Computer Security Incident Response Policy: A Sample


Posted on by Divya Aradhya

Case Project:
Create an organization-wide policy defining and authorizing a security or computer incident response team to have full access to and authority over all IT systems, applications, data, and physical IT assets when a security or other incident occurs. Create this for the Sunshine Credit Union.

Sunshine Credit Union – Computer Security Incident Response Policy

Policy Statement

Computer security incidents are becoming increasingly common in the credit union industry. The risks due to these incidents are financial, reputational, and legal stemming from non-compliance of the GLBA. Newer types of threats are emerging each day, and not all have them can be prevented, they all have to be handled in a manner that minimizes losses due to them. Therefore, a computer security incident response capability is necessary for proactively identifying potential threats, rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.

Purpose/Objectives

This document provides Sunshine Credit Union’s policy for responding to computer security incidents affecting the organization’s assets, infrastructure, networks, resources, users, and stakeholders.

Scope

This policy applies to all Sunshine Credit Union’s employees, contractors, vendors, and agents having access to any system that processes the organization’s information, that resides at any of the branches facility or contractor facility, having access to Sunshine Credit Union’s network, or storing of any public or non-public organization information.

This policy also applies to all IT systems operated by Sunshine Credit Union, or operated by a contractor or outside entity on behalf of the Sunshine Credit Union. In addition, this policy applies to all PII in all forms (both electronic and physical form).

Procedures

The procedures require the creation and functioning of a Computer Security Incident Response Plan, and a Computer Security Incident Response Team as defined below.

Computer Security Incident Response Plan

The Chief Information Security Officer (CISO) is responsible for ensuring the development of a Computer Security Incident Response Plan (CSIRP) that includes but is not limited to:

  • Standards for prioritizing computer security incidents
    Computer security incidents should be prioritized based on the criticality of the affected resources and the effect the incident has on Sunshine Credit Union. Expectations of response timelines should be set by priority level.
  • Organization’s computer security incident response process
    This would include-

    • Preparation – selecting tools, preparing for computer security incidents, and proactively preventing incidents
  • Detection and Analysis – computer security incident categories, signs of an incident, sources of precursors and indications, incident analysis, incident documentation, incident prioritization, and incident notification
  • Containment – containment strategy, evidence gathering and handling, identifying the attacker
  • Eradication – deleting malicious code, disabling breached user accounts
  • Recovery – restoring the system to normal operation and hardening the system to prevent similar computer security incidents
  • Post Incident Activity – lessons learned, using collected incident data, evidence retention, assessing residual risk
  • Recommendations for Improvement

Computer Security Incident Response Team

The CSIRC is provided by the Chief Information Security Office (CISO) and includes a centralized Computer Security Incident Response Team (CSIRT) that can assemble resources as needed from appropriate parts of Sunshine Credit Union. The computer security incident response team leader and backup team leader are dedicated staff whose primary purpose is to address computer security incidents.

The CSIRT is staffed by members from:

  • The information security team
  • Network and infrastructure team
  • Server admins
  • Desktop Support team
  • Disaster Recovery Coordinating team
  • Legal
  • Human Resources
  • Public Relations
  • Physical Security and Facilities team
  • Management team

The CSIRT responsibilities are a higher priority for the team members than their other operational duties. Their supervisors will ensure that they are made available in an expeditious manner. The CSIRT receives specialized training annually, including simulated events, to facilitate an effective response by personnel during crisis situations.

The responsibilities of the CSRIT include-

  • Immediately notifies the CISO, CEO, and the CFO of any computer security or PII Incident or GLBA non-compliance Incident
  • Reports computer security incidents within the time frame required by that level of incident
  • Develops and maintains procedures for computer security incident handling and reporting based on Sunshine Credit Union’s CSIRT policy.
  • Is available to respond 24 hours a day, 7 days a week, and 365 days a year.
  • Develops and maintains standards to ensure that an adequate audit trail exists to support the organization’s computer security incident handling process.
  • Develops and maintains guidelines for communicating with outside parties regarding computer security incidents, including but not limited to legal regulators, stakeholders, press, and public
  • Develops and maintains a best-practices knowledge base for resolving various computer security incidents.
  • Incorporates lessons learned from ongoing incident handling activities into the organization’s computer security incident handling process.
  • Confiscates or disconnects equipment as required to prevent additional computer security incidents or damage to the organization’s systems, and monitors suspicious activity throughout the organization.
  • Employs automated mechanisms to support the computer security incident handling process, to support the tracking of security incidents, to assist in the collection of computer security incident information, to assist in the analysis of computer security incident information, and to help with the reporting of computer security incidents.
  • Tracks and documents computer security incidents on an ongoing basis (24/7 365 days a year).
  • Develops and maintains audit trail standards and procedures.
  • The CSIRT team leader and CISO is responsible for ensuring these responsibilities are fulfilled.