Incident Response Policy

Version: 1.00Issue Date: 2/10/2015

This Incident Response Policy specifies how computer security incidents shall be responded to.

1.0 Overview

This Incident Response Policy will help ensure that security incidents are handled in a timely manner. This computer security Incident Response Policy defines computer security incidents and responsibilities associated with computer security incident reporting and their resolution. This computer security Incident Response Policy outlines the incident response phases. This Incident Response Policy discusses how information is passed to the appropriate personnel, assessment of the incident, minimising damage and response strategy, documentation, and preservation of evidence. The incident response plan which this policy calls for will further define areas of responsibility and establish procedures for handing various security incidents. This incident response policy discusses the considerations required to build an incident response plan.

2.0 Purpose

This Incident Response Policy is intended to ensure the security of the organization and data by ensuring security incidents are handled by qualified individuals, in a timely manner, and are resolved satisfactorily.

3.0 Scope

This computer security Incident Response Policy applies to all computer security incidents and all employees, contractors, or vendors who use organizational resources, network, or systems. This Incident Response Policy applies to on site or off site incidents anytime data or systems associated with the organization may be in danger of loss, compromise, damage, or destruction. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Incident Response Goals

  1. Verify that an incident occurred.
  2. Maintain or Restore Business Continuity.
  3. Reduce the incident impact.
  4. Determine how the attack was done or how the incident happened.
  5. Prevent future attacks or incidents.
  6. Improve security and incident response.
  7. Prosecute illegal activity.
  8. Keep management informed of the situation and response.

5.0 Incident Definition

A computer security incident is any one or more of the following:

  1. Loss of information confidentiality (data theft)
  2. Compromise of information integrity (damage to data or unauthorized modification).
  3. Theft of physical IT asset including computers, storage devices, printers, etc.
  4. Damage to physical IT assets including computers, storage devices, printers, etc.
  5. Denial of service.
  6. Misuse of services, information, or assets.
  7. Infection of systems by unauthorized or hostile software.
  8. An attempt at unauthorized access.
  9. Unauthorized changes to organizational hardware, softwaare, or configuration.
  10. Reports of unusual system behavior.
  11. Responses to intrusion detection alarms.

6.0 Incident Planning

In the incident response plan, do the following:

  1. Define roles and responsibilities
  2. Establish procedures detailing actions taken during the incident.
    1. Detail actions based on each type of incident such as a virus, hacker intrusion, data theft, system destruction.
    2. Procedures should consider how critical the threatened system or data is.
    3. Consider whether the incident is ongoing or done.
    4. An example is to consider when a user gets a virus. The personnel responding to the incident should consider what servers and systems the user with the virus connects to. They should consider whether infected files were left on other systems or whether other systems were infected based on the characteristics of any identified viruses. The case should not be considered closed until all other possible infections are investigated and resolved.
    5. There should be a mechanism or method for all involved with the virus incident to determine whether the case is closed.

A Computer Security Incident Response Team (CIRT) should be created in your organization. The purpose and responsibilities of the team are to minimize security incidents and limit damage along with investigate incidents. The team would also ensure that incidents are properly closed so they are no longer a threat.

7.0 Incident Response Life Cycle

  1. Incident Preparation
    1. Policies and Procedures
      1. Computer Security Policies - These involve many policies including password policies, intrusion detection, computer property control, data assessment, and others.
      2. Incident Response Procedures
      3. Backup and Recovery Procedures
    2. Implement policies with security tools including firewalls, intrusion detection systems, and other required items.
    3. Post warning banners against unauthorized use at system points of access.
    4. Establish Response Guidelines by considering and discussing possible scenarios.
    5. Train users about computer security and train IT staff in handling security situations and recognizing intrusions.
    6. Establish Contacts - Incident response team member contact information should be readily available. An emergency contact procedure should be established. There should be one contact list with names listed by contact priority.
    7. Test the process.
  2. Discovery - Someone discovers something not right or suspicious. This may be from any of several sources:
    1. Helpdesk
    2. Intrusion detection system
    3. A system administrator
    4. A firewall administrator
    5. A business partner
    6. A monitoring team
    7. A manager
    8. The security department or a security person.
    9. An outside source.
  3. Notification - The emergency contact procedure is used to contact the incident response team.
  4. Analysis and Assessment - Many factors will determine the proper response including:
    1. Is the incident real or peceived?
    2. Is the incident still in progress?
    3. What data or property is threatened and how critical is it?
    4. What is the impact on the business should the attack succeed? Minimal, serious, or critical?
    5. What system or systems are targeted, where are they located physically and on the network?
    6. Is the incident inside the trusted network?
  5. Response Strategy - Determine a response strategy.
    1. Is the response urgent?
    2. Can the incident be quickly contained?
    3. Will the response alert the attacker and do we care?
  6. Containment - Take action to prevent further intrusion or damage and remove the cause of the problem. May need to:
    1. Disconnect the affected system(s)
    2. Change passwords.
    3. Block some ports or connections from some IP addresses.
  7. Prevention of re-infection
    1. Determine how the intrusion happened - Determine the source of the intrusion whether it was email, inadequate training, attack through a port, attack through an unneeded service, attack due to unpatched system or application.
    2. Take steps to prevent an immediate re-infection which may include one or more of:
      1. Close a port on a firewall
      2. Patch the affected system
      3. Shut down the infected system until it can be re-installed
      4. Re-install the infected system and restore data from backup. Be sure the backup was made before the infection.
      5. Change email settings to prevent a file attachment type from being allow through the email system.
      6. Plan for some user training.
      7. Disable unused services on the affected system.
  8. Restore Affected Systems - Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following
    1. Re-install the affected system(s) from scratch and restore data from backups if necessary. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system.
    2. Make users change passwords if passwords may have been sniffed.
    3. Be sure the system has been hardened by turning off or uninstalling unused services.
    4. Be sure the system is fully patched.
    5. Be sure real time virus protection and intrusion detection is running.
    6. Be sure the system is logging the correct items.
  9. Documentation - Document what was discovered about the incident including how it occurred, where the attack came from, the response, whether the response was effective.
  10. Evidence Preservation - Make copies of logs, email, and other documentable communication. Keep lists of witnesses.
  11. Notifying proper external agencies - Notify the police if prosecution of the intruder is possible.
  12. Assess damage and cost - Assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
  13. Review response and update policies - Plan and take preventative steps so the intrusion can't happen again.
    1. Consider whether an additional policy could have prevented the intrusion.
    2. Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to be sure the procedure or policy is followed in the future.
    3. Was the incident response appropriate? How could it be improved?
    4. Was every appropriate party informed in a timely manner?
    5. Were the incident response procedures detailed and cover the entire situation? How can they be inproved?
    6. Have changes been made to prevent a re-infection of the current infection? Are all systems patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
    7. Have changes been made to prevent a new and similar infection?
    8. Should any security policies be updated?
    9. What lessons have been learned from this experience?

8.0 Requirements

  • Incident preparation shall include the definition of emergency situations which should be further defined in the incident response plan.
  • Emergency access rights should be defined in the incident response plan. Emergency access rights should be set up but not enabled before an incident occurs. For example, one to three accounts for security officers can be set up in advance on servers by administrators with the proper rights needed to help investigate or mitagate a security incident. The account may be kept inactive until needed.
  • The asset owners must define what an emergency situation is. The asset owner must define emergency actions to be taken and define who emergency access rights are given to along with what those rights are. All emergency access rights actions must be logged. Emergency access rights must be removed as soon as the emergency is over.
  • A process shall be created for determining whether failed attempts to access resources were mistakes or attempts to gain unauthorized access to data. This should be part of the incident response plan or referenced in the incident response plan.
  • A team for investigating and responding to computer security incidents must exist in the organization. This team should be led by the Chief Information Security Officer.
  • Members of the incident response team must have proper training and experience to effectively investigate computer security incidents. The minimum training and experience must be determined by the Chief Information Security Officer.
  • Members of the incident response team and server administrators must have proper training about how to minimize the effect of various types of computer security incidents. The minimum training and experience must be determined by the Chief Information Security Officer.
  • Specific security incidents that require investigation should be identified.
  • A central system shall be created which can be used to report security breaches. The system will allow actions to be logged and resources to be assigned to the incident. The system will help ensure that the incident is properly closed. The system will enable statistics about the security incidents to be recorded and kept including the severity and number of security incidents along with the amount of time each breach required to close.
  • All possible useful information about each security incident shall be logged into the central system so problem resolution can be supported and documented.
  • Whether a security incident is reported manually or using an automated process, a procedure must be in place to be sure that the incident is acted upon by the incident team promptly.
  • A process of assessing the importance of reported security incidents must be in place which sets responsibilities for determining importance and for determining who will fix the issues. A well qualified security team shall review each reported security incident in a timely manner. Team members shall ensure that damage is minimized and the cause of the incident is determined.
  • An escalation process for security breaches should be in place.
  • Access to security logs by users shall not be allowed. Programs that are allowed to ammend security log files must have valid reasons for access.
  • The procedures for all computer security incidents including computer viruses shall be documented and communicated to appropriate personnel. The procedures shall ensure damage containment and recovery along with a mechanism for escelation if needed.
  • Significant security incidents should be defined and management shall be informed of all significant computer security incidents.
  • Statistics of computer security incidents related to employees, expecially those that the employee could have prevented through training, shall be monitored and analyzed periodically. Awareness training programs shall be modified based on this informaiton.

9.0 Enforcement

Since prompt and thorough incident response is critical for protecting the security of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

10.0 Other Requirements

  • Incident Response Plan
  • Intrusion Detection Policy


Approved by:__________________________ Signature:_____________________ Date:_______________