CIR Plan Development
Plan Template
1.1 Executive Summary
A cyber security incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
Incidents can include but are not limited to unauthorised access, malicious code, network probes and denial of service attacks. Refer to BCMPedia Cyber Security for a glossary of terms.
The CIR Plan is required to bring needed resources together in an organised manner to deal with an adverse event related to the safety and security of the organisation’s information assets and the securing of Personal Identifiable Information (PII).
This adverse event may be a malicious code attack, unauthorised access to the organisation’s systems, unauthorised use of the organisation’s services, general misuse of systems and failure to secure PII.
Refer to “Cyber Security Threats” in BCMPedia for a complete list of cyber security threats.
This CIR Plan contains references to the processes necessary for dealing with security incidents and/or resource abuses from any source connected to or transmitting information using the organisation’s information technology resources or information assets.
1.2 Goal
This CIR Plan is meant to provide the organisation with a systematic approach for handling the discovery of and response to abuse or security incident.
Regardless of the criticality of the incident, all steps outlined in this program must be followed, and the process is developed to achieve the following goals:
- Minimise disruptions to business functions and network operations to confirm whether an incident or abuse has occurred;
- Promote the accumulation of accurate information;
- Establish controls for proper retrieval and handling of evidence;
- Allow for legal (to include criminal and/or civil) actions against perpetrators; and
- Provide accurate reports and valuable recommendations.
The Plan should be kept current to be a successful Incident Response program. It must reflect the organisational and/or infrastructure changes and newly discovered vulnerabilities as they occur. This document must be reviewed annually by the __________.
1.3 Scope
This process applies to all users (including but not limited to ___________) while using the organisation’s information systems resources. All users must be advised of this plan and comply with this process.
1.4 Roles and Responsibilities
Contact Information
Contact information for personnel assigned to each specific role and responsibility described below is available in _________.
Responsibilities
All users of the organisation’s information assets, system administrators, information systems support personnel, and security support personnel must understand their role concerning this process and comply with its requirements.
The Chief Information Officer (CIO) or his designee is responsible for maintaining and overseeing the CIR process and assigning members to the Cyber Security Incident Response Team (CIRT) appropriate to the cyber security event.
Cyber Security Incident Roles and Responsibilities
Role | Description
Roles and Responsibilities of Employees
Refer to Chapters 5.6.1 and 5.6.2 for Roles and Responsibilities that can be included in the table.
1.5 Procurement of Resources
Should it become necessary during incident response and recovery, the procurement for monitoring services, call centre, or computer forensics vendors shall be at the discretion of the ______ and CIO.
1.6 Stages of Response
Although incidents occur in many ways, this plan focuses on the procedures to handle incidents that use the following common attack vectors:
- External/Removable Media – an attack executed from removable media (e.g. flash drive, CD) or a peripheral device;
- Attrition – an attack that uses brute force methods to compromise, degrade or destroy systems, networks or services;
- Web – an attack executed from a website or web-based application;
- Email – an attack executed via an email message or attachment;
- Improper Usage – any incident resulting from the violation of organisation policy by an authorised user;
- Loss or Theft of Equipment – the loss or theft of a computing device or media used by the organisation, such as a laptop or smartphone; and
- Other – an attack that does not fit into any of the other categories.
Refer to Appendix 13 to see the various cyber security threats that can be addressed using this template.
Stage One: Preparation
Knowing how to respond to an incident BEFORE it occurs can save valuable time and effort in the long run. The Cyber Security Team performs various activities, including identity scans, Cyber Security Advisory Team meetings, and regular security awareness training.
Cyber Security Advisory Team: The CSAT includes the members of the core Cyber Security Incident Response Team (CIRT). CSAT meets _____________ to discuss security matters that include:
- System and information risks;
- Sensitive information discovery and risk assessment and management, including the removal, reduction and/or archiving of sensitive information in departments;
- Information ownership and access to sensitive information;
- Account life cycle and personnel security;
- Confidentiality, integrity and availability of information and enforcement of access least privileges;
- Organisation policy and implementation of best practices;
- Media protection and sanitisation;
- Storage policy; and
- Training.
The CIRT cannot rely solely on the initial reports of a security incident, because computer users rarely provide accurate problem descriptions, and logs typically include numerous false positives. Also, identifying the criticality of an incident is difficult if one is unfamiliar with the system, so the criticality of any incident can be modified after analysis. The CIRT and IT administrators:
- Profile networks and systems. The CIRT understands typical systems and network behaviour so that abnormal behaviour can be easily recognised. The CIRT monitors and measures the characteristics of expected activity so that system and network anomalies can be more easily identified;
- Establish and maintain a systems log policy;
- Maintain and use a Knowledge Base of Information;
- Ensure all host clocks are synchronised so that event correlation is meaningful;
- Perform event correlation analysis across systems and network devices, including:
- Unsuccessful logon attempts;
- Unexplained system crashes;
- Unexplained poor system performance;
- Port scanning (use of exploit and vulnerability scanners, remote requests for information about systems and/or users, or social engineering attempts);
- Unusual usage times (statistically, more security incidents occur during non-working hours than any other time);
- An indicated last time of usage of an account that does not correspond to the actual last time of usage for that account; and
- Filter out categories of insignificant data so that the most suspicious and relevant activity is investigated.
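The event correlation steps above (synchronised clocks, failed logon attempts across systems, unusual usage times, filtering out insignificant data) as an added Python example; this is not code from the template or from BCMPedia. The log format, the 08:00–18:00 weekday working hours and the burst threshold are assumptions, and the log lines are constructed.

```python
"""Event correlation over constructed auth logs. Assumes hosts share a
synchronised clock and that working hours are 08:00-18:00 on weekdays."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-04T09:02:11 web01 AUTH_FAIL user=jsmith src=10.0.5.20
2024-03-04T09:02:15 web01 AUTH_FAIL user=jsmith src=10.0.5.20
2024-03-04T09:02:40 web01 AUTH_OK user=jsmith src=10.0.5.20
2024-03-04T10:15:00 web01 CRON started job=logrotate
2024-03-05T02:10:03 db01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-05T02:10:05 fs01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-05T02:10:08 web01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-05T02:10:09 mail01 AUTH_FAIL user=svc_backup src=203.0.113.7
2024-03-05T02:10:31 db01 AUTH_OK user=svc_backup src=203.0.113.7
"""

WORK_START, WORK_END = 8, 18                      # assumed local working hours
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)  # burst: >=3 failures in 5 min


def parse_line(line):
    """Return (timestamp, host, event, fields), or None for non-auth noise.
    Dropping insignificant categories first keeps the correlation focused."""
    ts, host, event, *kv = line.split()
    if not event.startswith("AUTH_"):
        return None
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), host, event, fields


def correlate(log_text):
    """Correlate auth events across hosts; return {user: sorted indicators}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    indicators = defaultdict(set)
    failures = defaultdict(list)                  # user -> [(timestamp, host)]
    for ts, host, event, fields in events:
        user = fields["user"]
        # Unusual usage times: activity outside working hours or at weekends.
        if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
            indicators[user].add("off-hours activity")
        if event == "AUTH_FAIL":
            failures[user].append((ts, host))
    for user, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            hosts = [h for t, h in fails[i:] if t - start <= WINDOW]
            if len(hosts) >= FAIL_THRESHOLD:
                indicators[user].add("failed-logon burst")
                if len(set(hosts)) > 1:           # one account failing on many hosts
                    indicators[user].add("failures span multiple hosts")
                break
    return {user: sorted(found) for user, found in indicators.items()}


def to_investigate(indicators, minimum=2):
    """One indicator alone is inconclusive; escalate accounts tripping several."""
    return sorted(u for u, found in indicators.items() if len(found) >= minimum)


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    print(found)
    print("investigate:", to_investigate(found))
```

Two failures during working hours (jsmith) produce no indicator, while the cross-host burst at 02:10 (svc_backup) trips three at once and is escalated.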
Stage Two: Incident Discovery/ Detection
Most information asset users are probably unaware that a security team monitors the system and network devices and log files that would assist in any investigation of a security incident. Observing any one of the activities listed above is inconclusive on its own; a combination of them, however, can represent a security event and should be investigated.
The most likely data breach scenario will involve employees with access to sensitive data and bad habits, e.g. browsing insecure sites, clicking on phishing email links, using weak passwords, or not thinking much about good security practices.
The detection or discovery of incidents involving sensitive information users, systems categorised as having a ______ impact on the organisation, or regulatory compliance data requires a different response and incident notification process.
Stage Three: Triage and Analysis
The CIRT is typically notified by (1) ______________________ or (2) ___________________. All information asset users should report suspect events to the _________________ who/which will gather the necessary information to appropriately record the security event. The contact number for reporting a cyber security incident is _________.
Incident Response Process: Minimising the potential loss of sensitive data is paramount. The Incident Response process must be initiated as soon as possible, or critical information could be lost or destroyed before the CIRT can review it.
Incident Prioritisation: Incidents are prioritised based on the following relevant factors:
Functional Impact
The current or future impact of an incident on the organisation’s ability to conduct business
Categorisation for Functional Impact
Category | Definition
None | No effect on the organisation’s ability to provide all services to all users.
Low | Limited effect; the organisation can still provide all critical services to all users but has lost efficiency.
Moderate | Serious effect; the organisation has lost the ability to provide a critical service to a subset of system users.
High | Catastrophic effect; the organisation can no longer provide critical services to users.
Informational Impact
An incident may affect the confidentiality, integrity and/or availability of the organisation’s information. The CIRT must consider how information exfiltration could impact the organisation.
Categorisation for Informational Impact
Category | Definition
None | No information was exfiltrated, changed, deleted, or otherwise compromised.
Privacy Breach | Sensitive, personally identifiable information of taxpayers, employees, beneficiaries, etc., was accessed or exfiltrated.
Proprietary Breach | Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated.
Integrity Loss | Sensitive or proprietary information was changed or deleted.
Recoverability Impact
The size of the incident and the effort and resources required to return to full operation should also be considered:
Categorisation for Recoverability Impact
Category | Definition
Regular | Time to recovery is predictable with existing resources.
Supplemented | Time to recovery is predictable with additional resources.
Extended | Time to recovery is unpredictable; additional resources and outside help are needed.
Not Recoverable | Recovery from the incident is not possible (e.g. sensitive data exfiltrated and posted publicly); launch an investigation.
Incidents Involving Moderate and High-Categorised Systems: a suspected compromise of any system must be reported immediately to _______. The suspected system should not be rebooted, disconnected, or otherwise altered unless directed by a member of the CIRT.
Any compromised system that stores, processes, or transmits sensitive information must be reported immediately to the CIO or CIRT. Systems classified as Moderate or High may contain restricted information that includes PII,_________ and ___________. Any system classified as Moderate or High may be business critical from a service availability perspective versus an information classification perspective and require the same response.
Stage Four: Containment, Eradication and Recovery
Containment: most incidents require containment before the incident overwhelms resources or increases damage. Containment provides time for developing the appropriate remediation and making the best decision for the situation.
The containment strategy varies based on the type of incident (e.g. shut down a system, disconnect it from a network, or disable certain functions). For example, the strategy for containing an email-borne malware infection differs from that of a network-based DDoS attack. Criteria for determining the appropriate strategy include:
- Potential damage to and theft of resources;
- Need for evidence preservation;
- Service availability (e.g. network connectivity, services provided to external parties);
- Time and resources needed to implement the strategy;
- Effectiveness of the strategy (e.g. partial containment, full containment); and
- Duration of the solution (e.g. emergency workaround to be removed in four hours, temporary workaround removed in two weeks, or permanent solution).
Sometimes, the attack may be put into a sandbox to collect additional information. Use caution when using sandboxes; some attacks may cause additional damage when they are contained.
Restoring a system to its normal business status is essential. Once a restore or recovery has been performed, it is important to verify that the restore operation was successful, that the system is back to its normal condition, or that the breached data has been contained.
- A computer forensic examination of all data loss shall be conducted to determine all possible external electronic storage locations;
- This computer forensic examination shall also verify whether the breached data has been disseminated to any other known or unknown external electronic location;
- The Incident Lead shall document all ongoing events, all people involved, and all discoveries in a timeline for evidentiary use;
- Determine whether the external notification process shall be activated;
- To determine whether breach notification is required, assess the likely risk of harm caused by the breach and then the level of that risk; and
- Consider a wide range of harm, such as harm to reputation and the potential for harassment or prejudice, particularly when health or financial benefits information is involved in the breach.
Removing the cause of the incident can be a complicated process. It can involve virus removal, the conviction of perpetrators or dismissing employees.
Eradication: After containing the incident, every effort must be made to eliminate the threat and prevent it from causing further damage. During eradication, it is vital to identify all affected hosts so they can be remediated. Disable breached user accounts, identify and mitigate all exploited vulnerabilities, delete all malware, etc. Clean and reformat all the infected media and ensure the most current anti-virus software is installed and operating. When making backups, ensure they are clean. For some incidents, eradication is unnecessary or may be performed during recovery.
Recovery: The CIRT should verify that system administrators have restored normal operation and confirm that the systems are functioning normally and the vulnerability no longer exists. Once a resource is successfully attacked, it is often attacked again, or other resources within the organisation are attacked similarly. The incident may call for increased system logging or network monitoring.
Documentation: The primary reason for gathering evidence during an incident is to resolve it, but it may also be needed for a legal process. When forensics are performed, clearly document the incident and remediation accordingly, and with the understanding that any evidence can be admissible in court. Incident documentation should be accounted for at all times, and a log should be kept when transferred from organisation employees to law enforcement officials.
Stage Five: Initial Notification
Once the CIRT has determined whether an incident has occurred, it can take the appropriate actions, considering how difficult the incident is to contain and how fast it spreads. When an incident has been analysed and prioritised, the incident response team must notify the appropriate individuals.
The exact reporting requirements will vary depending on the incident and determination by the CIR Team. The following personnel must be notified of all cyber security incidents:
- The CIO, who, depending on the nature of the security breach and at his/her discretion, must be notified either verbally or in writing; and
- The Chief Information Security Officer.
At the discretion of the Chief Information Security Officer, the following personnel will be notified based on the severity and potential impact of the security incident:
- Cyber Security Incident Response Team(s);
- Cyber Security Advisory Team;
- Organisation’s Executive Leadership Team;
- External incident response teams (if appropriate); and
- System Owner and/or functional Security Liaison.
At the discretion of the Chief Information Officer, the following will be notified based on the severity and potential impact of the cyber security incident:
- Executive Management;
- Human resources;
- Public Affairs;
- Legal Department; and
- Law enforcement.
Internal Reporting: At the discretion of the CISO, a more detailed incident report may be requested. The system user or owner should contact ________ for guidance. Answers to the following questions should be included in this report:
- Did the incident disrupt ongoing operations?
- Was any data irrecoverably lost, and if so, what was the value of the data?
- Was any hardware damaged?
- Was there unauthorised access to information classified as Moderate?
- What is the estimated cost of the loss?
A copy of any cyber security incident report shall be forwarded to the CISO for review, storage and reporting. Incident reports must be disseminated to the CIO, the parties involved and the support personnel.
Stage Six: Follow-Up
Performing follow-up activity helps the organisation improve its incident-handling processes and aids in the continuing support of any efforts to prosecute those who have broken the law or abused any of the organisation’s information technology resources. Follow-up actions include the following:
- Define the “lessons learned.”
- Analyse what has transpired and what was done to intervene:
- Was there sufficient preparation to prevent the incident?
- Did detection occur promptly? If not, why?
- Could additional tools have helped the detection and recovery process?
- Was the incident sufficiently contained?
- Was communication adequate, or could it have been better?
- What practical difficulties were encountered?
Every effort should be made to complete the follow-up documentation within 90 days of closing an incident to ensure continuous improvement to the CIR Plan.
Lessons-Learned Meeting: The Cyber Security Advisory Team should hold a “lessons learned” meeting with all involved parties after a major incident and, optionally, periodically after lesser incidents as resources permit. This meeting provides a chance to review what has occurred, what was done to intervene, and how well the intervention worked. Follow-up activity is one of the most critical activities in the response procedure and can support any efforts to prosecute those who have broken the law.
- This includes, but is not limited to, changing policies as appropriate. After an incident is resolved, all incidents that have reached a severity level of _____ or higher will be reviewed by the CIRT and CISO, and a final incident report will be compiled to ensure that all existing processes were followed and were adequate.
- Schedule a lessons-learned meeting to discuss any identified improvements to the response plan and the processes to the response that worked well during the incident
- Determine if other external services, such as law enforcement, insurance company, or cyber vendors, should be considered to assist with future cyber breaches and incidents
- What is the estimated financial impact on the organisation?
- Will this affect the organisation’s image or public trust negatively?
- Maintain a logbook of events and develop an investigation report. The investigation report shall include, describe and answer the following:
- The description of the data lost, including the amount and its sensitivity or classification level;
- For cyber security incidents, the nature of the cyber security threat;
- Nature and number of persons affected;
- Likelihood data is accessible and usable by unauthorised personnel or cyber criminals;
- Likelihood the data was intentionally targeted;
- Evidence that the compromised data is being used to commit identity theft;
- Strength and effectiveness of security technologies protecting data;
- Likelihood the breach may lead to harm, and the type of harm. Such harm may include breach of confidentiality or fiduciary responsibility, blackmail, disclosure of private facts, mental pain and emotional distress, disclosure of address information for victims of abuse, and the potential for secondary uses of the information that could result in fear or uncertainty; and
- Ability to mitigate the risk of harm. (Dinkins, 2017)
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 25 Appendix 15: CIR Plan Template
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.