NUKG Business Solutions Pvt Ltd. Information Security Incident Management Procedure (IS-IMG)

Transcription

1 NUKG Business Solutions Pvt Ltd Information Security Incident Management Procedure (IS-IMG) Version No 1.0 Document Classification Prepared by Vasu Reviewed by Ravi Kanduri Approved by Ravi Kanduri Date C-2 Internal 01 June-2018 This document is the copy right of NUKG Business Solutions Pvt Ltd., No part of this document may be photocopied, reproduced, stored or transmitted in any form or by any means without the prior permission of the company.

2 Document Amendment Record A Added, M Modified, D Deleted Version No Date Section No Page No Change Mode (A/M/D) June 2018 Initial Version Brief description of change Version 1.0 Effective date: 01-June-2018 C-2 Internal Page i

3 Table of Contents 1.0 PURPOSE SCOPE DEFINITIONS RESPONSIBILITIES INFORMATION SECURITY INCIDENT MANAGEMENT MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS Responsibilities and procedures Reporting information security events Reporting information security weaknesses Assessment of and decision on information security events Response to information security incidents Learning from information security incidents Collection of evidence RECORDS... 4 Version 1.0 Effective date: 01-June-2018 C-2 Internal Page ii

4 1.0 Purpose Information Security Incident Management Procedure (IS-IMG) This document defines the activities that need to be implemented towards reporting, resolving, and management of Information Security events and incidents. Incident security incident management objective is - To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. 2.0 Scope The scope of these guidelines covers the entire ISMS activities of the company. The guidelines support the initiatives of the company to provide a quick resolution of security events and incidents and initiate improvements 3.0 Definitions ISMS Information Security Management System ISMF Information Security Management Forum CISO Chief Information Security Officer Information Security event An Information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant. Information security incident Information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security Information security incident management Information security management is the process for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents 4.0 Responsibilities Definition of the Policies Head Delivery Review and Approval Vice President and Director Implementation of the Policies Employees, Contractors and Third Party Users Monitoring of the implementation of Policies ISMF Version 1.0 Effective date: 01-June-2018 C-2 Internal Page 1 of 4

5 5.0 Information Security Incident Management 5.1 Management of information security incidents and improvements Responsibilities and procedures CISO is the nodal point for information security incidents and improvements. Reporting Procedures Any employee or third party service provider (security, electrician, housekeeping, catering, pantry, etc.,) can report any observed information security event or weakness. The information security events or incidents are reported in an information security events or incident form and sent to a group of the company. The report provides details of Date and time, location of the event, description of the event, and any other details that are required for investigation and action. On receipt of the , CISO identifies the department that has responsibility to investigate and resolve the reported incident, and forwards the information security events or weakness form. Management Responsibilities For each category of security incidents, IT Infrastructure Department has established some generic steps to be taken to resolve the reported incident. IT Infrastructure Department implements the required actions to recovery of the systems. Similarly, Administration, HR and Projects have established some generic steps to be taken to resolve the reported incident Reporting information security events Occurrence of Information security event in itself does not necessarily compromise information security, but could result in it being compromised. An example is a multiple logging failure on a single user account leading to that account being locked out An information security breach can be regarded, as a series of information security events whose ultimate results is damage to or loss of data from an information system. All employees, contractors and third party users who have come across any security event such as security breach, threat, weakness or malfunction that has an impact on the security of organizational assets report any observed or suspected event as quickly as possible. Some situations that can be considered for reporting information security events include: Ineffective physical entry controls Human errors Malfunctioning of hardware or software Malfunctioning of infrastructure facilities (such as UPS, Generator, Access control, Fire safety etc.,) Access violations In case of computer systems, software and networking they reports to IT Infrastructure department. In case of facilities related events, they reports to Administration Department. Reporting information by IT Department In addition to the information security events and weakness reported by the users, IT Infrastructure department compiles information on security events and weaknesses through monitoring of systems & network and from published sources of information. Version 1.0 Effective date: 01-June-2018 C-2 Internal Page 2 of 4

6 5.1.3 Reporting information security weaknesses All employees, contractors and third party users who have come across any security weaknesses that have an impact on the security of organizational assets report any observed or suspected weakness as quickly as possible. In case of computer systems, software and networking they reports to IT Infrastructure department. In case of facilities related events, they reports to Administration Department Assessment of and decision on information security events On receipt of a report on information security event, CISO assesses and classifies the event as Information security incident, based on the criticality and impact of the event. Any event that has potential to violate any information security control can be classified as information security incident. CISO identifies the department that has responsibility to investigate and resolve the reported event or incident, and forwards the same for investigation and resolution Response to information security incidents The procedure for treating both information security events and incidents is similar. The department responsible for responding to the information security event or incident provides following details: Severity of the incident or event Collecting evidence Root cause analysis Corrective action to eliminate the cause of the incident or event Responsibility for implementing the corrective action Target date for implementing the corrective action Verification of the implanted corrective action CISO tracks the status of the proposed corrective action and closes the incident or event form. Note: All events are classified as minor All incidents are classified as major or critical Definition and time targets to close the events or incidents Category Definition Target time for closure Critical Will stop project /department work if not resolved Within working one day Major Likely move the project/department work back in terms of Within three working days budget or timeline, or will materially affect quality or scope Minor Has moderate effect on the project/department, but will Within ten working days require resources to address. Version 1.0 Effective date: 01-June-2018 C-2 Internal Page 3 of 4

7 5.1.6 Learning from information security incidents CISO analyses the information on security incidents to capture lessons and to identify the nature, impact and effects of information security incidents. This also may result in identifying risks that have not been identified as a part of risks analysis. This may indicate the need for enhanced or additional controls or review of the policies. CISO submits a report to the management on a quarterly basis The applications developed by the company or used within the company ensure that the processing failures are minimized to avoid loss of integrity Collection of evidence Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence is collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). CISO in consultation with HR Department collects the required evidence and keeps in safe custody. The applications ensure that the right messages are generated and protected 6.0 Records S.No Record 1 Information Security Events/incidents reporting form 2 Information Security Incidents Quarterly Report Version 1.0 Effective date: 01-June-2018 C-2 Internal Page 4 of 4