Security Incident Reporting Checklist

REPORTING CRITERIA:

An incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system (or a related non-information system) or of the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. A major incident is likely to be categorized as a critical or high priority incident and is characterized by the following:

  • A service is completely unavailable (e.g. email, internet, VOIP, etc.)
  • Multiple users are impacted, or VIPs are impacted.
  • Critical Business Applications or Core Infrastructure Services are impacted.

Checklist:

1. ETS Staff Notified: ______ Date: ______
Person/Office Reporting Issue: ______

2. Service Center staff create a ticket with the following information. Summary: MAJOR INCIDENT: identify the services and/or business applications impacted, the number of users and VIPs impacted, and provide a detailed description of the issue. Contact person and phone number. Route the ticket to the appropriate ETS Group. All subsequent related tickets should have MAJOR INCIDENT in the Summary line.
Service Center staff will notify the Service Center/Escalation Manager.
Record Ticket #: ______

3. The Service Center/Escalation Manager will send an incident email to these Managers: Rebecca Skarr, Ann Baaten, Gary Renslo, Dionna Mustybrook, Maninder Hansra, Trisha Roman, Tracy Howard, and Allen Grand.

4. The appropriate ETS Manager responds and identifies the Technical Lead. The Technical Lead develops a Net!alert message and forwards it to the Service Center to be sent.
Technical Lead: ______

5. The Service Center/Escalation Manager refers to the appropriate Communication Checklist, based on the type of incident, and executes it. Net!alert messages continue in the morning, at midday, and prior to close of business until the major incident is resolved.

6. The Technical Lead documents status and/or workaround in the ticket and communicates to the Service Center Manager when possible.
(Skip #6 if this is a security incident.)

Major Security Incident Management Procedures

Technical lead refers to SIMM 5340-A.

ISO/Sec Ops will send an incident email to the Security Incident Response Team (SIRT). Use the Email Template (see EmailTemplate.docx).

ISO informs OLS, if appropriate.

Technical Lead categorizes the incident (e.g. loss, damage, or misuse of information assets; improper dissemination of information; breach of security involving personal information; malware; virus; etc.).
Security Category: ______

Technical Lead continues to work with the SIRT to capture any issues that require further action, follow-up items, and resolution steps.

Technical Lead uses RemediationSteps.docx to document the steps taken to resolve the issue.

ISO prepares the letter IncidentRemediationStepsAgreement.docx and executes it.

Incident Resolved:

7. The Technical Lead notifies the Service Center/Escalation Manager that the incident has been resolved and services are up and running.

8. Service Center staff validate that the incident is resolved, contact customers, and close all major incident tickets. The Service Center Manager sends a RESTORED Net!alert.

9. The primary ticket is closed when the Technical Lead provides a Root Cause Analysis, which is saved in the ticket.

For security incidents, skip to Security Incident Resolved.

10. The Service Center/Escalation Manager facilitates a Major Incident Recap meeting with the Support Group(s) covering what worked in the Major Incident Process, what needs improvement, and possible changes to be made to the process, if required (e.g. metrics, logs, type, etc.).

11. The Service Center/Escalation Manager takes suggested changes to the Service Management Team to make updates to the checklist and/or incident processes.

Security Incident Resolved:

ISO/Sec Ops facilitates a Major Incident Recap meeting with the Support Group(s) to discuss the workaround or resolution to the Major Incident* (lessons learned, and corrective actions to prevent or mitigate the risk of similar occurrences in the future).

ISO/Sec Ops discusses what worked in the Major Incident Process, what needs improvement, and possible changes to be made to the process (e.g. metrics, logs, type, etc.).

ISO/Sec Ops takes suggested changes to the Service Management Team to make updates to the checklist and/or incident processes.

*If no resolution is found, the issue moves into Problem Management to continue root cause analysis of the event. Once a resolution is found, implement the solution and write up a Knowledge Base article (future).


Version: 1.2

September 28, 2016