A cyber security incident refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.
The CIR Plan is required to bring the needed resources together in an organised manner to deal with an adverse event related to the safety and security of the organisation’s information assets and the securing of Personally Identifiable Information (PII).
This adverse event may be a malicious code attack, unauthorised access to the organisation’s systems, unauthorised use of the organisation’s services, general misuse of systems, or a failure to secure PII.
Refer to “Cyber Security Threats” in BCMPedia for a complete list of cyber security threats.
This CIR Plan contains references to the processes necessary for dealing with security incidents and/or resource abuses from any source connected to or transmitting information using the organisation’s information technology resources or information assets.
This CIR Plan is meant to provide the organisation with a systematic approach for handling the discovery of, and response to, an abuse or security incident.
Regardless of the criticality of the incident, all steps outlined in this program must be followed, and the process is developed to achieve the following goals:
To remain an effective Incident Response program, the Plan must be kept current. It must reflect organisational and/or infrastructure changes and newly discovered vulnerabilities as they occur. This document must be reviewed annually by the __________.
This process applies to all users (including but not limited to ___________) while using the organisation’s information systems resources. All users must be advised of this plan and comply with this process.
Contact information for personnel assigned to each specific role and responsibility described below is available in _________.
All users of the organisation’s information assets, system administrators, information systems support personnel, and security support personnel must understand their role concerning this process and comply with its requirements.
The Chief Information Officer (CIO) or his designee is responsible for maintaining and overseeing the CIR process and assigning members to the Cyber Security Incident Response Team (CIRT) appropriate to the cyber security event.
Cyber Security Incident Roles and Responsibilities
Role | Description
Roles and Responsibilities of Employees
Refer to Chapters 5.6.1 and 5.6.2 for Roles and Responsibilities that can be included in the table.
Should it become necessary during incident response and recovery, the procurement for monitoring services, call centre, or computer forensics vendors shall be at the discretion of the ______ and CIO.
Although incidents occur in many ways, this plan focuses on the procedures to handle incidents that use the following common attack vectors:
Refer to Appendix 13 to see the various cyber security threats that can be addressed using this template.
Knowing how to respond to an incident BEFORE it occurs can save valuable time and effort in the long run. The Cyber Security Team performs various activities, including identity scans, Cyber Security Advisory Team meetings, and regular security awareness training.
Cyber Security Advisory Team: The CSAT includes the members of the core Cyber Security Incident Response Team (CIRT). CSAT meets _____________ to discuss security matters that include:
The CIRT cannot rely solely on, or react solely to, the initial reports of a security incident, because computer users rarely provide accurate problem descriptions. Logs typically include numerous false positives. Also, identifying the criticality of an incident is difficult if one is unfamiliar with the system. The criticality of any incident can be modified after analysis. The CIRT and IT administrators:
Most information asset users are probably unaware that there is a security team that monitors the system and network devices and log files that would assist in any investigation of a security incident. Observing one of the following events alone is inconclusive; however, a combination of these activities can represent a security event and should be investigated.
The most likely data breach scenario will involve employees with access to sensitive data and bad habits, e.g. browsing insecure sites, clicking on phishing email links, using weak passwords, or not thinking much about good security practices.
The detection or discovery of incidents involving sensitive information typically involves systems categorised as having a ______ impact on the organisation, or holding regulatory compliance data, and requires a different response and incident notification process.
The CIRT is typically notified by (1) ______________________ or (2) ___________________. All information asset users should report suspect events to the _________________ who/which will gather the necessary information to appropriately record the security event. The contact number for reporting a cyber security incident is _________.
Incident Response Process: Minimising the potential loss of sensitive data is paramount. The Incident Response process must be initiated as soon as possible, or critical information could be lost or destroyed before the CIRT can review it.
Incident Prioritisation: Incidents are prioritised based on the following relevant factors:
The current or future impact of an incident on the organisation’s ability to conduct business
Category | Definition
None | No effect on the organisation’s ability to provide all services to all users.
Low | Limited effect; the organisation can still provide all critical services to all users but has lost efficiency.
Moderate | Serious effect; the organisation has lost the ability to provide a critical service to a subset of system users.
High | Catastrophic effect; the organisation can no longer provide critical services to users.
An incident may affect the confidentiality, integrity and/or availability of the organisation’s information. The CIRT must consider how information exfiltration could impact the organisation.
Category | Definition
None | No information was exfiltrated, changed, deleted, or otherwise compromised.
Privacy Breach | Sensitive, personally identifiable information of taxpayers, employees, beneficiaries, etc., was accessed or exfiltrated.
Proprietary Breach | Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated.
Integrity Loss | Sensitive or proprietary information was changed or deleted.
The size of the incident, and the effort and resources required to return to full operation, should also be considered:
Category | Definition
Regular | Time to recovery is predictable with existing resources.
Supplemented | Time to recovery is predictable with additional resources.
Extended | Time to recovery is unpredictable; additional resources and outside help are needed.
Not Recoverable | Recovery from the incident is not possible (e.g. sensitive data exfiltrated and posted publicly); launch an investigation.
Incidents Involving Moderate and High-Categorised Systems: a suspected compromise of any system must be reported immediately to _______. The suspected system should not be rebooted, disconnected, or otherwise altered unless directed by a member of the CIRT.
Any compromised system that stores, processes, or transmits sensitive information must be reported immediately to the CIO or CIRT. Systems classified as Moderate or High may contain restricted information that includes PII, _________ and ___________. A system classified as Moderate or High may be business critical from a service availability perspective rather than an information classification perspective, and it requires the same response.
Containment: most incidents require containment before the incident overwhelms resources or increases damage. Containment provides time for developing the appropriate remediation and making the best decision for the situation.
The containment strategy varies based on the type of incident (e.g. shut down a system, disconnect it from a network, or disable certain functions). For example, the strategy for containing an email-borne malware infection differs from that of a network-based DDoS attack. Criteria for determining the appropriate strategy include:
Sometimes, the attack may be put into a sandbox to collect additional information. Use caution when using sandboxes; some attacks may cause additional damage when they are contained.
Restoring a system to its normal business status is essential. Once a restore or recovery has been performed, it is important to verify that the restore operation was successful, that the system is back to its normal condition, or that the breached data has been contained.
Eradication: After containing the incident, every effort must be made to eliminate the threat and prevent it from causing further damage. During eradication, it is vital to identify all affected hosts so they can be remediated. Disable breached user accounts, identify and mitigate all exploited vulnerabilities, delete all malware, etc. Clean and reformat all the infected media and ensure the most current anti-virus software is installed and operating. When making backups, ensure they are clean. For some incidents, eradication is unnecessary or may be performed during recovery.
Recovery: The CIRT should verify that system administrators have restored normal operation and confirm that the systems are functioning normally and the vulnerability no longer exists. Once a resource is successfully attacked, it is often attacked again, or other resources within the organisation are attacked similarly. The incident may call for increased system logging or network monitoring.
Documentation: The primary reason for gathering evidence during an incident is to resolve it, but the evidence may also be needed for a legal process. When forensics are performed, document the incident and remediation clearly, with the understanding that any evidence may be admissible in court. Incident documentation should be accounted for at all times, and a log should be kept whenever it is transferred from organisation employees to law enforcement officials.
After determining whether an incident has occurred, and if so of what kind, the CIRT can take the appropriate actions. The CIRT will consider how difficult it is to contain the incident and how fast it spreads. When an incident has been analysed and prioritised, the incident response team must notify the appropriate individuals.
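The transfer log described in the Documentation step can be kept as a simple chain-of-custody ledger that seals each evidence item with a hash at collection time and refuses to record a hand-over if the item no longer matches that seal. This is an added illustration, not part of the CIR Plan template; the class and function names and the sample log line are constructed for the example.

```python
"""Chain-of-custody ledger for incident evidence (illustrative, hypothetical names)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Return the hex SHA-256 of the evidence bytes; this is the integrity seal."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only record of every hand-over of one evidence item."""

    def __init__(self, evidence_id: str, data: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.seal = sha256_of(data)  # hash taken once, at collection time
        self.entries = [self._entry("collected", collected_by, collected_by, self.seal)]

    @staticmethod
    def _entry(action: str, released_by: str, received_by: str, observed: str) -> dict:
        return {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "released_by": released_by,
            "received_by": received_by,
            "sha256": observed,
        }

    def transfer(self, data: bytes, released_by: str, received_by: str) -> bool:
        """Record a hand-over; log it as REJECTED if the item no longer matches its seal."""
        observed = sha256_of(data)
        intact = observed == self.seal
        self.entries.append(self._entry("transfer" if intact else "REJECTED",
                                        released_by, received_by, observed))
        return intact

    def to_json(self) -> str:
        """Serialise the ledger so it can be filed with the incident report."""
        return json.dumps({"evidence_id": self.evidence_id, "seal": self.seal,
                           "entries": self.entries}, indent=2)


# Constructed sample: a captured log fragment standing in for an evidence file.
SAMPLE_EVIDENCE = b"2023-05-01T02:14:07Z auth.log: failed login for 'admin' from 198.51.100.23\n"


def demo():
    ledger = CustodyLedger("EV-0001", SAMPLE_EVIDENCE, "analyst.a")
    ok_internal = ledger.transfer(SAMPLE_EVIDENCE, "analyst.a", "cirt.lead")
    ok_external = ledger.transfer(SAMPLE_EVIDENCE + b"x", "cirt.lead", "law.enforcement")
    return ok_internal, ok_external, ledger
```

The second hand-over in `demo()` uses a modified copy of the evidence, so the ledger records it as REJECTED rather than silently passing on altered material.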
The exact reporting requirements will vary depending on the incident and determination by the CIR Team. The following personnel must be notified of all cyber security incidents:
At the discretion of the Chief Information Security Officer, the following personnel will be notified based on the severity and potential impact of the security incident:
At the discretion of the Chief Information Officer, the following will be notified based on the severity and potential impact of the cyber security incident:
Internal Reporting: At the discretion of the CISO, a more detailed incident report may be requested. The system user or owner should contact ________ for guidance. Answers to the following questions should be included in this report:
A copy of any cyber security incident report shall be forwarded to the CISO for review, storage and reporting. Incident reports must be disseminated to the CIO and parties involved, and the support personnel.
Performing follow-up activity helps the organisation improve its incident-handling processes and aids in the continuing support of any efforts to prosecute those who have broken the law or abused any of the organisation’s information technology resources. Follow-up actions include the following:
Every effort should be made to complete the follow-up documentation within 90 days of closing an incident to ensure continuous improvement to the CIR Plan.
Lessons-Learned Meeting: The Cyber Security Advisory Team should hold a “lessons learned” meeting with all involved parties after a major incident and, optionally, periodically after lesser incidents as resources permit. This meeting provides a chance to review what occurred, what was done to intervene, and how well the intervention worked. Performing follow-up activity is one of the most critical activities in the response procedure, and it can support any efforts to prosecute those who have broken the law.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 25 Appendix 15: CIR Plan Template
Note: This version is the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.