incident management policy

Upload: asterix01ar

Post on 07-Jul-2018


  • 8/18/2019 Incident Management Policy

    IT Incident Management Plan

    (March 31, 2015 – Version 0.1)

    Contents

    1 Document Revision Control
    2 Effective Date
    3.2 Address
    3.3 Reporting
    4.1 Objectives
    5 Governance Model
    6 Incident Management Process
    6.1 Preparation
    6.2 Identification
    Categorization
    Prioritization
    6.3 Response
    6.4. Recovery
    6.5. Post Incident Analysis
    7 Office Roles and Responsibilities
    Appendix A – Definitions
    Appendix B – Summary of Office Obligations
    Appendix C – Evidence Preservation
    Step 1:
    Step 2
    Step 3
    Appendix D – Incident Categorization
    Appendix E – Incident Report Template

    1 Document Revision Control

    Revision   Date        Summary of Revisions Made   Changes Made By (Name)
    0.1        3/30/2015   Initial Version

    2 Effective Date

    This plan takes effect on March 31, 2015. It will be reviewed on a yearly basis and modified as appropriate.

    3 Introduction

    3.1 Purpose

    This document delineates the policies and procedures for Information Technology Incident Management, as well as Company's process-level plans for managing incidents on critical technology platforms and the telecommunications infrastructure. Our mission is to ensure information system uptime, data integrity and availability, and business continuity.

    3.2 Scope

    This Plan applies to all Company's offices and subsidiaries subject to the Policy and addresses:

    • Threats, vulnerabilities, and incidents within an IT environment that affect or may affect service to Company operations, security or privacy of information or confidence;
    • Incidents within an IT environment requiring an integrated response;
    • Networks classified secure and below.

    3.3 Reporting

    This version of the plan requires employees/departments/offices to report IT incidents to the IT Department using the OTRS tool or any other communication method in case access to OTRS is impossible.

    3.4 Communication

    The IT incident management departmental operating procedures referenced herein will be provided to HR for inclusion in the standard policies/plan library.

    4 Context

    The occurrence of Information Technology (IT) incidents involving Company's networks and infrastructure can have a significant impact on Company operations, services delivered to customers and, consequently, confidence in Company. The ability to detect and respond to incidents in a coordinated and consistent fashion is essential to maintaining Company operations and services and to ensure the confidentiality, integrity and availability of Company's information and IT assets.

    The Company Information Technology Incident Management Plan provides an operational framework for the management of IT security incidents and events that could have or have had an impact on Company information technology infrastructure.

    4.1 Objectives

    The following are the objectives of this plan.

    • Enhanced situational awareness across the Company;
    • Improved coordination and incident management planning within the Company;
    • Timely resolution of incidents that affect Company services and operations;
    • Informed decision making and associated incident mitigation and response;
    • A shared sense of responsibility and partnership among the Company IT and customers Information Technology Security areas;
    • Improved shared Company knowledge and expertise;
    • Enhanced confidence in Company.

    4.2 Assumptions

    The following assumptions were made during the development of this Plan:

    • Current mandates and responsibilities will be respected;
    • IT security incidents related to the disclosure of personal information or private communications will follow established privacy procedures according to the country law;
    • In addition, if the incident is considered a crime, particulars should be reported to the country Enforcement Agency as applicable.

    5 Governance Model

    During a serious incident, the timely engagement of senior management is key to a strong and effective response. The governance model of the IMP identifies the senior management committees and managers who will be engaged when severity and trigger criteria are met.

    [to be completed]

    6 Incident Management Process

    The incident management process will consist of the following five defined stages (see Figure 1): the stages "preparation" and "identification" are integral components to an effective incident management plan that must be in place and kept up to date to be properly prepared for managing an incident. The other three stages, "response", "recovery" and "post incident analysis" will be the focus of the governing structure.

    Figure 1: Stages of Incident Management Process

    The responsibilities of departments related to incident management process are documented for each of the stages in the following sections. A summary of responsibilities for all stages of the incident management process is summarized in Appendix B.

    6.1 Preparation

    The preparation stage involves incident handling planning and training activities designed to provide adequate capabilities to prevent and detect incidents.

    At a minimum:

    1. Develop and practice incident handling planning and training activities and exercises to enable identification and effective response.
    2. Ensure the response plan and communications procedures are well known and easily accessible to all involved personnel, and reviewed and updated (as required) both periodically and following an incident.
    3. Identify critical systems (Business and Operations) to better identify injury and impact levels when reporting an event or incident.
    4. Integrate the processes of the IMP into the Office Security, Business Continuity and IT contingency plans.
    5. Ensure awareness and response training is available to all employees commensurate with the current and emergent threat landscape.
    6. Ensure provision of appropriate training and awareness of incident identification, incident management policy, and procedures to IT staff, so that all individuals involved understand their role and responsibilities related to incidents.
    7. Ensure that standard measures are defined in advance for rapid implementation as required.
    8. Monitor and manage software, hardware and firmware configurations including version numbers and patch levels in a departmental database to ensure that departments are able to identify vulnerabilities and act accordingly.
    9. Take reasonable measures to ensure the preservation and protection of evidence (see Appendix C).

    6.2 Identification

    The identification stage consists of the detection of an event suspected of being an IT security incident, advising Information Technology representatives for the affected systems (who will perform the initial assessment to determine if it is an actual incident), and determining the impact, severity, and probable cause of the suspected incident.

    As a minimum, Offices will:

    1. Carry out monitoring and intrusion detection activities (e.g. track and analyze threats, vulnerabilities, events via logs from various sources such as firewalls or Intrusion Detection Systems, which may affect IT systems). This should also include a proactive vulnerability management process using standard frameworks such as the National Institute of Standards and Technology's Common Vulnerability Scoring System;
    2. Once it is determined that an event has the potential or has been confirmed to be an incident, send an initial incident report using OTRS and when further information becomes available, submit an updated incident report;
    3. Preserve evidence as outlined in Appendix C.

    The incident information must be reported to the OTRS no later than one (1) hour after the detection of an incident. The OTRS tool should be used to report the incident. In the incident report, reporter must assign a level of injury and impact severity. Appendix D should be used as a guideline to categorize the level.

    If relevant, affected offices should attempt to correlate multiple incident reports to identify those that are related to a single incident.

    http://www.tbs-sct.gc.ca/sim-gsi/sc-cs/docs/itimp-pgimti/itimp-pgimti04-eng.asp#Toc324324209

    If the IT security area notifies an office of a significant event, offices will be requested to confirm if the event is in fact an incident. Offices then must respond by reporting the incident using the OTRS tool.

    The IT security area may trigger the Incident Management process if they detect an incident involving one or more offices.

    Categorization

    The affected office shall assign a category to the confirmed or suspected incident using the chart provided in Appendix D.

    Prioritization

    Affected offices shall prioritize based on the incident's potential impact. Impact is the effect of the incident on the organization's objectives and mission based on the following factors:

    • Technical impact (current and future): The current negative effects of the incident and likely future effects. For example, malware spreading within one regional office has an immediate local impact, but if the malware spreads across the Company, it could affect operations throughout the organization; and
    • Criticality of affected resources: The criticality of the Information system (IS) resources that are or could be affected by the incident. Critical systems have been identified through the Business Impact Assessments and other business continuity activities.

    6.3 Response

    Once an event is received from an affected office, partner, or customer, the Incident Response Team (IRT) will send an acknowledgment of receipt. If it is determined to be an incident the IRT will assess the information received to determine whether the incident is of an IT or cyber nature, and provide appropriate mitigation advice and guidance to the affected office(s) and will alert other offices of the threat and how to protect against it. If the incident is of a cyber-security nature, the IRT will also provide this information to IT security for analysis. The IRT will also provide a summary of incidents on a regular basis for situational awareness.

    Based on the incident categorization (Appendix D), the incident will be handled accordingly as indicated below.

    If deemed low risk:

    • The information will be logged and the circumstances monitored as an integral part of situational awareness. It will also be reviewed against previous events (even those deemed low risk).

    If deemed medium to high risk:

    • If the incident is deemed to be non-cyber in nature, the information will be provided to the management team for review and action if warranted.
    • The information will be provided to IT security so as to ensure the management of security incidents is effectively coordinated within offices.
    • The information will be passed to the business unit for an assessment. If an investigation is deemed necessary the country's law enforcement agency will be informed immediately.
    • If an incident has implications for a customer, the information will be passed to the corresponding partner so the customer can be informed immediately.
    • While an investigation is ongoing, the investigating party may provide information to IRT and/or the Cyber Response Unit (CRU) for mitigation purposes.

    The CRU will proceed according to standard operating procedures.

    The CRU's main goal is to provide mitigation advice to the affected office(s) and to alert other offices of the threat and how to protect against it.

    If containment cannot be achieved at the office level, the IRT will lead the containment effort as per established procedures.

    At any time offices may update their incident report to provide additional information to the IRT or to request further mitigation advice.

    Threat and vulnerability events will be escalated by the IRT to the CRU when there is a high risk to Company.

    The Management Team is the decision-making group that is convened to advise and intervene when attempts to restore services have not produced expected results or when no action taken/conceived can provide for the continuity of operations and rapid recovery of services. The Management Team has the authority to make important decisions necessary in a crisis: activation of a disaster recovery service, approval of special budgets, etc. In addition, if mitigation requires additional resources, the Management Team will be called upon to review the CRU's action plan and act accordingly.

    6.4. Recovery

    Most incidents will require recovery actions to restore systems and services to normal operations and preventative actions to avoid recurrence. Recovery actions may include restoration of systems from original media or images, installation of patches and immediate mitigation actions to prevent reoccurrence. System/service recovery should be conducted in a manner that preserves the integrity of the system to assist with an in-depth analysis/investigation of the incident.

    The recovery process should align with internal processes such as: Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.

    Prior to reconnecting affected systems or restoring services, incident handlers shall ensure that reinstating the system or service will not result in another incident.

    As a minimum, offices will:

    1. Respond to IRT electronic information products as requested (Cyber Flashes, RFI, etc.);
    2. Insofar as possible, implement any relevant mitigating measures as recommended/mandated by the IRT, IT security or IT Management;
    3. Provide situation report updates during the incident phases and provide a final notification to the IRT when normal operations have resumed to close the OTRS ticket.

    6.5. Post Incident Analysis

    Post-analysis of incidents is vital for learning and continuously improving Company safeguards and response plans and procedures. Reviewing the incident, recording of lessons learned, recommending changes in processes, procedure, and developing long-term capability improvement solutions are crucial for a successful preparation phase.

    For every major incident that occurs:

    Offices will perform a post incident analysis, which summarizes the impact of the incident and identifies:

    • safeguard deficiencies;
    • measures to prevent similar incidents;
    • measures to reduce the impact of a recurrence;
    • improvements to incident-handling procedures and relating policies;
    • review of the preparation phase in terms of the response of the incident; and
    • lessons learned.

    Affected offices will provide the IRT a post-incident summary report.

    IT management will close the post-incident analysis phase of the IT IMP based on the implementation of mitigating measures and actions.

    For multi-office incidents, IT management will lead post-incident analysis and will lead implementation of identified changes/improvements.

    7 Office Roles and Responsibilities

    This section identifies roles and responsibilities within offices relevant to the IT IMP.

    The IT Security Officer is responsible for:

    • Establishing reporting requirements for IT security incidents that align with the requirements established in the IT IMP as part of a coordinated approach to the management of office security incidents.

    The IT Security Coordinator is responsible for:

    • Ensuring that effective processes for the management of IT security incidents are developed, documented, approved, promulgated and implemented within the department, and that the effectiveness of these processes is monitored; and
    • Reporting on detected IT security incidents in accordance with the requirements established by the ITSO.

    Security practitioners and Operational IT Staff are responsible for:

    • Responding to IT Security incidents in accordance with the processes and procedures established by the department.

    All office employees are responsible for:

    • Reporting real or suspected IT security incidents or other suspicious activity to office managers, in accordance with the processes and procedures established by Company.

    Appendix A – Definitions

    Cyber Incident

    A deliberate IT incident that is state-sponsored or is utilizing a non-publicly known exploit.

    Event

    An event is an observable change to the normal behavior of a system, environment, process, workflow or person. An event can feed into an incident but the opposite is not true.

    Incident Handler

    The person appointed or responsible to lead all stages of incident handling. The incident handler will be the contact person throughout the incident life cycle.

    IT Incidents

    Incidents are understood to be any event or collection of events which may affect the confidentiality, integrity, or availability of an information system including components, or an event or collection of events which may violate information system policies or the law. Incidents can originate internally or externally and can be caused deliberately or accidentally. Incidents include privacy breaches, which are a collection, use, disclosure, access, disposal, or storage of personal/customer information, whether accidental or deliberate, that is not authorized.

    Appendix B – Summary of Office Obligations

    Offices will develop and practice incident handling training activities and exercises to enable identification and effective response.

    Offices will ensure the response plan and communications procedures are well known and easily accessible to all IT personnel, and reviewed and updated (as required) both periodically and following an incident.

    Offices will identify their critical systems (Business and Operations) to better identify injury and impact levels when reporting an event or incident.

    Offices will integrate the processes of the IMP into their office Security, Business Continuity, IT contingency plans.

    Offices will ensure awareness and response training is available to all employees commensurate with the current and emergent threat landscape.

    Offices will ensure provision of appropriate training and awareness of incident identification, incident management policy, and procedures to IT staff, so that all individuals involved understand their role and responsibilities related to incidents.

    Offices will ensure that standard measures are defined in advance for rapid implementation as required.

    Offices will monitor and manage software, hardware and firmware configurations including version numbers and patch level in a database to ensure that they are able to identify vulnerabilities and act accordingly.

    Offices will take reasonable measures to ensure the preservation and protection of evidence (see Appendix C).

    Offices will carry out monitoring and intrusion detection activities (e.g. track and analyze threats, vulnerabilities, events via logs from various sources such as firewalls or Intrusion Detection Systems). This should also include a proactive vulnerability management process using standard frameworks such as the National Institute of Standards and Technology's Common Vulnerability Scoring System.

    Offices will contact IT for assistance in characterizing potentially suspicious events.

    Offices will, once it is determined that an event has the potential or has been confirmed to be an incident, fill an initial incident report using OTRS and when further information becomes available, add the information to the incident report.

    Offices will provide situation report updates during the incident phases and provide a final notification to the when normal operations have resumed. After normal operations have resumed, the incident must be closed in OTRS.

    Offices will perform a post analysis, which summarizes the impact of the incident and identifies:

    • safeguard deficiencies;
    • measures to prevent similar incidents;
    • measures to reduce the impact of a recurrence;
    • improvements to incident-handling procedures and relating policies;
    • review preparation phase in terms of the response of the incident; and
    • lessons learned.

    Affected offices will provide a post-incident summary report.

    Appendix C – Evidence Preservation

    The following is an overview of basic evidence preservation for IT personnel.

    Step 1:

    When an incident has been identified, the incident handlers must:

    Ensure that the affected machine(s) is no longer accessible to non-authorized personnel (i.e. only accessible to incident handlers - preservation of the chain of custody).

    Ensure that no attempts are made to explore the content of the affected machine(s) or to recover data from it. The incident handlers must also document:

    • When was the incident discovered?
    • How was the incident discovered?
    • Who discovered the incident?

    Step 2

    The incident handler needs to preserve the evidence by taking the following actions:

    • Ensure that the affected machine(s) remains in a Live State so that the live memory can be collected.
    • Record all processes running on the affected machine(s).
    • Record all physical connections from the affected machine(s) to all other devices.
    • Record all IP addresses and wireless connections to and from the affected machine(s) across the network.
    • Preserve all traffic logs (firewall, IDS, IPS, etc.) to and from the affected machine(s) across the network.
    • When disconnecting the affected machine(s) from the network carefully monitor processes to ensure that the hard drive is not being erased. If information is being deleted immediately turn off the power.

    Step 3

    After preserving the network logs and protecting the evidentiary chain of custody, the incident handlers should take the following actions:

    • Record all actions relating to the collection, preservation, access, storage and/or transfer of digital evidence.
    • Prepare a network diagram with the IP addresses of all the affected machine(s) and all other relevant network nodes.
    • Prepare, date and sign detailed notes on all actions taken during the course of the incident response.
    • Communicate all observations made and actions taken to law enforcement investigators.

    Incident handlers must ensure that they have the legal authority to collect and preserve all information gathered during the incident response process. They are also responsible for all actions taken with respect to digital evidence.
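    The Step 3 requirement to record every collection, preservation, access, storage and transfer action can be made tamper-evident by hash-chaining the log entries. The Python code below is an added example, not part of the original plan; the CustodyLog class, the handler names, the item ID and the sample bytes are hypothetical, and the chain detects later edits but does not replace the handlers' dated signatures.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry
ACTIONS = {"collection", "preservation", "access", "storage", "transfer"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field except the digest itself, in canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


class CustodyLog:
    """Append-only record of who did what to which evidence item, and when."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, item_id, evidence, note, when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "handler": handler,
            "action": action,
            "item_id": item_id,
            "evidence_sha256": sha256_hex(evidence),
            "note": note,
            # Linking to the previous entry makes later edits detectable.
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = GENESIS
        for position, entry in enumerate(self.entries, start=1):
            if entry["seq"] != position:
                problems.append(f"entry {position}: sequence number is {entry['seq']}")
            if entry["prev_hash"] != prev:
                problems.append(f"entry {position}: broken link to previous entry")
            if entry_digest(entry) != entry["entry_hash"]:
                problems.append(f"entry {position}: content does not match its recorded hash")
            prev = entry["entry_hash"]
        return problems

    def evidence_changed(self, item_id):
        """True if the recorded hash of an item differs between any two entries."""
        seen = {e["evidence_sha256"] for e in self.entries if e["item_id"] == item_id}
        return len(seen) > 1


def build_sample_log():
    """Constructed sample: one memory image handled by two hypothetical handlers."""
    image = b"constructed stand-in for a memory image"
    t0 = datetime(2015, 3, 31, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog()
    log.record("handler-a", "collection", "MEM-001", image, "live memory captured", t0)
    log.record("handler-a", "storage", "MEM-001", image, "copied to evidence drive",
               t0.replace(minute=20))
    log.record("handler-b", "transfer", "MEM-001", image, "handed to investigator",
               t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2))
    print("problems:", log.verify())
```

    Editing a stored entry is reported by verify() at that entry; recomputing the edited entry's hash to hide the change breaks the link from the next entry instead.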

    Appendix D – Incident Categorization

    Step 1: Define the injury level and sector with the guide below.

    Sector / Injury Level

    Image and customer confidence with Company
      Low: Limited or no loss of image or negative impact on Company reputation
      Medium: Moderate loss of image or negative impact on Company reputation
      High: Significant loss of image or negative impact on Company reputation

    Infrastructure / Provision of Services
      Low: Limited or no negative effect on critical infrastructure or provision of services.
      Medium: Moderate negative effect on critical infrastructure or provision of services
      High: Significant negative effect on critical infrastructure or provision of services.

    Productivity / Financial
      Low: Limited or no negative effect on productivity or finances.
      Medium: Moderate negative effect on productivity or finances
      High: Significant negative effect on productivity or finances.

    Step 2: Define the Impact of the Incident with the guide below.

    Impact Level / Description

    Low
    • Impacts a single workstation, mobile / portable device
    • Incident impacts 104 of users
    • Unclassified information impacted

    Medium
    • Impacts one server or an administrator account is involved
    • Impacts many 1"5 workstations, mobile portable devices or one of a high profile manager
    • Incident impacts 09 of users
    • Protected or confidential information impacted

    High
    • Impacts infrastructure device such as a router.
    • Impacts two or more servers, or one E-mail server
    • Incident impacts 1" or more of users
    • Critical information impacted (to be reported via secure methods only)
    • Privacy breach

    Appendix E – Incident Report Template

    For assistance filing an Incident Report using OTRS contact the local IT department.