Incident Response Policy. Enterprise Security Office Forum, November 20th, 2008.

Page 1: Incident Response Policy

Enterprise Security Office Forum

November 20th, 2008

Page 2: Welcome

Theresa Masse, State CISO

Page 3: Agenda

Policy Overview

Roles and Responsibilities

Resources For Agencies

Agency Panel

Questions

Page 4: Incident Response Policy

Why do we need it?

Increasing value of information

Increasing risk to information

Increasing penalties for failure to safeguard: PCI, HIPAA, OCITPA (aka SB583)

2005 Legislature HB3145 -> ORS 182.122

Page 5: Policy Goals

Develop Statewide Incident Response (IR)

Develop Agency Incident Response

Incident Reporting

Timely Response Coordination

Data Collection

Page 6: What Information Is Covered by Policy?

All Information:

Electronic

Written

Verbal

Page 7: Key Policy Elements: Incident

What is an “incident” we should report?

Defined in Policy

Remember Policy Goals! Will reporting this incident help?

Four Key Elements:

Involves security of information

Is unwanted or unexpected

Shows harm or significant threat of harm

Requires non-routine response

Page 8: Key Policy Elements: Incident

Common pitfall for IR plan authors: Incident vs. “SB583 Breach”

Incident: Information Security Incident

Breach: PII Exposure, per OCITPA (aka SB583)

All Breaches are Incidents

Not all Incidents are Breaches

Page 9: Key Policy Elements: Responsibilities

State Incident Response Team (SIRT)

State Data Center (SDC)

Agencies

Page 10: SIRT Responsibilities

Statewide Incident Response Program: Policy, Plan, Procedures, Reporting

Data Aggregation and Reporting

Incident Response – When will the SIRT respond?

Multi-Agency / Statewide Impact

Agency Assistance Required

SB583 Breaches

Incident Forensics Capabilities

Page 11: SDC Responsibilities

Monitoring, Alerting

Incident Response

State Wide Area Network (WAN)

SDC-hosted Infrastructure

Page 12: Agency Responsibilities

Agencies are responsible for their own information

Agency IR Capabilities: Policy, Plan, Procedures

Agency Information Incidents: Detection, Response, Follow-up, Protection

SIRT Point of Contact

Assist SIRT

Page 13: SDC Response Chart

(Chart only; no text captured in the transcript.)

Page 14: Agency Response Chart

(Chart only; no text captured in the transcript.)

Page 15: Agencies Need To:

Create or Adopt Policy

Develop Plan

Develop Capabilities

Create Procedures

Assign Point of Contact

Policy Compliance Date: May 1, 2009

Page 16: “IR” Is Not Just “IT”

IR Requires Agency Business Participation

Not all information is electronic

Business drives response

Incident detection happens anywhere in the agency – not just in the IT department

Page 17: Resources For Agencies

Website overview

Plan Template

Educational Resources

Qualified Vendors List

Point of Contact Form

Potential IR workshops

Page 18: IR Website

http://www.oregon.gov/DAS/EISPD/ESO/SIRT.shtml

Page 19: IR Plan Template

http://www.oregon.gov/DAS/EISPD/ESO/docs/SIRT/IncidentResponsePlanTemplate.doc

Page 20: Educational Resources

Carnegie Mellon CERT: http://www.cert.org/work/training.html

SANS Institute: http://www.sans.org/sans_training.php

InfoSec Institute: http://infosecinstitute.com/courses/security_training_courses.html

Page 21: Master Services Contract

Qualified Vendors List:

Incident Response

Forensics

Breach Services

Currently in DAS Procurement

ETA...

Page 22: Agency Point of Contact

This form (available on our website) needs to be completed for every agency and given to the SIRT.

Page 23: Guest Speakers

Agency Experiences Developing Incident Response Capabilities

Bret West – DAS

Richard Rylander – DOJ

Page 24: Incident Response Policy and Plan Development

Bret West, Operations Division Administrator

Department of Administrative Services

Page 25: DAS Incident Response Policy and Plan Development

The assignment: Develop and implement DAS’ internal incident response program

The timeframe: Concurrently with development and adoption of the statewide Enterprise Security Office IRP policy

Why concurrently? To inform ESO policy/plan development

Page 26: DAS Incident Response Policy and Plan Development

Process

Engaged DAS IT Management Council

Governing body for DAS internal IT

Made up of representatives from all DAS divisions

Good mix of division administrators/staff; technical/non-technical; management/classified

Established subcommittee to work through details

Discussed roles and responsibilities of IT staff vs. data owners

Page 27: DAS Incident Response Policy and Plan Development

Process

Presented draft policy, plan and informational flyer to IT Management Council

Identified changes needed through robust council discussion

Presented final package to DAS Executive Team for adoption

Page 28: DAS Incident Response Policy and Plan Development

Challenges

Timeline

Ensuring stakeholder engagement

Clearly delineating roles and responsibilities:

DAS Ops (internal) vs. SDC and ESO (external)

Data owners vs. IT staff

Communication/Reporting

Resuming business operations

Page 29: DAS Incident Response Policy and Plan Development

Path to Success

Used ESO templates for the policy, plan and awareness flyer

Engaged business partners and executive team

Realized that the plan would evolve with experience

Identified gaps in staffing/skill sets

Work with agency communications team to roll out the policy

Page 30: Guest Speakers – Part II

Agency Experiences Developing Incident Response Capabilities

Bret West – DAS

Richard Rylander – DOJ

Page 31: DOJ Security Incident Response

Richard Rylander, Security Coordinator

Department of Justice

Page 32: Agenda

Incident Types

Challenges

Planning

Mistakes

Incident data

Benefits

Resources

Page 33: Incident Types

Malware and Spyware Infection

Viruses and Worms Infection/Outbreak

Breach of Acceptable Use Policy

Breach of security policy or procedures

Loss or theft of physical or electronic media

Data Loss

Page 34: Challenges

Who owns incident response? Management, Employees, Information Technology

Who is responsible for incident response? Roles and responsibilities

Communications Plan

Escalation

Page 35: Challenges

Business Concerns

Reporting

Incident impact

Notification requirements

Media

Law enforcement

Page 36: Challenges

Business Concerns – cont’d

Data Loss: Physical or electronic

Financial Loss

Legal requirements

Loss of productivity

Page 37: Challenges

Information Technology Concerns

What data was compromised? Physical or electronic

How was the data compromised?

How many systems were affected?

Was the data loss preventable?

Was there inside involvement?

Was there outside involvement?

Was the data encrypted?

Page 38: Planning

Create an incident response process flow

Create a responsibility matrix

Create a communications plan

Page 39: Incident Response Flow Diagram

(Boxes and decision points captured from the diagram; the connecting arrows were not preserved in the transcript. Boxes marked “(document)” require documentation at that step.)

Detection and triage:

Incident Detection

CSC Notified

CSC Contacts SIRT Member Based on Incident Location

SIRT Member Conducts Initial Investigation

Security Incident? (Yes / No) – No: Close Security Incident

Investigation and response:

Forensic Duplication of Data (as required)

Continue Investigation / Determine Response (document)

Notify CIO

Escalate (Yes / No)

Response (document)

Concurrent activities:

Communications (internal)

Communications (external)

Determine Business Impact (document)

Collect Evidence (document)

Monitor Systems

Isolate & Contain (as necessary)

Apply Corrective Actions

Property Loss? (Yes / No) – Yes: Property Loss Policy, Risk Management Notification, Update Risk Management

Recovery and closure:

Recovery (document)

Return System(s) to Normal Operation

Identify Lesson(s) Learned (document)

Implement Improvements or Corrections from Lesson(s) Learned

Develop Final Report

Deliver findings to CIO & Management

Page 40: Develop a Responsibility Matrix

| Role | Report | Detect/Monitor | Evaluate | Containment | Communicate | Respond/Correct | Recover | Document |
|---|---|---|---|---|---|---|---|---|
| Chief Information Officer | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| IS Management | R | I | I/C/R | I/C | I/C/R | I/C | I | I/C/R |
| Security Officer | R | C/R | I/C/R | I/C | I/C | I/C | I | I/C/R |
| Network Security Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Administrator | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Network Services Team | R | C/R | I/C/R | C/R | I/C | I/C/R | I/C/R | I/C/R |
| Mainframe Team | R | C/R | I/C/R | C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Desktop Services Team | R | C/R | I/C | I/C | I/C | I/C/R | I/C/R | I/C/R |
| Customer Services Team | R | C/R | I/C | I/C | I/C | I/C | I/C | I/C/R |
| Application Development Team | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| Division Management | R | C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |
| All DOJ Employees | R | C/R | n/a | I/C | I/C | I | I | I/C |
| Risk Management | I | I | I/C/R | I/C/R | I/C/R | I/C | I/C | I/C/R |
| State Data Center (SDC related) | R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R | I/C/R |

R = Responsible, C = Contributes, I = Informed

Page 41: Incident Response Mistakes

Page 42: Incident Response Mistakes

Failure to mitigate the risk

Shut down the attack point. Do not get caught up in ‘fire fighting’ mode.

Isolate and prevent the incident from spreading unless there is a reason to permit the attack to continue.

Do not underestimate the scope of the incident.

Page 43: Incident Response Mistakes

Failure to learn from past incidents

Modify security controls and training materials to reflect lessons learned.

Failure to document incident procedures

Provide communication plan.

Provide reporting and documentation requirements.

Document all incidents in detail.

Page 44: Oregon Incidents 2008

Nov. 1, 2008: Veterans Affairs Medical Center (Portland, OR), 1,600 records. Personal information, including some Social Security numbers, of patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site.

June 4, 2008: Oregon State University (Corvallis, OR), 4,700 records. The Oregon State Police are investigating the theft of personal information from online customers of the OSU Bookstore who used credit cards to purchase items.

April 28, 2008: Hough, MacAdam & Wartnik (North Bend, OR), 500 records. A notebook computer was stolen from a locked vehicle. The notebook's hard drive may have contained names, Social Security numbers, and other personal information.

Mar. 6, 2008: Cascade Healthcare Community (Prineville, OR), 11,500 records. A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of individuals who donated to Cascade Healthcare Community.

Source: http://www.privacyrights.org

Page 45: Notable Incidents

| Records | Organization | Date |
|---|---|---|
| 94,000,000 | TJX Companies Inc. | 01/17/2007 |
| 40,000,000 | CardSystems (Visa, MasterCard, American Express) | 06/19/2005 |
| 30,000,000 | America Online | 06/24/2004 |
| 26,500,000 | U.S. Department of Veterans Affairs | 05/22/2006 |
| 25,000,000 | HM Revenue and Customs | 11/20/2007 |
| 17,000,000 | T-Mobile, Deutsche Telekom | 10/06/2008 |
| 12,500,000 | Archive Systems Inc. / Bank of New York Mellon | 05/07/2008 |
| 11,000,000 | GS Caltex | 09/06/2008 |
| 8,637,405 | Dai Nippon Printing Company | 03/12/2007 |
| 8,500,000 | Certegy Check Services Inc. / Fidelity National Information Services | 03/07/2007 |

Source: http://datalossdb.org

Page 46: Benefits of Incident Response

User Awareness

Defined responsibilities

Defined response procedure

Defined Incident Response Policy

Defined communications plan

Measurable results

Page 47: Summary

Define responsibilities

Identify areas of challenge

Identify and create key documents

Communications Plan

Document in detail

Use resources available for assistance

Page 48: Resources

NIST – National Institute of Standards and Technology (http://csrc.nist.gov/)

SANS Institute (http://www.sans.org/)

US-CERT (http://www.us-cert.gov/)

RFC 2350 (http://www.ietf.org/rfc)

Richard Rylander, Oregon Department of [email protected]

Page 49: Questions?