6. OPERATIONAL CONTROLS
6.4 Incident Response (IR)
An incident is a violation or imminent threat of violation of information security policies, acceptable use policies, or standard computer security practices. Incidents may result from intentional or unintentional actions. Incident response refers to the actions taken in reaction to the occurrence of an incident. Incidents can severely disrupt computer-supported operations, compromise the confidentiality of sensitive information, and diminish the integrity of critical data. To help combat the disruptive short- and long-term effects of security incidents, each government agency is required to implement and maintain a security incident reporting and handling capability.
Incident response plans provide clear instructions to individual users on the proper response to events such as malicious software, denial of service attacks, viruses, and unauthorized access.
These procedures are designed to limit the impact of the incident and to recover sufficient information to assist in follow-up investigations.
Policy: OPM shall:
• Establish an operational incident handling capability for OPM information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
• Report all suspected incidents to the OPM Situation Room (SitRoom) at 202-418-0111/202-418-0111 STU. SitRoom personnel shall initiate a Remedy Ticket and notify appropriate parties.
• The OPM Computer Incident Response Team (CIRT) shall report incidents to the United States Computer Emergency Readiness Team (US-CERT), in accordance with the OPM Incident Response and Reporting Guide. Components shall not send incident reports directly to US-CERT.
6.4.1 Incident Response Policy and Procedures (IR-1)
The policies under this family are implemented with the OPM Incident Response Procedures.
Operational Incident Response procedures may be developed by program offices and operational groups where necessary, but must include reporting to the OPM Situation Room (SitRoom) for all incidents. Incident response procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.
6.4.2 Incident Response Training (IR-2)
Quickly responding to incidents provides a mechanism for controlling the impact of the incident on the information systems; therefore, individuals must understand their incident response responsibilities and the actions they should take if an incident is suspected. To accomplish this, individuals require training in incident detection and response. Incident response training includes user training in the identification and reporting of suspicious activities from both external and internal sources.
The Chief Information Security Officer (CISO), Program Supervisors, Information System Security Officer (ISSO), and Designated Security Officer (DSO) shall:
• Train personnel in their incident response roles and responsibilities with respect to the information system; and
• Provide refresher training at least annually.
OPM shall incorporate simulated events into incident response training by using automated mechanisms to provide a more thorough and realistic training environment and facilitate effective response by personnel in crisis situations. (High)
6.4.3 Incident Response Testing and Exercises (IR-3)
Determining the effectiveness and weaknesses of OPM’s Incident Response capability, and improving on that capability, requires that tests and exercises be performed in a controlled manner and the results analyzed.
The CISO, System Owner (SO), ISSO, and DSO shall test and/or exercise the incident response capability for the information system at least annually, using scenario-based exercises to determine the effectiveness of the incident response, and shall document the results. (Moderate and High) OPM shall employ automated mechanisms to more thoroughly and effectively test/exercise the incident response capability. (High)
6.4.4 Incident Handling (IR-4)
In order to protect information assets, OPM’s security incident handling capability must provide the necessary steps for security incident detection and resolution.
The CISO shall ensure:
• An incident handling capability for security incidents is implemented that includes preparation, detection and analysis, containment, eradication, and recovery;
• Incident handling activities are coordinated with contingency planning activities; and
• Lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing/exercises, and the resulting changes are implemented accordingly.
Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.
OPM shall employ automated mechanisms to support the incident handling process. (Moderate and High)
6.4.5 Incident Monitoring (IR-5)
In order to protect information systems it is necessary to monitor for incidents on an ongoing basis, as information assets are susceptible at any time to either intentional or unintentional damaging incidents.
The CISO, SO, ISSO, and DSO shall provide a process to track and document information system security incidents. Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling.
OPM shall employ automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. (Moderate and High)
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.
6.4.6 Incident Reporting (IR-6)
The timely reporting of incidents or suspected incidents assists in incident containment, impact assessment, and mitigation. This includes reporting incidents dealing with Personally Identifiable Information (PII). A PII incident involves a suspected or confirmed breach in the protection of personally identifiable information in electronic or physical form.
All OPM personnel and contractors shall immediately (no more than 30 minutes after becoming aware of the incident) report suspected security incidents to the OPM Situation Room (SitRoom) (202-418-0111) in accordance with OPM’s Incident Response and Reporting Guide.
In addition, all OPM personnel and contractors must promptly report any actual or suspected breaches of PII to the OPM SitRoom in accordance with the reporting procedures on the Privacy (PII) Web pages on the OPM intranet.
OPM's Computer Incident Response Team (CIRT) shall report security incident information to designated authorities within and outside of OPM in accordance with the United States Computer Emergency Readiness Team (US-CERT) guidelines.
OPM shall employ automated mechanisms to assist in the reporting of security incidents. (Moderate and High)
Network- and host-based intrusion detection systems (IDS) and other system monitoring tools can be used to provide automated detection of incidents and to send alerts to appropriate security personnel. The OPM CIRT may use automated tools, such as centralized service desk ticketing tools, to track and report possible security incidents.
Reference the OPM Incident Response and Reporting Guide for detailed information.
6.4.7 Incident Response Assistance (IR-7)
Since the handling of security incidents is not a primary duty of information system users, system users should have access to assistance in responding to incidents from staff whose responsibilities include security incident response.
OPM shall provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Possible implementations of incident response support resources include a help desk or an assistance group and, when required, access to forensics services.
OPM shall employ automated mechanisms to increase the availability of incident response-related information and support. (Moderate and High)
Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
6.4.8 Incident Response Plan (IR-8)
It is important that OPM has a formal, focused, and coordinated approach to responding to information security incidents. OPM's mission, strategies, and goals for incident response help determine the structure of its incident response capability.
The CISO shall ensure:
• Development of an Incident Response Plan that:
    • Provides the organization with a roadmap for implementing its incident response capability;
    • Describes the structure and organization of the incident response capability;
    • Provides a high-level approach for how the incident response capability fits into the overall organization;
    • Meets the unique requirements of the organization which relate to mission, size, structure, and functions;
    • Defines reportable incidents;
    • Provides metrics for measuring the incident response capability within the organization;
    • Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
    • Is reviewed and approved by designated officials within the organization.
• Distribution of copies of the Incident Response Plan to the Chief Information Officer (CIO), SOs, ISSOs, DSOs, and additional staff as necessary;
• Review of the Incident Response Plan at least annually;
• Revision of the Incident Response Plan to address system or organizational changes or problems encountered during plan implementation, execution, or testing; and
• Communication of Incident Response Plan changes to the CIO, CISO, SOs, ISSOs, DSOs, and other impacted staff.