Table of Contents
1. Purpose and Objective
2. Procedure – Cyber Security Incident Response
3. Guidance – Evidence Collection and submission to authorities
4. Definition
5. Who can report an incident?
6. What can be reported (not exhaustive)?
7. Whom to report?
8. When to contact local Cyber Crime Cell or Country CERT?
9. Contacts with Special Interest Groups/Vendors for Security Incident/Problem Support
10. Procedure - Learning from Incidents
11. Monthly Performance
12. Policy Review
1. Purpose and Objective:
The purpose and objective of this document is to protect your ‘jewel crowns’ (key systems) using an agreed incident response procedure to the extent that is possible based on your combined capability of people, process and technology. If you are facing an incident, the question is what capability (incident response) do we have to mitigate and thwart the attack (including the surface) without bring down the services. If you switch off or restart your system upon an attack, the attacker wins and you loose, game over!
2. Procedure – Cyber Security Incident Response:
The following steps are taken upon user reporting an incident.
- Based on the identified incident, respective incident response /action is chosen and discussed within the IT and IT security team, based on the merit of the situation.
- If the identified incident is not in the list, a problem ticket is raised – where the solution is addressed and solution proposed. This may also involve escalating it to system and security vendors. (IT may have additional processes to escalate such issues – kindly place the reference link in line with company procedures).
- Members of the management are informed of the action taken and the solution proposed. • IT/Security implements the solution.
- IT/Security documents the root cause analyis and updates the Incident response procedure if applicable. If applicable, the incident, root cause analysius and further course of action is documented and informed to all stakeholders.
| SN | Cyber Security Incident | Based on Response | Incident Procedure Steps* (Immediate Action upon Management Approval
(not exhaustive) |
Responsibility |
|---|---|---|---|---|
| 1 | Ransomware | User Reporting the incident | Look for the specific malware, disconnect the machine from the network, search for solution in the internet such as Google Search, YouTube, and anti virus,, if needed contact the anti virus vendor. If all options fail, format the hard disk and recover from the backup. | IT Support |
| 2 | Suspected or reported breach | User Reporting the incident | Change the password of the suspected logins. Communicate all users to change their passwords if the breach is for a whole system. | IT Support |
| 3 | Theft or Loss of Mobile devices carrying company information | Users Reporting Loss of mobile | Change the password to stop relay of messages, use the [secure-wipe] utility to remove the content if connection can be established. | IT Support, HR |
| 4 | Theft of Equipment from office premise | System unavailable | CCTV Logs, Visitor Entry and Exit Logs. Additional Tasks Holding people in office Registering an FIR | Administration, IT and HR |
| 5 | Theft of Information | A suspect user has to be named to facilitate successful investigate. | Incoming and Outgoing internet Traffic, Excess Usage of Bandwidth/upload, outgoing email content review, collect necessary evidence for disciplinary action. | IT Support |
| 6 | Malware Attack | Identify system | Identify system Remove the network cable Search internet, contact anti virus vendor for patch solution. Mcafee provides a support in 15minutes. Perform as recommended. | IT Support |
| 7 | Cyber Attack including DOS attack | System/s unavailable | Look for activity logs, identify external IP. Created an address object group where any suspected IP can be moved. | IT Support |
| 8 | Website defacement | User responding the incident | Collect data for cybercrime reporting Use the CERT-In form if this has to be reported in India. Else contact the abuse@ address of the website/email provider. Take a screenshot, contact the hosting provider, ask for network/system/access logs, including privilege access logs, make the website unavailable for a specific period of time. Load the content from the backup, and test the application on the test servers, run all system and application patches, run application security testing, if all is fine, then reload and host the website again. | IT Support |
Table – Incident wise Procedures
*Tasks can be in sequence or parallel as per the event
3. Guidance – Evidence Collection and submission to authorities
Depending upon the nature and scale of incidents, you may have to establish – who, what and when impact analysis.
Evidence collection would involve ensuring the accuracy of the evidence related to crime.
For technical evidences, ensure the following are recorded (not exhaustive).
- Screenshot of the systems
- Logs of the system that may include compromised systems
- CCTV footage
An exercise of internal staff is recommended to elaborate on this procedure.
4. Definition
Any potential weakness and/or event is subject of reporting. The scope of reporting therefore includes both an event and a weakness.
-
4.1. An incident is defined as any event/activity/situation against the information security policy or supporting practices. An incident can be both accidental and deliberate. It can be internal or external. It can be an event that may require a review of organizational policy/process or an existing control.
Examples include end-user events such as (but not limited to)
4.1.1. Security Controls not operational such as door not getting closed, anti-virus signatures showing old dates of updates, firewall allowing traffic despite policy controls etc.
4.1.2. Desktop/laptop – malicious activity;
4.1.3. Access control systems – non-operational or delayed response;
4.1.4. Suspected malware
4.1.5. Information leakage by insider - 4.2. A weakness in the system can also be considered a situation for reporting, and therefore can be reported by any personnel. (Logic? A weakness if not addressed may result in Security incident to take place.) A weakness can be a part of the management system, where there are no specific policy/procedure defined, and can therefore pose threat.
- 4.3. An incident can relate to any information/related infrastructure which in the opinion of the incident reporter can compromise the Confidentiality, Integrity, privacy and/or Availability of SIPL operations.
5. Who can report an incident?
Anyone! Personnel have a duty to follow the same and report any incident, which he/she feels, is a weakness area/potential area of weakness.
6. What can be reported (not exhaustive)?
Any event or weakness that can jeopardize the confidentiality, integrity and/ availability' of information assets is worthy of reporting. This can include physical controls, technology controls, personnel behaviors related to information assets, and procedural controls.
An example of each of these is give below:
- 6.1. Physical controls can cover all aspects of physical security such as weak doors, access control systems, entry and exit areas, and associated processes.
- 6.2. Technical controls can cover strengths and weakness such as password complexity (less than 6), lack of antivirus, email attachments, accidental or deliberate mass mails etc;
- 6.3. Personnel controls such as unauthorised access attempts, violation of company policy, violation of internet usage policy etc.
- 6.4. Administrative controls such as asset not identified, document classification, no documentation, no change and access definition etc.
Note that an employee can report his/her head of department/reporting manager. Alternatively one can also approach the ISMS Manager (Name) by phone, or email at security@company.com.
7. Whom to report?
- 7.1. Any violation or incident, whether intentional or accidental should be reported to the ISMS Manager/information security officer and/or Head of department using the Incident reporting Form, telephone or personal contact. It is the responsibility of the recipient to escalate the incident/weakness, assess the incident subject to his/her knowledge/expertise, ensure record keeping, and early resolution of the incident.
- 7.2. Simply an incident/weakness can be reported via an email to info.sec@moneytap.com.
8. When to contact the local Cyber Crime Cell or Country CERT?
Contact to local cyber crime cell or country CERT should be decided based on adequate information that the attack/crime is external and that requires external help.
9. Contacts with Special Interest Groups/Vendors for Security Incident/Problem Support
| SN | Agency/Supplier | Service | Vendor link |
|---|---|---|---|
| 1 | CERT IN | New Vulnerabilities, and country cyber attack reporting | CERT-In Information Desk. Email: info@cert-in.org.in Phone : 1800-11-4949 FAX : 1800-11-6969 Web : http://www.cert-in.org.in PGP Finger Print: D1F0 6048 20A9 56B9 5DAA 02A8 0798 04C3 2D85 A787 PGP Key information: http://www.cert in.org.in/contact.htm Postal address: Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, C.G.O. Complex New Delhi-110 003 |
| 2 | AWS | OEM patch updates including problem support | |
| 3 | Sophos | OEM patch updates including problem support |
10. Procedure - Learning from Incidents
- 10.1. All incident/weakness reported are recorded irrespective of the action taken.
- 10.2. The root cause of any incident/weakness that can jeopardize the CIA of the organisation will require a higher degree of incident handling, compare to non-significant ones.
- 10.3. The decision of the ISMS manager is documented for each incident as a demonstration if his/her judgment. If incidents may impact customer operations and organisation has a contractual reporting responsibility, then the ISMS manager shall follow the guideline prescribed by the respective customer.
- 10.4. The outcome of any incident can be disciplinary (in case of a deliberate attempt) or policy pr process change (in case of unknown event or where the root cause analysis) did not reveal any factual cause.
- 10.5. It is the responsibility of the ISMS Manager to ensure that the management decisions so taken are complied with the respective enforcement official.
- 10.6. ISMS Manager and the security implementation team should learn from incidents and amend the policy/procedure/practice in order to avoid/minimize such incidents taking place in the future.
11. Monthly Performance
- 11.1. Number of Incidents/weakness reported
- 11.2. Annual Cyber Security Incident response – Tabletop Exercise
12. Policy Review
This document is subject to annual review.