Sample Incident Response Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
==Document History==
==Sample Incident Response Standard==
<br>
This Incident Response Standard builds on the objectives established in the [[Sample_Threat_Assessment_and_Monitoring_Policy:|'''Threat Assessment and Monitoring Standard''']], and provides specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions. The Company will satisfy these requirements through a formal Security Incident Response Team (SIRT).
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Version'''
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2010 <Current date>
| Michael D. Peters '''<Owners's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - '''180''' - 365 '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 July 2010 '''<Date>'''
|}
<br>
 
=='''Sample Incident Response Standard'''==
<br>
The '''<Your Company Name>''' (the "Company") [[Sample Threat Assessment and Monitoring Policy:|'''Sample Threat Assessment and Monitoring Policy''']] defines objectives for establishing specific standards for assessing and monitoring threats to information assets.<br>
<br>
This Incident Response Standard builds on the objectives established in the [[Sample Threat Assessment and Monitoring Policy:|'''Sample Threat Assessment and Monitoring Policy''']], and provides specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions. The Company will satisfy these requirements through a formal Security Incident Response Team (SIRT).<br>
<br>


=='''I. Scope'''==
==Objectives==
<br>
# '''General Requirements'''
The Company SIRT will establish and maintain capabilities to respond effectively to electronic intrusions into the Company network infrastructure. SIRT analysis and planning activities will support proactive development of authorized, coordinated responses to incidents. The SIRT also will contribute to incident recovery activities after network intrusions are contained.<br>
## The Company shall develop a SIRT Concept of Operations (CONOP) that:
<br>
### Summarizes the overall mission of the SIRT
All SIRT members, as well as their management, are covered by the Incident Response Standard and must comply with its associated procedures and guidelines.<br>
### Defines the SIRT constituents and capabilities
<br>
### Defines the SIRT organizational structure
'''Information assets''' are defined in the '''[[Sample_Asset_Identification_and_Classification_Policy:| Sample Asset Identification and Classification Policy]]'''.<br>
### Defines specific roles and responsibilities of SIRT members
<br>
### Summarizes the operational capabilities of the team
'''Incident''' refers to an anomalous event that may indicate a security intrusion.<br>
## The SIRT, as defined in the CONOP, shall develop plans for responding to expected or typical types of intrusion events, as well as develop contingency plans for responding to new or unanticipated types of intrusions.
<br>
## The planned responses shall be dependent on the nature of the intrusion event and the criticality of the potentially impacted Company information assets.
'''Intrusion''' refers to malicious activity on or directed toward a system, application, network, or network device.<br>
## The SIRT shall maintain awareness of company information asset criticality definitions and shall develop incident response procedures that reflect these definitions.
<br>
## The SIRT shall work with other departments as necessary to coordinate, in advance, responses that may directly impact those departments.
'''Threats''' are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.<br>
## SIRT planning activities shall address the full response spectrum. One end of the spectrum includes information logging as well as personnel notification and alerting. The other end of the spectrum includes higher profile responses (e.g., blocking access to the external web site, denying access from specific external networks, etc.).
## The SIRT shall maintain metrics that address at least the following:
### Incidents detected per reporting period, by severity category
### Average time from incident detection to response initiation
### Average time from response initiation to incident containment
### SIRT performance during exercises
# '''Response Requirements'''
## A SIRT Incident Response Procedure shall be developed to describe how to:
### Confirm assigned priority for valid incidents.
### Conduct or execute pre-coordinated response plans based on incident category.
### Determine if incidents have been contained.
### Perform basic forensic process to support security investigations.
### Ensure consistent and timely reporting of SIRT response activities.
### Document "lessons learned" to improve SIRT operations.
### Initiate SIRT recovery efforts, if necessary.
## The SIRT shall verify the existence of network and system intrusions, and take actions to contain the threat, in accordance with the SIRT Incident Response Procedure.
## The type of threat activity, together with the criticality of potentially impacted assets, shall provide the direct basis for conducting the incident response.
## SIRT members shall perform their designated, pre-coordinated tasks, in accordance with the SIRT Incident Response Procedure.
## SIRT members shall meet periodically during the incident to check the status and effectiveness of the response.
## The SIRT shall coordinate with or notify impacted departments and external organizations as it conducts the incident response activities.
## The SIRT shall provide Company management with periodic status reports on the response activities.
## The SIRT shall transition to incident recovery activities when the incident or intrusion is contained and meets pre-defined SIRT recovery criteria.
## SIRT incident response capabilities shall be exercised, for evaluation purposes, at least annually. However, the SIRT members (with the possible exception of a senior SIRT manager) shall not be notified in advance of the exercises.
# '''Recovery Requirements'''
## A SIRT Incident Recovery Procedure shall be developed to describe how the SIRT will work within established business resumption and recovery capabilities.
## The SIRT Incident Recovery Procedure shall describe how to:
### Document SIRT damage assessment findings.
### Coordinate with Company departments or teams responsible for recovering impacted systems.
### Ensure consistent and timely reporting of recovery activities performed by the SIRT.
### Document "lessons learned" to improve SIRT operations.
<br>
<br>


=='''II. Requirements'''==
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
:'''A. General Requirements'''<br>
<br>
::1. The Company shall develop a SIRT Concept of Operations (CONOP) that:<br>
<br>
::*Summarizes the overall mission of the SIRT<br>
::*Defines the SIRT constituents and capabilities<br>
::*Defines the SIRT organizational structure<br>
::*Defines specific roles and responsibilities of SIRT members<br>
::*Summarizes the operational capabilities of the team<br>
<br>
::2. The SIRT, as defined in the CONOP, shall develop plans for responding to expected or typical types of intrusion events, as well as develop contingency plans for responding to new or unanticipated types of intrusions.<br>
<br>
::3. The planned responses shall be dependent on the nature of the intrusion event and the criticality of the potentially impacted Company information assets.<br>
<br>
::4. The SIRT shall maintain awareness of company information asset criticality definitions and shall develop incident response procedures that reflect these definitions.<br>
<br>
::5. The SIRT shall work with other departments as necessary to coordinate, in advance, responses that may directly impact those departments.<br>
<br>
::6. SIRT planning activities shall address the full response spectrum. One end of the spectrum includes information logging as well as personnel notification and alerting. The other end of the spectrum includes higher profile responses (e.g., blocking access to the external web site, denying access from specific external networks, etc.).<br>
<br>
::7. The SIRT shall maintain metrics that address at least the following:<br>
<br>
::*Incidents detected per reporting period, by severity category<br>
::*Average time from incident detection to response initiation<br>
::*Average time from response initiation to incident containment<br>
::*SIRT performance during exercises<br>
<br>
:'''B. Response Requirements'''<br>
<br>
::1. A SIRT Incident Response Procedure shall be developed to describe how to:<br>
<br>
::*Confirm assigned priority for valid incidents.<br>
::*Conduct or execute pre-coordinated response plans based on incident category.<br>
::*Determine if incidents have been contained.<br>
::*Perform basic forensic process to support security investigations.<br>
::*Ensure consistent and timely reporting of SIRT response activities.<br>
::*Document "lessons learned" to improve SIRT operations.<br>
::*Initiate SIRT recovery efforts, if necessary.<br>
<br>
::2. The SIRT shall verify the existence of network and system intrusions, and take actions to contain the threat, in accordance with the SIRT Incident Response Procedure.<br>
<br>
::3. The type of threat activity, together with the criticality of potentially impacted assets, shall provide the direct basis for conducting the incident response.<br>
<br>
::4. SIRT members shall perform their designated, pre-coordinated tasks, in accordance with the SIRT Incident Response Procedure.<br>
<br>
::5. SIRT members shall meet periodically during the incident to check the status and effectiveness of the response.<br>
<br>
::6. The SIRT shall coordinate with or notify impacted departments and external organizations as it conducts the incident response activities.<br>
<br>
::7. The SIRT shall provide Company management with periodic status reports on the response activities.<br>
<br>
::8. The SIRT shall transition to incident recovery activities when the incident or intrusion is contained and meets pre-defined SIRT recovery criteria.<br>
<br>
::9. SIRT incident response capabilities shall be exercised, for evaluation purposes, at least annually. However, the SIRT members (with the possible exception of a senior SIRT manager) shall not be notified in advance of the exercises. <br>
<br>
:'''C. Recovery Requirements'''<br>
<br>
::1. A SIRT Incident Recovery Procedure shall be developed to describe how the SIRT will work within established business resumption and recovery capabilities.<br>
<br>
::2. The SIRT Incident Recovery Procedure shall describe how to:<br>
<br>
::*Document SIRT damage assessment findings.<br>
::*Coordinate with Company departments or teams responsible for recovering impacted systems.<br>
::*Ensure consistent and timely reporting of recovery activities performed by the SIRT.<br>
::*Document "lessons learned" to improve SIRT operations.<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the Incident Response Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Incident Response Standard.<br>
<br>
SIRT Managers are the members that have primary responsibility for managing and leading SIRT routine operations and incident response efforts associated with their functional SIRT assignments. SIRT managers are responsible collectively for securing the budget for resources to support the SIRT; interfacing with Company execute management and business owners; working closely with the management of the departments that are functionally part of the SIRT; arranging periodic SIRT exercises including incident simulation and intrusion drills for third-party verification of the SIRT operational and response capabilities; leading efforts to develop the SIRT organizational structure, procedures, and operational budget; conducting post-mortem evaluations to capture lessons learned; ensuring the ongoing execution and performance of SIRT procedures; arranging periodic training for SIRT members and managing SIRT incident escalations; and ensuring that SIRT documentation is developed, approved, and distributed in a timely manner.<br>
<br>
Core SIRT members are those designated representatives from key Company departments that have primary responsibility for performing SIRT routine operations and incident response efforts. Core SIRT members are responsible collectively for representing their respective departments in SIRT operations; communicating SIRT information within their departments; leading departmental support for SIRT activities; coordinating 24x7 departmental support to the SIRT; interfacing with local, state, and federal law enforcement agencies to facilitate legal responses to incidents; assisting with development of baseline IDS configurations; supporting reviews of available Information Security sources to maintain currency with information that can assist SIRT operations; and advising the SIRT, in concert with existing troubleshooting and status procedures, on strategies for processing non-routine notifications and responding to security incidents.<br>
<br>
Supporting SIRT members are those designated representatives from key Company departments that supplement the core SIRT members by providing specific expertise or assistance. Supporting SIRT members are responsible collectively for representing their respective departments in SIRT operations; communicating SIRT information within their departments; leading departmental support for SIRT activities; providing legal advice to the SIRT and executive management; interface with management, employees, and contractors to facilitate personnel-related responses to incidents; assisting with internal communication on incident response and incident status information; leading external communication to the media and public regarding responses to incidents; and supporting reviews of available Information Security sources to maintain currency with information that can assist SIRT operations.<br>
<br>
Managers of SIRT members are responsible for working closely with SIRT management to ensure that their departmental representatives are performing their functionally assigned SIRT responsibilities, as well as the duties and tasks specified in approved SIRT procedures.<br>
<br>
 
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Incident Response Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Incident Response Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Incident Response Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Incident Response Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
<gallery>
Image:Incident Response Standard.png|Incident Response Standard page one of nine.
Image:Incident Response Standard(1).png|Incident Response Standard page two of nine.
Image:Incident Response Standard(2).png|Incident Response Standard page three of nine.
Image:Incident Response Standard(3).png|Incident Response Standard page four of nine.
Image:Incident Response Standard(4).png|Incident Response Standard page five of nine.
Image:Incident Response Standard(5).png|Incident Response Standard page six of nine.
Image:Incident Response Standard(6).png|Incident Response Standard page seven of nine.
Image:Incident Response Standard(7).png|Incident Response Standard page eight of nine.
Image:Incident Response Standard(8).png|Incident Response Standard page nine of nine.
</gallery>

Latest revision as of 15:24, 21 January 2014

Sample Incident Response Standard

This Incident Response Standard builds on the objectives established in the Threat Assessment and Monitoring Standard, and provides specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions. The Company will satisfy these requirements through a formal Security Incident Response Team (SIRT).

Objectives

  1. General Requirements
    1. The Company shall develop a SIRT Concept of Operations (CONOP) that:
      1. Summarizes the overall mission of the SIRT
      2. Defines the SIRT constituents and capabilities
      3. Defines the SIRT organizational structure
      4. Defines specific roles and responsibilities of SIRT members
      5. Summarizes the operational capabilities of the team
    2. The SIRT, as defined in the CONOP, shall develop plans for responding to expected or typical types of intrusion events, as well as develop contingency plans for responding to new or unanticipated types of intrusions.
    3. The planned responses shall be dependent on the nature of the intrusion event and the criticality of the potentially impacted Company information assets.
    4. The SIRT shall maintain awareness of company information asset criticality definitions and shall develop incident response procedures that reflect these definitions.
    5. The SIRT shall work with other departments as necessary to coordinate, in advance, responses that may directly impact those departments.
    6. SIRT planning activities shall address the full response spectrum. One end of the spectrum includes information logging as well as personnel notification and alerting. The other end of the spectrum includes higher profile responses (e.g., blocking access to the external web site, denying access from specific external networks, etc.).
    7. The SIRT shall maintain metrics that address at least the following:
      1. Incidents detected per reporting period, by severity category
      2. Average time from incident detection to response initiation
      3. Average time from response initiation to incident containment
      4. SIRT performance during exercises
  2. Response Requirements
    1. A SIRT Incident Response Procedure shall be developed to describe how to:
      1. Confirm assigned priority for valid incidents.
      2. Conduct or execute pre-coordinated response plans based on incident category.
      3. Determine if incidents have been contained.
      4. Perform basic forensic process to support security investigations.
      5. Ensure consistent and timely reporting of SIRT response activities.
      6. Document "lessons learned" to improve SIRT operations.
      7. Initiate SIRT recovery efforts, if necessary.
    2. The SIRT shall verify the existence of network and system intrusions, and take actions to contain the threat, in accordance with the SIRT Incident Response Procedure.
    3. The type of threat activity, together with the criticality of potentially impacted assets, shall provide the direct basis for conducting the incident response.
    4. SIRT members shall perform their designated, pre-coordinated tasks, in accordance with the SIRT Incident Response Procedure.
    5. SIRT members shall meet periodically during the incident to check the status and effectiveness of the response.
    6. The SIRT shall coordinate with or notify impacted departments and external organizations as it conducts the incident response activities.
    7. The SIRT shall provide Company management with periodic status reports on the response activities.
    8. The SIRT shall transition to incident recovery activities when the incident or intrusion is contained and meets pre-defined SIRT recovery criteria.
    9. SIRT incident response capabilities shall be exercised, for evaluation purposes, at least annually. However, the SIRT members (with the possible exception of a senior SIRT manager) shall not be notified in advance of the exercises.
  3. Recovery Requirements
    1. A SIRT Incident Recovery Procedure shall be developed to describe how the SIRT will work within established business resumption and recovery capabilities.
    2. The SIRT Incident Recovery Procedure shall describe how to:
      1. Document SIRT damage assessment findings.
      2. Coordinate with Company departments or teams responsible for recovering impacted systems.
      3. Ensure consistent and timely reporting of recovery activities performed by the SIRT.
      4. Document "lessons learned" to improve SIRT operations.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.