Security Incident Policy

Organisation: Somerset County Council
Title: Security Incident Policy
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of Council email are aware of the process for reporting a security incident or data breach and the importance of reporting these incidents as quickly as possible.

This policy sets out the reporting process, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council, and the potential consequences of not reporting these incidents.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors and Volunteers.

Key Messages

• All staff should report any incidents or suspected incidents immediately by informing the ICT Helpdesk and the SCC Information Governance Team.
• All incidents that result in the unauthorised disclosure of personal or sensitive data must be reported to the Information Governance Manager, who may inform the Information Commissioner's Office (ICO).
• All incidents that result in a potential breach of the network must be reported to the ICT Helpdesk; as a result the ICT Security Manager may inform Gov-Cert and SWWARP.
• All incidents will be taken through the following process: Detection, Assessment, Communication, Escalation, Resolution, Follow up and Lessons learned.
• If you wish, SCC can maintain your anonymity when reporting an incident.

If you are unsure of anything in this policy you should ask for advice from the Information Governance Team.


Revision History

Revision Date   Editor         Previous Version   Description of Revision
01.06.11        Peter Grogan   -                  Initial Draft
04.07.11        Peter Grogan   v.01               Comments from D.Littlewood
05.07.11        Peter Grogan   v.02               Comments from D.Littlewood
11.08.11        Peter Grogan   v.03               Additions P.Grogan
15.09.11        Peter Grogan   v.04               Additions P.Grogan
04.11.11        Peter Grogan   v.05               Additions P.Grogan
04.12.11        Peter Grogan   v.06               Revised Flow chart & Reformatting
04.01.12        Peter Grogan   v.07               New Title & Reformatting
09.03.12        Peter Grogan   v.08               Reformatting
15.06.12        Peter Grogan   v.09               HR Update & Union Approver

Document Approvals

This document requires the following approvals:

Approval                        Name                       Date
Information Governance Manager  Peter Grogan
Caldicott Guardians             Clare Steel / John Kirby
Information Governance Board    Donna Fitzgerald
Unions / JCC                    Carrie-Anne Hiscock
SCC HR                          Richard Crouch
Elected Members                 David Huxtable

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors and Volunteers.


FULL POLICY DOCUMENT

1. Policy Statement

Somerset County Council will ensure that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Council.

2. Purpose

The aim of this policy is to ensure that Somerset County Council reacts appropriately to any actual or suspected security incidents relating to information systems and data.

Somerset County Council has a responsibility to monitor all incidents that occur within the organisation that may breach the security and/or confidentiality of information. All incidents need to be identified, reported, investigated and monitored. The policy has been implemented so that Somerset County Council can learn from reported incidents. It is not the intention to apportion blame to members of staff; it is only by adopting this approach that Somerset County Council can ensure that incidents of a particular nature do not keep recurring.

3. Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who use Somerset County Council IT facilities and equipment, or have access to, or custody of, customer information or Somerset County Council information.

All users must understand and adopt this policy and are responsible for ensuring the safety and security of the Council's systems and the information that they use or manipulate.

All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

4. Definition

This policy needs to be applied as soon as information systems or data are suspected to be, or are actually affected by an adverse event which is likely to lead to a security incident.

The definition of an “information management security incident” (‘Information Security Incident’ in the remainder of this policy and procedure) is an adverse event that has caused or has the potential to cause damage to an organisation’s assets, reputation and / or personnel. Incident management is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes.

Any employee who detects or suspects an information security incident has a personal responsibility to report it in accordance with this policy. The prime purpose of this policy is not to apportion blame but to contain problems and learn valuable lessons for improvement.

Types of Incident

The following are the main categories of incident:

These categories cover a range of incidents and breaches that are actions of either a physical or non-physical nature. For example, this can include:

• Site Breach - This could include unauthorised access to the site, with the intent to cause criminal damage.
• Network Breach - This could include network violation and/or breach of firewalls etc.
• Security Hardware Incident - This could include a failure of any site security hardware, including cameras, gates, doors, failure of a firewall etc.
• Building Incident - This could include a problem within the offices, such as fire or flood.
• Area Breach within the building - This could include a person or persons intentionally gaining access to areas within the building they are not authorised to be in.

5. Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

• To reduce the impact of security breaches by ensuring incidents are followed up correctly.
• To help identify areas for improvement to decrease the risk and impact of future incidents.
• To ensure impact is reduced to other organisations associated with WARP.
• To ensure impact is reduced for Somerset County Council in respect of the Information Commissioner's Office.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and fines and an inability to provide necessary services to our customers.

6. Applying the Policy

6.1 Procedure for Incident Handling

Events and weaknesses need to be reported at the earliest possible stage as they need to be assessed by both the Information Governance (IG) Team and the ICT Security Team. The technical advice from the ICT Advisor will enable the IG Team to identify when a series of events or weaknesses has escalated to become an incident. It is vital for the IG Team to gain as much information as possible from the users to identify if an incident is occurring.

The Information Governance and ICT Security teams will validate the impact of the incident, ensuring:

• the incident is with the appropriate technical/operational team/s, using internal or external teams at the appropriate level
• the incident progresses in a timely manner through the identification, incident routing, isolation and resolution phases
• management escalation where deemed applicable, invoking the Management Escalation of High Severity Incident process

Dependent on the severity and identified impact of the incident, timely updates shall be provided to the Information Governance Manager until the incident is resolved, either temporarily or permanently.

The Incident Owner will decide whether to engage with other appropriate personnel as part of the technical or management escalation process to gain further advice and/or guidance and/or for communication.

The Incident Management Process is managed using the following stages and is depicted in diagrammatic form in Appendix 1.

Stage 1 – Incident Detection

Three types of information source feed information regarding the incident:

• The Service Desk receives notification from the end-user community.
• Operational Personnel detect incidents in the infrastructure which could cause service disruption experienced by the end user.
• Management Systems monitor and detect incidents automatically, triggering alerts based on system thresholds and failures.

Stage 2 – Incident Assessment

The aim of this stage is to quickly and accurately determine whether the incident is a serious incident.

• Initial Problem Input Data - The details are entered into the Service Desk system and an appropriate Impact classification is applied (see Appendix 1).
• Incident Assessment - The incident is assessed and the appropriate category is confirmed by the selected Incident Owner.
• Serious Incident - If the incident is classified as 'Critical', the assessment should be confirmed within 60 minutes of incident initiation.

Stage 3 – Communication and Escalation

The communication and escalation processes aim to ensure that all parties are kept informed of the incident status.

• Management Escalation - The relevant Service Managers must be notified of the incident and kept up to date with progress to allow them to manage their customers.
• Security Management Escalation - Where it is deemed that this is a 'High' security related incident, the Senior Information Risk Owner and the Support Services Group Manager must be notified and kept up to date with progress.

Stage 4 – Incident Resolution

The Incident Resolution phase covers all the various technical investigations that will be required in order to bring the incident to resolution. This may require personnel from various technical and non-technical business areas to provide effective resolution; it is expected that resources are made available as required.

Stage 5 – Incident Post Resolution

• Critical Incident Review - The Senior Information Risk Owner (SIRO) chairs a Serious Incident Review within 3 working days of incident resolution. This is attended by all key support staff involved in the incident.
• Critical Incident Report - Taken from the Service Desk system. The output of the Serious Incident Review is the Serious Incident Report. This summarises the events of the incident, the impact, actions taken to resolve the incident and further actions being taken to mitigate the risk of future occurrence/impact. The completed Government Computer Emergency Response Team (GovCertUK) Incident Report is emailed to incidents@govcertuk.gov.uk.
• Non Critical Incidents - The SIRO chairs the Information Governance Board (IGB) quarterly and a report of the incident is included.

Stage 6 - Recording of Incidents and Follow Up

ICT will log all incidents on the Service Desk system to enable a central register to be


Appendix 1 - Governance Arrangements

Policy Compliance

If any user is found to have breached this policy, they will be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

• Responsible - the person(s) responsible for developing and implementing the policy.
• Accountable - the person who has ultimate accountability and authority for the policy.
• Consulted - the person(s) or groups to be consulted prior to final policy implementation.
• Informed - the person(s) or groups to be informed after policy implementation or amendment.

Responsible   Information Governance Manager
Accountable   SIRO - Head of Client Services
Consulted     Senior Management Team, HR, Unions
Informed      All: Members, staff, contractors, volunteers and 3rd parties

Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy:

• Corporate Information Security Policy
• Data Protection Policy
• Information Transparency Policy
• Acceptable Use Policy

Appendix 2 – Examples of Information Security Incidents

Examples of the most common Information Security Incidents are listed below. It should be noted that this list is not exhaustive.

Malicious

• Giving information to someone who should not have access to it - verbally, in writing or electronically.
• Computer infected by a Virus or other malware.
• Sending a sensitive e-mail to 'all staff'.
• Receiving unsolicited mail of an offensive nature.
• Receiving unsolicited mail which requires you to enter personal data.
• Finding data that has been changed by an unauthorised person.
• Receiving and forwarding chain letters - including virus warnings, scam warnings and other emails which encourage the recipient to forward onto others.
• Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).

Misuse

• Use of unapproved or unlicensed software on Somerset County Council equipment.
• Accessing a computer database using someone else's authorisation (e.g. someone else's user id and password).
• Writing down your password and leaving it on display / somewhere easy to find.
• Printing or copying confidential information and not storing it correctly or confidentially.

Theft / Loss

• Theft / loss of a hard copy file.


Appendix 3 - Procedure for Incident Handling

1. Reporting Information Security Events or Weaknesses

The following sections detail how users and ICT Support Staff must report information security events or weaknesses. Appendix 1 provides a process flow diagram illustrating the process to be followed when reporting information security events or weaknesses.

1.1 Reporting Information Security Events for all Employees

Security events, for example a virus infection, could quickly spread and cause data loss across the organisation. All users must understand that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction or a security event, and must be able to identify it as such. If an event is detected users must:

• Note the symptoms and any error messages on screen.
• Disconnect the workstation from the network if an infection is suspected (with assistance from ICT Support Staff).
• Not use any removable media (for example USB memory sticks) that may also have been infected.

All suspected security events should be reported immediately to the ICT Helpdesk on 01823 355200 and SCC Information Governance on 01823 357194.

If the Information Security event is in relation to paper or hard copy information, for example personal information files that may have been stolen from a filing cabinet, this must be reported to Senior Management, the Information Governance Team and the relevant Caldicott Guardian for the impact to be assessed.

The ICT Helpdesk will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied:

• Contact name and number of the person reporting the incident.
• The type of data, information or equipment involved.
• Whether the loss of the data puts any person or other data at risk.
• Location of the incident.
• Inventory numbers of any equipment affected.
• Date and time the security incident occurred.
• Location of data or equipment affected.
• Type and circumstances of the incident (loss / theft).

1.2 Reporting Information Security Weaknesses for all Employees

Security weaknesses, for example a software malfunction, must be reported through the same process as security events. Users must not attempt to prove a security weakness as such an action may be considered to be misuse.


1.3 Reporting Information Security Events for ICT Support Staff

Information security events and weaknesses must be reported to a nominated central point of contact within ICT (Security team 01823 355919) as quickly as possible and the incident response and escalation procedure must be followed.

Security events can include:

• Uncontrolled system changes.
• Access violations - e.g. password sharing.
• Breaches of physical security.
• Non compliance with policies.
• Systems being hacked or manipulated.

Security weaknesses can include:

• Inadequate firewall or antivirus protection.
• System malfunctions or overloads.
• Malfunctions of software applications.
• Human errors.

The reporting procedure must be quick and have redundancy built in. All events must involve both the Information Governance Team and the nominated person within ICT, who must both take appropriate action. The reporting procedure must set out the steps that are to be taken and the time frames that must be met.

An escalation procedure must be incorporated into the response process so that users and support staff are aware who else to report the event to if there is not an appropriate response within a defined period.

Incidents must be reported to the Business Development teams in relevant Directorates should the incident directly affect the Service.

2. Management of Information Security Incidents and Improvements

A consistent approach to dealing with all security events must be maintained across the Council. The events must be analysed and the Information Governance Team must be consulted to establish when security events become escalated to an incident. The incident response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident.

All high and medium incidents should be reported to the Head of Client Services. All low incidents should be reported to the Information Governance Manager. To decide what level of impact an incident has users should refer to the Risk Impact Matrix in Appendix 4.

2.1 Collection of Evidence

If an incident may require information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care. Internal Audit (SWAudit Partnership) must be contacted immediately for guidance and strict


2.2 Responsibilities and Procedures

Management responsibilities and appropriate procedures must be established to ensure an effective response against security events. The Information Governance Team must decide when events are classified as an incident and determine the most appropriate response.

An incident management process must be created and include details of:

• Identification of the incident, analysis to ascertain its cause and the vulnerabilities it exploited.
• Limiting or restricting further impact of the incident.
• Tactics for containing the incident.
• Corrective action to repair and prevent reoccurrence.
• Communication across the Council to those affected.

The process must also include a section referring to the collection of any evidence that might be required for analysis as forensic evidence. The specialist procedure for preserving evidence must be carefully followed.

The actions required to recover from the security incident must be under formal control. Only identified and authorised staff should have access to the affected systems during the incident and all of the remedial actions should be documented in as much detail as possible.

The officer responsible for an incident should risk assess the incident based on the Risk Impact Matrix (please refer to Appendix 4). If the impact is deemed to be high or medium this should be reported immediately to the Head of Client Services.

2.3 Learning from Information Security Incidents

To learn from incidents and improve the response process incidents must be recorded and a Post Incident Review conducted. The following details must be retained:

• Types of incidents.
• Volumes of incidents and malfunctions.
• Costs incurred during the incidents.

The information must be collated and reviewed on a regular basis by ICT services and any patterns or trends identified. Any changes to the process made as a result of the Post Incident Review must be formally noted.


Appendix 4 - Risk Impact Matrix

1. Risk Impact Matrix

Each impact level is described against seven types of impact: Reputational (media and Member damages); Reputational loss within Government and/or failure to meet statutory/regulatory obligations; Contractual loss; Failure to meet legal obligations; Financial loss / commercial confidentiality loss; Disruption to activities; Personal privacy infringement.

Low
  Reputational (media/Members): Contained internally within the council
  Government / statutory or regulatory: Internal investigation or disciplinary involving one individual
  Contractual: Minor contractual problems / minimal SLA failures
  Legal: Small fine - less than £1K
  Financial: Less than £1,000
  Disruption: Minor disruption to service activities that can be recovered
  Privacy: Small numbers of personal details revealed or compromised within department

Medium
  Reputational (media/Members): Unfavourable local media interest; unfavourable council Member response
  Government / statutory or regulatory: Government authorised investigation by nationally recognised body, or disciplinary involving 2 to 9 people
  Contractual: Significant client dissatisfaction; major SLA failures; failure to attract new business
  Legal: Less than £50K damages and fine
  Financial: £1,000 - £50,000
  Disruption: Disruption to service that can be recovered with an intermediate level of difficulty; one backup not backing up for 2 or more days
  Privacy: Small numbers of personal details revealed or compromised external to the authority

(level label not recovered)
  Reputational (media/Members): Sustained local media coverage, extending to national media coverage in the short term
  Government / statutory or regulatory: Government intervention leading to significant business change; internal disciplinary involving 10 or more people
  Contractual: Failure to retain contract(s) at the point of renewal
  Legal: Greater than £50K damages and potential fine from ICO
  Financial: £50,000 - £1,000,000
  Disruption: Major disruption to service which is very difficult to recover from; two or more systems not being backed up for two or more days
  Privacy: Large numbers of personal details revealed or compromised external to the authority; harm, mental or physical, to one member of staff or public

High
  Reputational (media/Members): Sustained unfavourable national media coverage
  Government / statutory or regulatory: Service or product outsourced through Government intervention
  Contractual: Client contract(s) cancelled
  Legal: Over £1M damages and/or fine; custodial sentence(s) imposed
  Financial: More than £1,000,000
  Disruption: Catastrophic disruption - service activities can no longer be continued
  Privacy: Detrimental effect on personal and professional life OR large scale compromise affecting many people; harm, mental or physical, to two or more


Appendix 5 - Security Incident and Time Frames

CRITICAL - Report Immediately

User Account compromised
Changes to System Hardware, Firmware or Software without the System Owner's Authorisation
Corruption of data/information
Physical Damage to systems
Denial of Service attack
Fraud
Intrusion/Hack
Protectively marked material/equipment found
Major damage to building
Network compromise
Property destruction relating to an incident - more than £50,000
Unauthorised System downtime
Theft - Data
Theft - Physical
Unauthorised physical access to building
Unauthorised disclosure or misuse of data/information
Illegal Software download/sale
Web site defacement
Social Engineering misuse
Sending an email containing sensitive information to 'all staff' by mistake
Malicious Code - Virus/Worms

SIGNIFICANT - Report Within 4 Hours

Use of unapproved or unlicensed software
Misuse of computer equipment, e.g. connecting unauthorised devices to the Council network
Pornography
Property destruction relating to an incident - less than £50,000
Sharing of account details
Unauthorised access and/or use of a system using another user's user-id/password
Violation of Special Access Requirements to a computer or computing facility
Writing down your password and leaving it on display
Receiving unsolicited mail which requires you to enter personal data
Receiving unsolicited mail of an offensive nature, e.g. containing pornographic, obscene, racist, sexist, grossly offensive or violent material
Software vulnerability

MINOR - Report Within 1 Day

Minor damage to building
Suspected sharing of account details
