...

The general activities, or stages, of an effective response and improvement are described in the table below. Some must of necessity be processed serially, while others may run as concurrent activities. For example, once an event has been identified, prioritization and assessment may occur at the same time as containment in an active intrusion situation.

Stages and activities:

Identification and prioritization of the incident, and timely assessment of the situation

- Determine the scope/impact. Consider the number of users or devices affected, or the segments of the network involved. Is a single user or account involved?

- Assess the severity. What is the sensitivity of the data involved? What is the criticality of the service, system, or application? What is the potential for damage or liability? Is there potential for harm?

- Assess the urgency of the event. Is it an active problem, threat, or event in progress? Was the problem discovered after the fact? Is the intrusion "dormant" or completed? Does this involve use of an account rather than a system? Does this involve the safety or privacy of individuals?

Containment of the event

- Does the system need to be removed from the network? Does active memory need to be imaged or captured?

- Are there user accounts or system-level accounts that need to be disabled or changed? Are there sessions that need to be dropped?

Investigation of what occurred and how (includes "root cause" analysis)

- An incident tracking record needs to be created. If deemed necessary, due to the scope, seriousness, or complexity of the incident, an incident notes log should also be created.

- Gathering and preserving relevant information should be conducted by trained security personnel.

- Evaluation of the evidence commences. It may be a "forensic" caliber assessment or a less comprehensive analysis, depending on the type of incident and your institution's policies. Decisions about the appropriate resolution and response should be discussed with decision makers and key stakeholders.

Response (effect)

- Eradication of the problem, and the associated changes to the system, need to be applied. This includes technical actions such as operating system and application software installs, new or changed firewall rules, custom configurations applied, databases created, backup data restored, and accounts created with access controls applied.

- Recovery to a fully operational state always follows appropriate testing or assurance of system integrity and stability. Effective customer service includes regular communications with stakeholders, who may be anxious for recovery.

- Outcomes, including possible sanctions, should be determined. Sanctions, if deemed appropriate to the response, may be internal, such as disciplinary action, or external, such as referral to law enforcement.

Follow-up (improvements)

- After-incident debriefing. It is important to review the process, and how it could have gone better, after an incident is closed. This is especially valuable for new types of incidents and for particularly severe or costly incidents.

- Consider policy and process changes. Were any procedures missing, communications unclear, or stakeholders not appropriately considered? Did the technical staff have appropriate resources (information as well as equipment) to perform the analysis and/or the recovery?

- Consider control improvements leading to prevention. What can we do to ensure this does not happen again? What improvements can we implement to make our response and recovery more timely?

Response to information security incidents

...

The following lists are from Table 3.1 of the NIST Computer Security Incident Handling Guide.

Incident Handler Communications and Facilities:

...

Standards

ISO:
  27002:2013 Information Security Management, Chapter 16: Information Security Incident Management

NIST:
  800-53: Recommended Security Controls for Federal Information Systems and Organizations
  800-61: Computer Security Incident Handling Guide
  800-83: Guide to Malware Incident Prevention and Handling
  800-86: Guide to Integrating Forensic Techniques into Incident Response
  800-94: Guide to Intrusion Detection and Prevention Systems Rev 1

COBIT:
  APO11.06, APO12.06, APO11.06, BAI01.10, BAI01.13, DSS02.07, DSS04.03, DSS04.05

PCI DSS:
  Req 11, Req 12

2014 Cybersecurity Framework:
  PR.IP-8, PR.IP-9, DE.AE-2, DE.DP-4, DE.DP-5

HIPAA Security:
  45 CFR 164.308(a)(6)

Information Security Incident Management

...