Monday, July 16, 2007

Information Security Policy 101 – Incident Management Policy



Part 8 in the Information Security Policy 101 Series

Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank, and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.

Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, i.e. social security numbers, credit card numbers, other personally identifiable (PII) data, etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, i.e. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.

Bill shouldn’t have to worry about how to respond to such an incident.

All companies large and small should have an incident management program. What the program looks like and how it is run will differ from company to company as expected, but they all start with policy.

NOTE: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically, the Incident Management Policy applies to all individuals in an organization. The policy is meant to be referred to by personnel charged with incident response.

SAMPLE:
Audience
The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Incident Management Policy
The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.

NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).

SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:

- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT)
- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties

Conclusion
Do yourself a favor and create an incident management program. The incident management program does not need to be complicated or account for every possible scenario that could occur. Supporting procedures can be written to be flexible enough to apply to most conceivable incidents. Incidents WILL occur, so be prepared!

Download the SAMPLE INCIDENT MANAGEMENT POLICY.

Next in the series: “Information Security Policy 101 – Network Configuration Policy”

Previous: “Information Security Policy 101 – Data Classification Policy”
