Академический Документы
Профессиональный Документы
Культура Документы
_______________________________________________________________
Incident Management
______________________________________
OFFICIAL
Version History
No.
Date
Section
Amendment
1.0
08/01/2014
Draft
OFFICIAL
Table of Contents
1
Introduction .................................................................................................................................... 6
1.1
1.2
1.3
OFFICIAL
6.6
6.7
6.8
OFFICIAL
Table of Figures
Figure 1 Categories of information security incidents according to threats ....................................... 19
Figure 2 NISF Functional Impact Categories ..................................................................................... 20
Figure 3 NIST Information Impact Categories ................................................................................... 20
Figure 4 NIST Recoverability Effort Categories ................................................................................. 21
Figure 5 Business Impact Levels ....................................................................................................... 21
Figure 6 Security Incident Severity Levels and Escalation Criteria ................................................... 22
Figure 7 NIST Incident Response Life Cycle ..................................................................................... 25
Introduction
This Standard presents the official Government of Uganda (GoU) approach for
managing information security incidents. In keeping with US ISO/IEC 27035, the
Standard covers the processes for detecting, assessing, reporting, responding to
and learning from security incidents. According to US ISO/IEC 27035, the term
information security incident management encompasses the management of
information security incidents and information security vulnerabilities.
1.1
1.2
1.2.1.1
1.2.1.2
The International Telecommunication Union (ITU) adopted the term CIRT in Resolution 58 of its World
Telecommunication Standardization Assembly (WTSA) held in Johannesburg, South Africa, 21-30 October 2008.
OFFICIAL
1.2.1.3
1.2.1.4
1.3
References
This Standard references the following publications:
i.
ii.
iii.
iv.
OFFICIAL
I.
Incident Response
Planning and Preparation
2.1
2.2
Stress the importance of effective logging of incidents and its role in later
analysis including the preservation of the legal weight of electronic evidence;
OFFICIAL
US ISO/IEC 27035 also states that integration involves the use of lessons learnt
from the incident management process to improve effectiveness of the corporate
risk management and other related policies.
2.3
2.4
OFFICIAL
2.5
How the incident management scheme works, including its scope and the
security event, incident and vulnerability management workflow;
Authority of the incident management organisation and its reporting line; and
Who receives reports from the incident management scheme, and how the
reports are distributed.
ISO/IEC 27035 and the NISP agree that security awareness should form part of
the induction process and other corporate security awareness programmes.
2.6
Cyber Drills
US ISO/IEC 27035 requires that organisations test incident management
processes and procedures regularly to identify and rectify any potential flaws
and problems. For example, a periodic cyber drill should evaluate the ISIRTs
capacity to respond to complex incidents, through the simulation of realistic
attacks, failures or faults. The Standard recommends that simulated scenarios
use real new information security threats. The drills should also involve internal
and external stakeholders involved in the incident management process. US
ISO/EC 27035 recommends that any changes resulting from post testing reviews
must under thorough checking before their application to the live environment.
11
OFFICIAL
II.
Incident Management
Roles and Responsibilities
12
3.1.1
3.1.2
3.1.3
3.1.4
OFFICIAL
3.1.5
3.1.6
Determining the actions to take to address security incidents within the scope
and responsibility of his or her team; and
3.1.7
Internal Dependencies
As noted above, incident management activities rely on a number of other teams
outside the core security area. The teams provide invaluable expert advice to the
ISIRT and might include the following:
3.1.7.1
3.1.7.2
OFFICIAL
The teams would know how to collect and preserve logs from the systems. The
teams would also know when and how to disconnect systems from the Internet.
3.1.7.3
3.1.7.4
Human Resources
The human resources team plays an important role in incident response. HR is
particularly valuable when the incident involves a member of staff or contractor.
HR is responsible for organising disciplinary proceedings including dismissal. HR
can also help arrange services such as leave and medical assistance for victims.
3.1.7.5
Legal Department
Legal departments help ensure that incident response is in strict adherence with
relevant laws, regulations and ethics. For example, the legal team might assist
with the preservation of the legal weight and ensure the admissibility of
electronic evidence before Courts of Law. The legal team also works with HR on
disciplinary matters in particular those that lead to prosecution of a suspect. The
legal team would also advise CII owners and/or operators of contractual and
regulatory implications of security incidents e.g. loss of personal data.
3.1.8
External Dependencies
US ISO/IEC 27035 also recommends that organisations maintain contacts and
relationships with external entities, including:
3.1.8.1
3.1.8.2
Law Enforcement
Law enforcement teams can assist with electronic evidence handling. For
example, the Uganda Police Force enforces cybercrime legislation. In addition,
15
OFFICIAL
3.1.8.3
Utilities
Organisations must have relationships with utility companies such as water and.
Electricity. The utilities respond to incidents such as fire and flooding. Utilities
can support active incident response activity by turning off electricity, water and
gas utilities.
3.1.8.4
3.1.8.5
Technology Vendors
Technology vendors can also assist incident response. Vendor roles include:
16
OFFICIAL
III.
Incident
Identification
and Categorisation
17
4.1
4.1.1
Category
Description
Examples
Natural disaster
incident
Social unrest
incident
Physical damage
incident
Infrastructure failure
incident
Radiation
disturbance incident
Electromagnetic radiation,
electromagnetic pulse, electronic
jamming, voltage fluctuation, thermal
radiation, etc.
OFFICIAL
Category
Description
Examples
Technical failure
incident
Malware incident
Technical attack
incident
Breach of rule
incident
Compromise of
functions incident
Compromise of
information incident
Harmful contents
incident
4.2
19
OFFICIAL
4.2.1
Category
Definition
None
Low
Medium
High
4.2.2
Category
Definition
None
Privacy
Breach
Proprietary
Breach
Integrity Loss
4.2.3
OFFICIAL
Category
Definition
Regular
Supplemented
Extended
Not
Recoverable
4.2.4
Classification Level
Impact Level
Business Impact
UNCLASSIFIED
Trivial
UNCLASSIFIED-PERSONAL
Low
OFFICIAL
High
SECRET
Extreme
TOP SECRET
Catastrophic
Parties applying this Standard should refer to SS1 and SS3 for the business
impact tables and security classification levels respectively.
21
OFFICIAL
4.2.5
Incident Severity
Description
Highest Escalation
Response Time
Trivial
As appropriate
Low
ISIRT
Within 48 hours.
High
Chief Security
Officer;
ISIRT
Within 1 hour.
Project Director;
Chief Security
Officer
Chief Information
Risk Owner for CII
Immediately or as soon
as possible
Board
Accounting Officer
Immediately
Extreme
Catastrophic
22
OFFICIAL
IV.
Incident
Management
Process
23
5.1
5.1.1
5.1.2
5.1.3
5.1.4
Responses
This phase involves reacting to information security incidents in accordance with the
actions agreed in the assessment and decision phase.
5.1.5
Lessons Learnt
This phase occurs after the resolution or closure of security incidents. It involves
learning lessons incident and/or vulnerability handling approach.
OFFICIAL
5.2
5.2.1
Preparation
This phase involves establishing and training an incident response team, and
acquiring the necessary tools and resources. The organisation also attempts to
limit the number of incidents by selecting and implementing controlled driven by
the results of risk assessments. However, residual risk remains.
5.2.2
5.2.3
25
OFFICIAL
5.2.4
Post-Incident Activities
This phase captures the lessons learnt in a report that explains the cause and
cost of the incident and the recommended steps for preventing future incidents.
6.1
The analyst would use the initial impressions to formulate the first response. The
analyst should have a mechanism of escalating the event to other analysts
and/or the ISIRT leader on confirmation that it is indeed a security incident. The
team leader would then conduct detailed analysis of the security incident. The
ISIRT leader would also choose the next course of action from the predetermined steps in the organisational incident management process.
6.2
Begin Notification
Notification is the typical next step after the confirmation of a security incident.
The ISIRT leader uses pre-established guidance to notify nominated individuals
of the security incident. It is beneficial for the team leader to have a script of
what to say during incident notification to avoid confusion.
26
OFFICIAL
6.3
Setup Communications
Organisations must have in place secure means of sharing incident information.
Failure to communicate securely could alert the perpetrators leading to the
destruction of electronic evidence and/or exposure of the vulnerability to other
threat sources and actors. Therefore, this step requires that ISIRT leader and
other stakeholders to setup a secure channel for communicating information
about the status, extent and actions taken to contain a security incident. Given
that some of the communications occur over insecure networks such as e-mail
and the Public Switched Telephone Network (PSTN), organisations would find it
beneficial to assign codes to security incidents and/or vulnerabilities. In this way,
the ISIRT leader is able to coordinate response without risking disclosure of
sensitive information to unauthorised parties.
6.4
Contain
As defined in step three of the NIST SP 800-61 Revision 2 incident response life
cycle above, this phase involves steps to stop the spread of the incident e.g.
shutdown a system, disconnect if from a network and disable certain functions. It
aims to buy time to develop an effective remediation strategy. At this stage, the
ISIRT must work closely with other professionals such as forensics, system and
network administration to understand fully the impact of the containment actions.
For example, whilst shutting down a system might stop the spread of the attack,
it has the potential to destroy electronic evidence that might assist in the
identification and eventual prosecution of the perpetrator(s). However, in some
instances the sensitivity of the information involved might so high that the impact
of the disclosure outweighs the benefits of gathering evidence and prosecuting
the culprits such as when the disclosure could lead to widespread loss of life.
6.5
Identify
This activity follows containment and focuses on the identification of:
What happened?
Where it happened?
Why it happened?
When it happened?
How it happened?
With the support of the ISIRT, forensics teams both internal and external such as
law enforcement, security and intelligence organisations would take over and
assist in answering the questions above. In some cases, the forensics team is
part of the ISIRT. In this case, there must enough segregation between the
activities of the operational ISIRT group and the forensics investigators.
27
OFFICIAL
6.6
Date of Incident;
ii.
Incident Number;
iii.
iv.
v.
vi.
vii.
viii.
ix.
Components/Assets affected;
x.
xi.
xii.
Incident Resolution;
xiii.
xiv.
xv.
xvi.
xvii.
xviii.
Actions Outstanding;
xix.
Conclusions;
xx.
xxi.
xxii.
28
OFFICIAL
Organisations should not expect the ISIRT to complete the above lengthy form in
one sitting. Indeed, some of the information will only be available in later stages
of the incident response lifecycle.
6.7
Return to Operations
This activity involves the resumption of operations to the level before the security
incidents and/or in accordance with Service Level Agreements. The ISIRT shall
work closely with all professionals identified in this process, in particular the IT
and Networking teams to ensure that the system returns to full capacity. Due to
high likelihood of an ongoing forensics investigation, it is unlikely that operational
team would regain access to all the assets involved in the security incident. As
such, the organisation shall mobilise new and/or replacement assets.
6.8
29