Computer Security Incident Response Plan

Name of Approver: Mary Ann Blair
Effective Date: 23-FEB-2015
Date of Approval: 23-FEB-2015
Date of Review: 22-FEB-2015
Name of Reviewer: John Lerchey

Introduction

Purpose

This document describes the overall plan for responding to information security incidents at Carnegie Mellon University. It defines the roles and responsibilities of participants, the characterization of incidents, relationships to other policies and procedures, and reporting requirements.

The goal of the Computer Security Incident Response Plan is to detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident recurring.

Scope

This plan applies to the Information Systems, Institutional Data, and networks of Carnegie Mellon University and to any person or device that gains access to these systems or data.

Maintenance

The University's Information Security Office (ISO) is responsible for the maintenance and revision of this document.

Authority

The ISO is charged with executing this plan by virtue of its original charter and various policies such as the Computing Policy, Information Security Policy, and HIPAA Policy.

Definitions

Event

An event is an exception to the normal operation of IT infrastructure, systems, or services. Not all events become incidents.

Incident

An incident is an event that, as assessed by ISO staff, violates the Computing Policy; Information Security Policy; other University policy, standard, or code of conduct; or

Insider Threats

Insiders are, according to CERT¹, current or former employees, contractors, or business partners who have access to an organization's restricted data and may use their access to threaten the confidentiality, integrity or availability of an organization's information or

¹ This is a paraphrase of the definition presented in the Software Engineering Institute's 2009 publication entitled "Common Sense Guide to Prevention and Detection of Insider Threats" (Cappelli et al., third edition, v3.1).

Law Enforcement

Law Enforcement includes the CMU Police, federal and state law enforcement agencies, and U.S. government agencies that present warrants or subpoenas for the disclosure of information. Interactions with these groups will be coordinated with the Office of General Counsel (see below).

Officers

Officers are the staff designates for the various regulatory frameworks with which the University is required to comply.

Users

Users are members of the CMU community or anyone accessing an Information System, Institutional Data or CMU networks who may be affected by an incident.

Methodology

This plan outlines the most general tasks for Incident Response and will be supplemented by specific internal guidelines and procedures that describe the use of security tools and/or channels of communication. These internal guidelines and procedures are subject to amendment as technology changes. It is assumed that these guidelines will be documented in detail and kept up-to-date.

Constituencies

The ISO represents the entire University's Information System(s) and Institutional Data, supporting the Users. Some departments and schools maintain their own IT staffs, and some branches of the university are located in other cities or countries. To the extent possible, the ISO will attempt to coordinate its efforts with these other groups and to represent the University's security posture and activities. Since the ISO is primarily concerned with preventing the disclosure of PII and ePHI, its responses to incidents and threats will be conditioned by the role of the Users with regard to PII and ePHI.

Evidence Preservation

The goal of Incident Response is to reduce and contain the scope of an incident and ensure that IT assets are returned to service as quickly as possible. Rapid response is balanced by the requirement to collect and preserve evidence in a manner consistent with the requirements of rules 26-34 of the Federal Rules of Civil Discovery, and to abide by legal and Administrative requirements for documentation and chain of custody. ISO will

Training

The continuous improvement of incident handling processes implies that those processes are periodically reviewed, tested and translated into recommendations for enhancements. CMU staff inside and outside of the ISO will be periodically trained on procedures for reporting and handling incidents to ensure that there is a consistent and appropriate response to incidents, and that post-incident findings are incorporated into procedural enhancements.

Figure 1

Preparation

Preparation includes those activities that enable the ISO to respond to an incident: policies, tools, procedures, effective governance and communication plans. Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents should form the basis for continuous improvement of this stage.

Detection

Detection is the discovery of the event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident.

Investigation

Investigation is the phase where ISO personnel determine the priority, scope, and root cause of the incident.

Remediation

Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, and analysis that confirms the threat has been contained. The determination of whether there are regulatory requirements for reporting the incident (and to which outside parties) will be made at this stage in cooperation with OGC. Apart from any formal reports, the post-mortem will be completed at this stage, as it may impact the remediation and interpretation of the incident.

Recovery

Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of "lessons learned" into future response activities and training.

Specific procedures related to this Incident Response Plan are documented at the ISO's Policies and Procedures internal site.

Insider Threats

In the case that a particular Incident Response Handler is a person of interest in an incident, the Incident Response Coordinator will assign other Incident Response Handlers to the incident. In the case that the Incident Response Coordinator is a person of interest in an incident, the Director of Information Security will act in their stead or appoint a designee to act on their behalf.

Communications Plan

All public communications about an incident or incident response to external parties outside of CMU are made in consultation with OGC and Media Relations. Private communications with other affected or interested parties contain the minimum information necessary. The minimum information necessary to share for a particular incident is determined by the Incident Response Coordinator and the Director of Information Security in consultation with OGC or other campus administrative authorities.

Privacy

The Computing Policy provides specific requirements for maintaining the privacy of University affiliates. All incident response procedures will follow the current privacy requirements as set out in the Computing Policy. Exceptions must be approved by OGC.

Escalation

At any time during the incident response process, the Incident Response Coordinator and the Director of Information Security may be called upon to escalate any issue regarding the process or incident. The Incident Response Coordinator and Director of Information Security, in consultation with OGC, will determine if and when an incident should be escalated to external authorities.

Further Information

Further information on the Computer Security Incident Response Plan and associated procedures can be obtained from the Incident Response Coordinator of the ISO via iso-[email protected] or 412-268-2044.

Revision History

Version    Date           Author           Description
1.0        13-FEB-2015    Laura Raderman   Initial Document