Computer Security Incident Response Plan

Name of Approver: Mary Ann Blair       Effective Date: 23-FEB-2015
Date of Approval: 23-FEB-2015
Date of Review: 22-FEB-2015            Name of Reviewer: John Lerchey

Table of Contents

Table of Contents ................................................ 2
Introduction ..................................................... 3
    Purpose ...................................................... 3
    Scope ........................................................ 3
    Maintenance .................................................. 3
    Authority .................................................... 3
    Relationship to other Policies ............................... 3
    Relationship to Other Groups at CMU .......................... 3
Definitions ...................................................... 3
    Event ........................................................ 3
    Incident ..................................................... 3
    Personally Identifiable Information (PII) .................... 4
    Protected Health Information (PHI) ........................... 4
Roles and Responsibilities ....................................... 5
    Incident Response Coordinator ................................ 5
    Incident Response Handlers ................................... 5
    Insider Threats .............................................. 5
    Law Enforcement .............................................. 6
    Office of General Counsel (OGC) .............................. 6
    Officers ..................................................... 6
    Users ........................................................ 6
Methodology ...................................................... 6
    Constituencies ............................................... 6
    Evidence Preservation ........................................ 6
    Operational-Level Agreements, Governance ..................... 7
    Staffing for an Incident Response Capability, Resiliency ..... 7
    Training ..................................................... 7
Incident Response Phases ......................................... 7
    Preparation .................................................. 8
    Detection .................................................... 8
    Containment .................................................. 9
    Investigation ................................................ 9
    Remediation .................................................. 9
    Recovery ..................................................... 9
Guidelines for the Incident Response Process ..................... 9
    Insider Threats .............................................. 9
    Interactions with Law Enforcement ............................ 10
    Communications Plan .......................................... 10
    Privacy ...................................................... 10
Documentation, Tracking and Reporting ............................ 10
Escalation ....................................................... 11
Further Information .............................................. 11
Revision History ................................................. 11

Computer Security Incident Response Plan    Page 2 of 11
 
 

Introduction

Purpose
This document describes the overall plan for responding to information security incidents at Carnegie Mellon University. It defines the roles and responsibilities of participants, the characterization of incidents, relationships to other policies and procedures, and reporting requirements. The goal of the Computer Security Incident Response Plan is to detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident recurring.

Scope
This plan applies to the Information Systems, Institutional Data, and networks of Carnegie Mellon University and to any person or device that gains access to these systems or data.

Maintenance
The University’s Information Security Office (ISO) is responsible for the maintenance and revision of this document.

Authority
The ISO is charged with executing this plan by virtue of its original charter and various policies such as the Computing Policy, Information Security Policy, and HIPAA Policy.

Relationship to other Policies
This plan incorporates the risk profiles for Institutional Data as outlined in the Guidelines for Data Classification.

Relationship to Other Groups at CMU
The ISO acts on behalf of the University community and will ask for cooperation and assistance from community members as required. The ISO also works closely with University administrative groups such as the Student Life Office, Human Resources, and the Office of General Counsel in investigations and e-discovery matters, and at their behest may assist Law Enforcement.
Definitions

Event
An event is an exception to the normal operation of IT infrastructure, systems, or services. Not all events become incidents.

Incident
An incident is an event that, as assessed by ISO staff, violates the Computing Policy; Information Security Policy; other University policy, standard, or code of conduct; or threatens the confidentiality, integrity, or availability of Information Systems or Institutional Data.

Incidents may be established by review of a variety of sources including, but not limited to, ISO monitoring systems, reports from CMU staff or outside organizations, and service degradations or outages. Discovered incidents will be declared and documented in ISO’s incident documentation system.

Complete IT service outages may also be caused by security-related incidents, but service outage procedures will be detailed in Business Continuity and/or Disaster Recovery procedures.

Incidents will be categorized according to the potential for restricted data exposure or the criticality of the resource, using a High-Medium-Low designation. The initial severity rating may be adjusted during plan execution.

Detected vulnerabilities will not be classified as incidents. The ISO employs tools to scan the CMU environment and, depending on the severity of found vulnerabilities, may warn affected users, disconnect affected machines, or apply other mitigations. In the absence of indications of sensitive data exposure, vulnerabilities will be communicated and the ISO will pursue available technology remedies to reduce that risk.

Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
• Social security number
• State-issued driver’s license number
• State-issued identification card number
• Financial account number in combination with a security code, access code or password that would permit access to the account
• Medical and/or health insurance information

Protected Health Information (PHI)
PHI is defined as "individually identifiable health information" transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component, as defined in Carnegie Mellon’s HIPAA Policy. PHI is considered individually identifiable if it contains one or more of the following identifiers:

• Name
• Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
• All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial numbers
• Universal Resource Locators (URLs)
• Internet protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic or code that could identify an individual

Per Carnegie Mellon’s HIPAA Policy, PHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act or employment records held by the University in its role as an employer.

Roles and Responsibilities
The Incident Response Process incorporates the Information Security Roles and Responsibilities definitions and extends or adds the following Roles.

Incident Response Coordinator
The Incident Response Coordinator is the ISO employee who is responsible for assembling all the data pertinent to an incident, communicating with appropriate parties, ensuring that the information is complete, and reporting on incident status both during and after the investigation.

Incident Response Handlers
Incident Response Handlers are employees of the ISO, other CMU staff, or outside contractors who gather, preserve and analyze evidence so that an incident can be brought to a conclusion.

Insider Threats
Insiders are, according to CERT [1], current or former employees, contractors, or business partners who have access to an organization’s restricted data and may use their access to threaten the confidentiality, integrity or availability of an organization’s information or systems. This particular threat is defined because it requires special organizational and technical amendments to the Incident Response Plan as detailed below.

[1] This is a paraphrase of the definition presented in the Software Engineering Institute’s 2009 publication entitled “Common Sense Guide to Prevention and Detection of Insider Threats” (Cappelli et al., third edition, v3.1).

Law Enforcement
Law Enforcement includes the CMU Police, federal and state law enforcement agencies, and U.S. government agencies that present warrants or subpoenas for the disclosure of information. Interactions with these groups will be coordinated with the Office of General Counsel (see below).

Office of General Counsel (OGC)
The University’s Office of General Counsel (OGC) is the liaison between the ISO and outside Law Enforcement, and will provide counsel on the extent and form of all disclosures to law enforcement and the public.

Officers
Officers are the staff designates for the various regulatory frameworks with which the University is required to comply.

Users
Users are members of the CMU community or anyone accessing an Information System, Institutional Data or CMU networks who may be affected by an incident.

Methodology
This plan outlines the most general tasks for Incident Response and will be supplemented by specific internal guidelines and procedures that describe the use of security tools and/or channels of communication. These internal guidelines and procedures are subject to amendment as technology changes. It is assumed that these guidelines will be documented in detail and kept up-to-date.

Constituencies
The ISO represents the entire University’s Information System(s) and Institutional Data, supporting the Users. Some departments and schools maintain their own IT staffs, and some branches of the university are located in other cities or countries. To the extent possible, the ISO will attempt to coordinate its efforts with these other groups and to represent the University’s security posture and activities. Since the ISO is primarily concerned with preventing the disclosure of PII and ePHI, its responses to incidents and threats will be conditioned by the role of the Users with regard to PII and ePHI.

Evidence Preservation
The goal of Incident Response is to reduce and contain the scope of an incident and ensure that IT assets are returned to service as quickly as possible. Rapid response is balanced by the requirement to collect and preserve evidence in a manner consistent with the requirements of rules 26-34 of the Federal Rules of Civil Discovery, and to abide by legal and Administrative requirements for documentation and chain of custody. ISO will maintain and disseminate procedures to clarify specific activities in the ISO and in CMU departments with regard to evidence preservation, and will adjust those procedures as technologies change.

Operational-Level Agreements, Governance
Computing groups have operational-level agreements with the customers they serve. Interruption of service is a hardship and the ISO will cooperate with these groups to ensure that downtime is minimized. However, the ISO’s management supports the priority of investigation activities where there is significant risk, and this may result in temporary outages or interruptions.

Staffing for an Incident Response Capability, Resiliency
The ISO will endeavor to maintain sufficient staffing and third-party augmentation to investigate each incident to completion and communicate its status to other parties while it monitors the tools that detect new events. Insufficient staffing will impact rapid response capability and resiliency, as will degradation of the tools used for detection, monitoring, and response.

Training
The continuous improvement of incident handling processes implies that those processes are periodically reviewed, tested and translated into recommendations for enhancements. CMU staff inside and outside of the ISO will be periodically trained on procedures for reporting and handling incidents to ensure that there is a consistent and appropriate response to incidents, and that post-incident findings are incorporated into procedural enhancements.

Incident Response Phases
The basic incident process encompasses six phases: preparation, detection, containment, investigation, remediation and recovery. The dynamic relationship between those phases is highlighted in Figure 1. These phases are defined in NIST SP 800-61 (Computer Security Incident Handling Guide). The ISO’s overall incident response process includes detection, containment, investigation, remediation and recovery, documented in specific procedures it maintains. This plan is the primary guide to the preparation phase from a governance perspective; local guidelines and procedures will allow the ISO to be ready to respond to any incident. Recovery includes re-evaluating whether the preparation or specific procedures used in each phase are appropriate and modifying them if inappropriate.

Figure 1

Preparation
Preparation includes those activities that enable the ISO to respond to an incident: policies, tools, procedures, effective governance and communication plans. Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents should form the basis for continuous improvement of this stage.

Detection
Detection is the discovery of the event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident.

Containment
Containment is the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established. This phase includes sub-procedures for seizure and evidence handling, escalation, and communication.

Investigation
Investigation is the phase where ISO personnel determine the priority, scope, and root cause of the incident.

Remediation
Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, and analysis that confirms the threat has been contained. The determination of whether there are regulatory requirements for reporting the incident (and to which outside parties) will be made at this stage in cooperation with OGC. Apart from any formal reports, the post-mortem will be completed at this stage as it may impact the remediation and interpretation of the incident.

Recovery
Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.

Specific procedures related to this Incident Response Plan are documented at the ISO’s Policies and Procedures internal site.

Guidelines for the Incident Response Process
In the process of responding to an incident, many questions arise and problems are encountered, any of which may be different for each incident. This section provides guidelines for addressing common issues. The Incident Response Coordinator, Director of Information Security and Office of General Counsel should be consulted for questions and incident types not covered by these guidelines.

Insider Threats
In the case that a particular Incident Response Handler is a person of interest in an incident, the Incident Response Coordinator will assign other Incident Response Handlers to the incident.

In the case that the Incident Response Coordinator is a person of interest in an incident, the Director of Information Security will act in their stead or appoint a designee to act on their behalf.

In the case that the Director of Information Security is a person of interest in an incident, the Chief Information Officer (CIO) will act in their stead or appoint a designee to act on their behalf.

In the case that another CMU administrative authority is a person of interest in an incident, the ISO will work with the remaining administrative authorities in the ISO’s reporting line to designate a particular point of contact or protocol for communications.

Interactions with Law Enforcement
All communications with external law enforcement authorities are made after consulting with the Office of General Counsel. The ISO works with CMU Police, where authorized by OGC, to determine their information requirements and shares the minimum necessary information as required for incident response.

Communications Plan
All public communications about an incident or incident response to external parties outside of CMU are made in consultation with OGC and Media Relations. Private communications with other affected or interested parties contain the minimum information necessary. The minimum information necessary to share for a particular incident is determined by the Incident Response Coordinator and the Director of Information Security in consultation with OGC or other campus administrative authorities.

Privacy
The Computing Policy provides specific requirements for maintaining the privacy of University affiliates. All incident response procedures will follow the current privacy requirements as set out in the Computing Policy. Exceptions must be approved by OGC.

Documentation, Tracking and Reporting
All incident response activities will be documented to include artifacts obtained using methods consistent with chain of custody and confidentiality requirements. Incidents will be prioritized and ranked according to their potential to disclose restricted data. As an investigation progresses, that ranking may change, resulting in a greater or lesser prioritization of ISO resources.

Incidents will be reviewed post-mortem to assess whether the investigational process was successful and effective. Subsequent adjustments may be made to methods and procedures used by the ISO and by other participants to improve the incident response process.

Artifacts obtained during the course of an investigation may be deleted after the conclusion of the investigation and post-mortem analysis unless otherwise directed by OGC.

Escalation
At any time during the incident response process, the Incident Response Coordinator and the Director of Information Security may be called upon to escalate any issue regarding the process or incident.

The Incident Response Coordinator and Director of Information Security in consultation with OGC will determine if and when an incident should be escalated to external authorities.

Further Information
Further information on the Computer Security Incident Response Plan and associated procedures can be obtained from the Incident Response Coordinator of the ISO via iso-[email protected] or 412-268-2044.

Revision History

Version   Date          Author           Description
1.0       13-FEB-2015   Laura Raderman   Initial Document