than 500 records lost] / Full-name:
Email:
Phone:
IM:
HIPAA
Agency proprietary
Etc.

B.2 Incident Reports Required by Regulation, Including for Confidential Data
Regulation Rule / Criteria for Reporting / Where and How to Report

Appendix C: [Enterprise Agency Name] and DoIT Security Operations Center Escalation and Contact Information

If you need any help or have any questions about the data to be provided, contact the DoIT SOC.

C.1 Senior Agency Management

Name:

Phone:

Email:

C.2 Escalation Criteria and Path for the [Enterprise agency name]
[Enterprise Agency Name] Alert Tree / Effective date: [yyyy Mon dd]
[Enterprise agency name] Security Manager (SM):
SM Email: / SM Phone: nnn-nnn-nnnn
Severity 1 (worst case/critical) / Severity 2 (high) / Severity 3 (normal)
Escalation Method:
[enter preferred escalation method(s) for each alert-priority level, e.g., Phone primary contact, then secondary] / Email primary and secondary contacts / Email primary and secondary contacts
Primary Contact(s)
Name
Phone
Email
(copy and insert rows for additional names)
Secondary Contact(s)
Name
Phone
Email
(copy and insert rows for additional names)
Additional Contact(s)
Name
Phone
Email
Comments or Instructions
Updated by:
[name] / [date]
C.3 Contact Information for the DoIT Security Operations Center

Appendix D lists the information you should be able to provide when reporting a security incident.

DoIT Service Desk: 7am to 9pm M-F
Phone: 410.697.9700
Email:
(Optionally) Create a ServiceNow ticket assigned to the Cybersecurity Services Assignment group.

or, during DoIT Service Desk after hours, contact the DoIT SOC directly

Security Operations Center (24x7)
Phone: 443.713.4432
Email: