INFORMATION SECURITY INCIDENT REPORTING POLICY
  Reference number

Approved by Information Management and Technology Board

Date approved 30 April 2013

Version 1.0

Last revised

Review date March 2014

Category Information Assurance

Owner Data Protection Officer


Document Control

This is a CONTROLLED document and updates or changes to this document are authorized and then advised by email to the relevant document holders.

It is UNCONTROLLED when printed. You should verify that you have the most current issue.

DOCUMENT HISTORY

Author(s)

Names        Role
Helen Worth  Senior Information Governance Officer

Document Log

Version  Status  Date Issued  Description of Change                            Pages affected  Review
0.1      Draft                                                                 All
0.2      Draft                Updated to reflect feedback during consultation  All
1.0      Issued  30/04/2013   Approved by IM&T Board                           All             March 2014

Contents

1.0 Introduction
1.1 What is Information?
1.2 What is the Information Security Approach?
2.0 Purpose
3.0 Scope
4.0 Identifying Incidents
5.0 Reporting Incidents
5.1 Logging Incidents
5.2 Escalation
6.0 Managing Incidents
6.1 Incident Classification
6.2 Investigating the Incident
6.3 Closure and final report
6.4 Follow-up
7.0 Enforcement

1.0 Introduction

To ensure that Herefordshire Council minimises the damage from information security incidents and learns from them, it should ensure that all information security incidents are reported, recorded and investigated. All employees are required to report any observed or suspected incident promptly to allow the issue to be fully investigated in order to reduce the risk of it re-occurring.

1.1 What is Information?

Information can be in a number of forms:

• Spoken in conversations (including telephone)
• Printed out and/or written on paper
• Sent by fax
• Sent via e-mail
• Sent by text (SMS)
• Stored on computers
• Transmitted across networks
• Stored on media (tapes, disks, CDs, film, microfiche etc.)
• Stored in databases
• As part of presentations
• Any other methods used to convey information and knowledge.

1.2 What is the Information Security Approach?

We are obliged by law to deal with any serious breach of information security under the P.A.C.E. (Police And Criminal Evidence) process. The most effective way of providing information security is to use a structured approach that will ensure the appropriate controls are applied to specific areas rather than general controls to all areas. The “Code of Practice for Information Security Management” was published in 1995 as British Standard, BS 7799 (Now ISO27001). This standard provides a comprehensive set of security controls comprising the best information security practices in current use. Its objectives are to provide organisations with a common basis for providing information security and to enable information to be shared between organisations.

2.0 Purpose

The purpose of this policy is to inform all employees of their responsibilities in recognising and reporting suspected and actual information security incidents.

This policy should be read in conjunction with the following policies and procedures:

• Internet Acceptable Use Policy
• Email Policy
• Software Policy
• GCSx Acceptable Usage Policy and Personal Commitment Statement
• IT Access Policy
• Information Protection Policy
• Remote Working Policy
• Removable Media Policy
• Data Protection Policy
• Communications and Operation Management Policy
• IT Infrastructure Policy

3.0 Scope

This Policy applies to all Herefordshire Council Members, employees, consultants, agency staff and independent contractors.

4.0 Identifying Incidents

For the purpose of this policy an information security incident is defined as:

“An identified occurrence or weakness indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation which may be security relevant.”

Both incidents and weaknesses have the potential to affect the confidentiality, integrity and availability of information.

Some common examples of information security incidents are listed below. Please note that this list is not exhaustive and should be used as guidance:

• The loss or theft of information.
• The transfer of sensitive or confidential information to those not entitled to receive it.
• Attempts to gain unauthorised access to data, information storage or a computer system.
• The unauthorised use of a system by an individual.
• The inappropriate disposal of sensitive or confidential information.
• The loss of computer equipment.
• The loss of computer media, e.g. CDs, DVDs and memory sticks.
• Attempts to gain unauthorised access to secure areas.
• Management of information assets when a member of staff is suspended.
• Attempts to commit fraud.

5.0 Reporting Incidents

All information security incidents should be reported to the Information Governance Team as soon as they are detected, by emailing informationgovernance@herefordshire.gov.uk.

5.1 Logging Incidents

The following information must be provided when reporting an information security incident to the Information Governance Team:

• Date, time and location of the incident
• Who discovered the incident
• Information affected
• Department involved
• Description of what happened
• Who has been informed
• Actions taken so far

5.2 Escalation

When considering what action to be taken the following people will be informed and consulted as appropriate:

• Data Protection Officer
• Senior Information Risk Owner
• Information Asset Owner/Data Steward
• Chief Executive
• Information Commissioner

6.0 Managing Incidents

All incidents reported to the Information Governance team will be managed following the process below. 

6.1 Incident Classification

Once a security incident is reported, the Information Governance Team must classify the incident as follows:

“High” risk incidents pose a severe risk to Herefordshire Council information and will be classified as critical security incidents. These incidents include, for example, a widespread risk of compromising systems or compromising sensitive or critical data.

“Medium” risk incidents pose a medium risk to Authority information and as such will be classified as medium-severity security incidents. These incidents include, for example, compromising an information system that does not contain sensitive data and will not pose a widespread risk to other Authority information systems.

“Low” risk incidents pose a low risk to Authority information and will be classified as low-severity security incidents. These incidents include, for example, compromise of a system that does not contain critical or sensitive data or pose the risk of compromising other systems.

6.2 Investigating the Incident

The purpose of an investigation is not to find someone to blame; it is to learn and improve. All incidents will be investigated in order to establish the facts and any corrective and/or preventative actions required. Not all incidents will need the same depth of investigation to find out the full facts and determine what went wrong.

• Find out all of the facts.
• Determine what went wrong.
• Identify risks that are appropriate for follow-up and action.
• Make recommendations to address the risks.

Investigation of the incident will include the collection and recording of evidence and it is important the Information Governance Team find out the following:

a) The extent of the breach.

b) The amount of information involved.

c) The sensitivity of the information involved.

d) The potential for loss or damage to individuals, the council or any other body.

e) What measures need to be taken, and how quickly, to address:

   i. Restoring any lost information to our custody or control.

   ii. Whether to warn people about the loss, including who and when.

   iii. Whether to report the loss to the Information Commissioner (if it involves personal data) and when to do so.

   iv. Whether to report the loss to the Police.

The investigation process may also include the following:

• Taking statements, formal or informal, from those involved, especially where the quality of evidence may be lost through time or people may not be present for long.
• Convening a meeting as appropriate involving people who are likely to have an active role in remedying the incident or dealing with any of the outside parties involved.
• Involving the council’s Public Relations team.
• Involving the Information Commissioner’s Office and dealing with any subsequent action arising from it.
• Considering measures that can be put in place to eliminate or reduce the chances of a re-occurrence.
• Involving legal services where there is a risk of a claim against the council, and updating risk registers.

6.3 Forensic Evidence

As part of the investigation process a forensic examination of equipment may be required for evidential purposes. Although the investigation may not be a criminal case there may be an internal case requiring disciplinary procedures. If a forensic examination needs to take place the following must be adhered to:

• Evidence must be logged in and out of the evidence store.
• If evidence needs to be handed to a third party (e.g. the police) this must be signed for by the third party.
• Evidence returned by a third party must be signed back into the evidence store and kept along with confirmation that it is no longer required.
• Evidence must be retained for a minimum of 6 months after the end of the investigation.

6.4 Closure and reporting

All incidents classified as ‘High’ will have a closure report written which will be provided to the relevant parties.

Any risks identified as a result of the incident occurring will be recorded on the Information Security Risk Treatment Plan and assigned to the relevant business owners for corrective and/or preventative actions to be implemented.

All incidents will be summarised in a monthly report to the KIS Steering Group and where appropriate to the IM&T Steering Group. A quarterly trend report will be provided to the IM&T Board.

6.5 Follow-up

Some incidents require considerable time and effort. Performing follow-up activity is, however, one of the most critical activities in responding to incidents. Following up afterwards will help the Authority improve its incident handling procedures and review its ISMS (Information Security Management System), as well as continue to support any efforts to prosecute those who have broken the law. Follow-up activities include the following:

• Analysing what has transpired and what was done to intervene.
• Analysing the cost of the incident.
• Preparing a report for the IM&T Board.
• Revising the ISMS.

“Lessons learned” contained in the report described above should be used as the basis for modifying Authority information incident response policies and procedures.

7.0 Enforcement

Enforcement of this policy is the responsibility of all managers as part of their management role. Internal and External Audit may undertake reviews on a planned and ad-hoc basis as part of the audit process. The Information Governance Team will conduct quality reviews on a cyclical basis as part of their security role.

A violation of standards, procedures, or guidelines established in support of this policy will be brought to the attention of the Information Governance Officer for investigation. The Information Governance Team enforces this policy by continuous monitoring, through the use of software tools. Business Unit Management, Human Resources, Internal Audit and External Audit will be notified when it is considered that a breach has taken place. It is the responsibility of all users (as defined within the Scope of this document) to ensure compliance with the policy. Failure to adhere to the policy may result in a breach of Financial Regulations, Standing Orders and/or current legislation. In the event of a breach by an Authority employee, disciplinary action may be taken in accordance with the Disciplinary Code of Conduct. Action against non-Herefordshire Council employees may result in removal/suspension of IT facilities, removal from site, cancellation of any contracts and possible legal action.
