Gem Infosys (hereafter also referred to as “the Company”) is a small software company which has decided to enhance the security of its computer systems after suffering a two-day network operations shutdown following a severe malware attack. Information security breaches may arise at any time and result in severe impacts; therefore, it is important to implement an incident-response policy to reduce the Company’s network downtime in the event of network security incidents. Wood and Lineman (2009) define incident response as a well-planned approach to managing the aftermath or consequences of an information security incident – an attack or breach. The ultimate goal of an incident response strategy is to manage the situation effectively and efficiently so as to limit associated damages and reduce recovery costs, time and effort.
2.0 Incident-response policy
The aim of this policy is to provide guidance on standards, protocols, best practices, and strategies necessary for Gem Infosys to reduce network downtime if future network security incidents occur.
2.2 Scope and applicability
The policy is applicable to the Company’s management, all employees, and vendors and contractors. In addition, it covers the following major information assets used by the Company: a firewall, three file servers, two Web servers, one Windows 2008 Active Directory server for user access and authentication, ten PCs, and a broadband connection to the Internet. The policy also covers the following elements: development of an incident-response team, disaster-recovery processes, and business-continuity planning.
2.3.1 Development of an incident-response team
Developing a competent incident-response team is the first step in implementing an incident-response policy. The incident-response team consists of IT personnel who are contacted to restore functionality in case of a security incident. The following are the roles and responsibilities of different members of the incident-response team:
- Senior IT manager or Chief Information Officer (CIO) or Chief Information Security Officer (CISO): oversee the management of network security incidents while making decisions regarding specific incidents and notifying appropriate stakeholders.
- Incident response manager: manage the incident response process and coordinate post-incident reviews.
- Incident response lead: coordinate the work of small teams performing response tasks.
- Multi-disciplinary internal team (legal representative, PR officer and business management): perform different incident-response tasks.
- Vendor representatives: provide system-specific professional guidance and consultancy.
2.3.2 Disaster-recovery processes
All IT users and/or employees are required to immediately report existing and suspected information security incidents to the incident-response team via email, telephone, or in person.
The incident-response team should apply relevant forensic techniques and review logs (derived from information systems, the firewall, servers, DHCP, and Active Directory) to clearly understand the incident at hand and protect evidence from damage. People who report security incidents, victims, and witnesses will also be interviewed by authorized personnel. This helps the team understand the security incident, along with its scope of impact, the sensitivity and criticality of the affected information assets, and the probability of breach propagation, so that remediation is effective and efficient.
The incident-response team should log the incident in the “Incident Tracking System”, and conduct appropriate procedures needed to proactively eliminate or lessen the overall impact of compromise of affected assets – containment and remediation. Typically, the goals of containment and remediation are to (Shimonski, 2003; Wood & Lineman, 2009):
- Prevent potential loss of sensitive or confidential data, for example, by changing firewall rules.
- Prevent propagation of the security breach or further damage, for example, by blocking affected systems, locking a user account, blocking some services or ports, updating anti-virus software, isolating affected computers or subnets, or disabling VPN access.
- Plan for IT user training and awareness.
- Notify external personnel such as law enforcement.
- Restore affected network resources and services to their desired state, which could encompass the following procedures:
  - Re-installation of affected IT systems from scratch.
  - Restoration of data or applications from backup.
Members of the incident response team will uphold confidentiality of data such as people’s names, date of birth, credit card details, salary, postal or physical address, telephone number, social security number, and medical information.
A post-incident analysis and report must be prepared for security incidents falling under “Critical” and “Serious”. Moreover, such a report should be developed if requested by senior company management or IT personnel. Evidence should also be preserved and protected from potential breaches (Shimonski, 2003).
Follow-up is also important to ensure that implemented measures are effective. Additionally, it helps document lessons learned from the recovery process and make sound recommendations for preventing future incidents.
2.3.3 Business-continuity planning
Business-continuity planning defines how a business operates after an incident towards returning to normal operations as quickly as possible. The sensitivity and criticality of information assets facing potential disruption challenges as well as the overall impact of a security incident are often used as the main prioritization factors regarding business-continuity planning (Shimonski, 2003). The following are major classifications of information security incidents and typical associated information assets based on the severity levels of threats related to them:
- Critical: extended outage, complete violation of information, necessitating business continuity action, massive legal liabilities, large financial costs, impact on human safety, and permanent loss of an information asset. Information assets under this category include the Web servers and the Windows 2008 Active Directory server.
- Serious: significant outage, loss of customers, damaged corporate confidence, and considerable compromise of sensitive data. File servers fall under this category.
- Damaging or significant: damaged reputation, considerable effort needed to repair, embarrassment, and loss of confidence. The firewall and broadband Internet connection fall under this category.
- Minor and insignificant: insignificant/no impact, noticeable by only a small number of people, and minimal effort needed to repair or restore. For example, PCs.
The business-continuity planning encompasses (Wood & Lineman, 2009):
- A backup strategy: an effective backup and recovery strategy is critical to successful incident response and business-continuity planning. The backup strategy should assure continuity as the incident-response team attempts to restore functionality to normalcy. For example, critical data and systems such as file and Web servers and Active Directory should be deployed into redundant infrastructures through replicating data to external storage devices, cloud environments, or to PCs kept in secure off-site locations from where quick restoration can be executed.
- Documented business continuity planning procedures and agreed relocation strategies.
- Alternative means of running operations and processes.
- Communication plan.
The incident-response team will handle the security incident process through analysis or assessment, containment and remediation, reporting, and follow-up. Business-continuity planning seeks to minimize disruption of network resources in case of a security incident, and it will be managed adequately and appropriately in the order of impact severity. For example, data breaches related to user PCs may result in insignificant damages in loss of workforce productivity and/or efficiency. However, if Web servers are compromised, then the Company might experience a considerable loss of workforce efficiency or productivity, revenue, reputation, customer trust and confidence, or legal liabilities arising from confidential data breaches. Therefore, it is important to classify information security incidents and associated assets based on the severity levels of threats related to them to ensure that the disaster-recovery and business-continuity planning processes are effective.
Shimonski, R. J. (2003). Make an Incident Response Plan. Retrieved from http://www.windowsecurity.com/articles-tutorials/misc_network_security/Make_an_Incident_Response_Plan.html
Wood, C. C., & Lineman, D. (2009). Information Security Policies Made Easy Version 11. Information Shield, Inc.