OVERVIEW

Any issue that results in customer downtime, degraded performance, security breach, loss of customer data or violation of privacy policy must be reported internally as an incident.

This plan is based on the guidelines set forth by Incident Response controls within NIST 800-53. See Incident Response Policy and Procedure for additional information.

MANAGEMENT OVERSIGHT

Leadership shall be responsible for assigning staff members to the Incident Management Team. This plan shall be reviewed and approved as per Management Oversight Policy.

This plan will be updated to address system/organizational changes or problems encountered during plan implementation, execution, or testing.

This plan shall be protected via the same document control process used for all information security policies, procedures and plans.

INCIDENT MANAGEMENT TEAM

The IT/Data Center Operations roles shall be responsible for handling incidents. The CISO shall be responsible for oversight of the function.

The focus of the team shall be primarily on protecting customer data and secondarily available of service to customers.

This plan shall be shared with all team members. Both annual and initial (on starting role) shall be required of all team members. Any significant changes to this plan shall be communicated to team members.

In certain cases, the Contingency Planning Policy may be impacted by incident(s). The CISO shall be responsible for determining if the Contingency Plan needs to be considered.

REPORTABLE INCIDENTS

NIST Special Publication 800-61 Revision 2 is used as the basis to define reportable incidents (an incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.)

See https://www.us-cert.gov/government-users/reporting-requirements for additional details and response timelines.

INCIDENT MONITORING

All information systems shall be hosted in FedRAMP accredited hosting facilities. Our team will use this plan to handle incidents (reported by Microsoft Azure Government Cloud) that impact our customers. Hosting partners must have a robust incident management plan in place (per FedRAMP requirements).

A SIEM shall be used to aggregate logs and detect potential incidents. The SIEM shall be monitored 24 X 7 for security alerts.

CAPTURED METRICS

For any reported incident, the following metrics will be tracked.

  • Detection Success - Comparison of automated system vs human detection of incidents
  • Detection to decision - Time from detection to analysis by team member
  • Decision speed - Time to remediation plan (or identification as false positive)
  • False positive rates - Ratio of false positives to actual incidents
  • Time to mitigation/containment - Time from detection to remediation

INCIDENT REPORTING
All possible incidents (customer- or system-generated) must be logged as “Issues.” Issues become incidents (and must be reported as such) if they are deemed to be REPORTABLE INCIDENTS (e.g. result in customer downtime, degraded performance, security breach, or loss of customer data).

Staff members are responsible for logging incidents into our issue-tracking system. Incidents must be reported with 2 hours of discovery. As soon as an incident is reported, senior team leaders must be informed of the incident. Senior leaders then determine based on policy if an issue is “significant” (see Incident Handling below). All Incident Reports are kept on file for a minimum period of 3 years.

CUSTOMER NOTIFICATION AND INCIDENT RESPONSE ASSISTANCE
Senior leadership is responsible for notifying affected customers of incident reports. Senior management shall use the following guidelines for notification:

  1. IT staff must validate all reported incidents to ensure that false positives and insignificant incidents are not reported to customers.
  2. Once an incident is validated as significant, senior leadership must report the incident to customers within one business day. Notification can be done via a web maintenance page for incidents that do not involve security breach or data loss. Incidents that involve security breach or data loss must be reported to the customer via email or telephone.
  3. Senior leadership is also responsible for notifying key parties within our company (e.g. technical support and senior management).
  4. The organization shall provide customers with an incident response support resource to offers advice and assistance on handling and and reporting of security incidents.

INCIDENT HANDLING

The NIST Incident Handling Checklist shall be used as the basis handling incoming incidents (Reference
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).

Once a significant incident is reported the following procedure is followed:

  1. IT staff members are assigned to resolve the incident by senior leadership.
  2. The incident is then validated and status is communicated with the customer and internal stakeholders if necessary.
  3. Staff shall work 24 X 7 until an incident is resolved.
  4. Once an issue is resolved, the incident report is closed and then filed for further analysis.

A remediation plan for low risk vulnerabilities shall be generated within 90 days of discovery.