ADMINISTRATIVE POLICY
TITLE: Security Incident Response and Reporting / POLICY NUMBER
IT-13-105
EFFECTIVE: April 2, 2013
REVISED:
PURPOSE
Chapter 71A-1.014 Florida Administrative Code says “Each agency shall establish a Computer Security Incident Response Team (CSIRT) to respond to suspected computer security incidents by identifying and controlling the incidents, notifying designated CSIRT responders, and reporting findings to agency management”.
SCOPE
This policy is applicable agency-wide.
AUTHORITY
F.A.C. Chapter 71A-1.014
DISTRIBUTION
The following individuals should be notified of this policy / Method of notification
DMS Executive Leadership /
- Detailed review by CIO
DMS Employees designated as CSIRT members /
- Detailed review by CIO
All DMS Employees /
- E-mail with instructions to report suspected security issues
- Information Security Awareness Training
- The Workplace and DMS Web Site
DEFINITIONS
Word/Term / Definition
CSIRT / Computer Security Incident Response Team
Incident; or Security Incident; or Computer Security Incident / Any adverse event that threatens the confidentiality, integrity, or availability of state agency information resources.
ISM / Information Security Manager, as appointed by each agency head.
POLICY
This policy establishes and describes the agency CSIRT and its responsibilities. This policy has a companion process document for specifying security incident response and reporting procedures. It also prescribes an incident tracking log, and an incident reporting form.
Background
Computer systems are subject to a wide range of mishaps, from corrupted data files, to viruses, to natural disasters. Some of these mishaps can be fixed through day-to-day operating procedures. For example, frequently occurring events (e.g., a mistakenly deleted file) can usually be readily repaired (e.g., by restoration from the backup file). More severe mishaps, such as outages caused by natural disasters, will normally be addressed by Continuity of Operations (COOP) and IT Disaster Recovery (DR) plans.
Other damaging events result from deliberate malicious technical activity (e.g., the creation of viruses, system intrusion, or stolen data). Such activity can be initiated by an outsider (non-State system user) or an insider (State system user). This policy provides details regarding the responsibilities and procedures for responding to, and reporting on, computer security incidents which may occur within, or affect, the agency. Although the threats that hackers and malicious code pose to systems and networks are well known, the occurrence of such harmful events remains unpredictable.
Computer Security Incidents
A computer security incident, or cyber security incident, is any adverse event that threatens the confidentiality, integrity, or availability of state agency information resources. It is the compromise of information, or an attempt to compromise information. Events can have actual or potential harmful effects on information resources and technology. Incidents may be:
- Loss or corruption of information (by malicious or unknown means)
- Exposure of proprietary, confidential, sensitive, or exempt information, either accidental or purposeful
- A system attack or unauthorized access – from the outside or inside
- Misuse of information or systems
- Loss or theft of data devices containing sensitive or confidential information
- Attempts to produce failures that may cause loss of life or significant impact on the health and economic security of the state.
Computer Security Incident Response Team (CSIRT)
A Computer Security Incident Response Team is an organization or team that provides services and support to a defined constituency, in this case the Department of Management Services, for responding to, handling, and reporting computer security incidents, and for providing reactive and proactive approaches to security incident management. The role of the CSIRT is to respond rapidly to any suspected security incident by identifying and controlling the suspected incident, following incident response procedures, notifying users of procedures to preserve evidence, and reporting all findings to management.
The DMS CSIRT is comprised of three core members:
- The Chief Information Officer or his/her designee
- The Information Security Manager
- The Inspector General or his/her designee
In addition to the core members listed above, the following resources will be considered support members to be called upon when needed:
- The General Counsel or his/her designee
- The Director Human Resources or his/her designee
- The Director Public Communications or his/her designee
Maintaining an active CSIRT is the responsibility of the CIO. The CIO is responsible for all CSIRT activities, and ensuring the CSIRT operates according to applicable authorities, policies, and standard practices.
The Information Security Manager (ISM) is the Team Leader of the CSIRT. The core CSIRT shall meet at least quarterly, and at a minimum:
- Review incident response procedures
- Review a log of incidents
- Discuss opportunities for improvements
Team Member Roles and Responsibilities
CIO
- Assist in coordinating with application development teams, the network and telephone support team, and Division of Telecommunications experts.
- Assist in coordinating with outside entities for assistance, such as the Southwood Shared Resource Center (SSRC) and the Office of Information Security.
Inspector General
- Establish and coordinate all investigative activities as deemed necessary.
- Coordinate with outside law enforcement entities.
Information Security Manager
- Own and manage incident response and reporting procedures
- Close incidents and perform incident reporting
- Convene quarterly CSIRT meetings
- Convene CSIRT as necessary for incident response
- Manage and maintain an incident log
- Maintain a CSIRT page on The Workplace, listing the CSIRT members and important contact information
- Inform users who are affected by a security incident of necessary actions to take
General Counsel
- Provide legal support
- Brief other members on privacy and other legal issues
- Advise public communications resources as necessary
- Act as liaison with outside legal counsel
Director Human Resources
- Provide HR support
- Advise other members on personnel policies and procedures
- Make recommendations on handling sensitive employee information
Director Public Communications
- Act as single point of contact for the media
- Create any press releases
- Obtain legal advice before any interview or release of information
- Obtain confirmation from the IG as necessary to ensure actions do not interfere with investigations
Security Incident Classification
It is the responsibility of the ISM as the CSIRT Team Leader to classify security incidents into three classes based on the severity of the incident: Class 1, Class 2 and Class 3.
Class 1: Local/Low Impact
Class 2: Local/High Impact
Class 3: Interagency/High Impact
Class 1 Incidents: Localized, minor, and may not require full CSIRT involvement. This type of incident may be reviewed by the appropriate staff as determined by the CSIRT Team Leader. The Team Leader may escalate a Class 1 incident into a Class 2 incident if deemed appropriate. Examples of Class 1 incidents are:
- Localized virus attacks
- Internet abuse, excluding criminal behavior
- Incidents traceable to user error or system failure
- Minor attempts at network intrusion or scanning
- Missing or lost IT devices or equipment
Class 2 Incidents: Usually handled within the Agency and may be reported to the Office of Information Security (OIS) for assistance in the event of escalation and the need to report the incident to other agencies. Examples of Class 2 incidents are:
- Coordinated, distributed attacks
- System-wide network or database attacks (virus, worm, etc.)
- Any attacks which cause Denial of Service (DoS)
- Financial fraud involving computers
- Unauthorized activity involving a file server or host
- Theft or accidental exposure of confidential, sensitive, exempt, or proprietary information
- Unauthorized activity involving a sensitive system (HR, Legal, Financial, etc.)
- Internet abuses which violate either State or Federal Law
- Theft of IT devices
- Security non-compliance by contracted service providers
Class 3 Incidents: Class 2 incidents reported to the Office of Information Security, and determined to potentially have an enterprise wide impact. The Office of Information Security is responsible for reporting all Class 3 incidents to all agencies.
Escalation: Classification of an incident can be escalated by:
- Decision of the CSIRT Team Leader
- Determination of the CIO or IG
- Escalating events (e.g. emergence of a distributed, coordinated attack)
- Request by executive management or agency head
Security Incident Response and Reporting
The CSIRT Team Leader and the CSIRT will handle and manage security incidents according to the Security Incident Response and Reporting Process document related to this policy.
Office of Information Security Notification
The CIO will notify the Office of Information Security, within the Agency for Information Technology, of computer security incidents, including suspected or confirmed breaches, within 24 hours of discovery.
A breach is defined in F.A.C. 71A-1.002 as “unlawful and/or unauthorized access of computerized data that materially compromises the security, confidentiality, or integrity of personal information.”
RESPONSIBILITIES
Individual or Group / Responsibilities
CSIRT /
- Each team member's responsibilities are as described in the Team Member Roles and Responsibilities listed above.
- Report all suspected security incidents to the ISM
Agency Executive Team and Division Directors /
- Maintain an understanding of this policy and Incident Response and Reporting procedures for the agency.
Employees and Contractors /
- Report any suspected computer security incidents to the Information Security Manager.
Information Security Manager /
- Maintain a log of all incidents addressed and handled.
- Maintain contact information on The Workplace, and on the DMS Web Site.
Page 1 of 6 DMS Policy No. IT-13-105
Security Incident Response and Reporting