Department of Public Health

Transcription

1 PAGE 1 of 13 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: CISSPCISSP/C Distribution: DPH-wide Other: n/a phil.mcdown@sfdph.org 1. POLICY INTENT This document establishes the policy for assembly, functions and organizing a San Francisco Department of Public Health (SFDPH) Information Technology Division Security Incident Response Team. It creates a mechanism and defines roles for responding to serious breaches of Information Security at SFDPH. This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The section that relates to Security Incident Response is CFR (a)(6). POLICY SCOPE This policy is intended to complement the existing Malicious Software Prevention and Surveillance policy and the Disaster, Contingency and Business Continuity Planning policies. It is also intended to define the mechanism for investigating and remediating security incidents that require actions in excess of day-to-day I.T. operations management and employee disciplinary procedures (refer to the Security Violation, Discipline and Sanctions Policy). History has shown that a malware incident that exceeds local I.T. staff s ability to control and remedy is the most likely type of event to require Enterprise-wide action. For this reason, the text of this policy reflects the assumption that a malware crisis is the type of event to be dealt with. However the roles, procedures and actions defined and specified are adaptable to other types of crisis and would be part of SFDPH-IT s overall response to a natural disaster or other pervasive event. DEFINITIONS Unusual Occurrence: Any event that is considered to be out of the ordinary or disruptive to the normal

2 PAGE 2 of 13 conduct of business affairs, that should be reported and investigated to determine the facts and the appropriate response. For the purposes of this document, Unusual Occurrences (UO s) that can be normally reported and dealt with under other existing policies and regulations (e.g., JCAHO) or which can be dealt with using day-to-day I.T. operations management, trouble-shooting and employee disciplinary procedures, are excluded from this policy. Developing Situation: For the purposes of this policy, a Developing Situation is an IT related UO that persists in the face of normal remedial measures or which is duplicated in more than one portion of the Enterprise (e.g., at SFGH and LHH simultaneously). It may be an OU that is spreading or has negative impacts beyond localized or initial ones. Developing Situations require increased surveillance and communications support and decision-making beyond the I.T. staff s normal scope. Malware Alert: For the purposes of this policy a Malware Alert Situation is one where actual Malware activity has been detected or a widespread vulnerability to a particular threat has been identified. In such situations central communications and coordination of the Enterprise-wide remediation efforts is the primary need. Emergency: For the purposes of this policy an Emergency is a Developing situation has escalated to the point where local, limited efforts to control, contain or stop it no longer work and major negative impacts on Enterprise business operations are being experienced or a Malware Alert Situation that impacts the entire Enterprise and the remedial activities to mitigate it will require coordination of efforts throughout the Department. If a coordinated division-wide approach becomes necessary is the point at which Incident Response shifts into the mode of Emergency Response and may include Disaster Recovery. C 3 : Command, Communications and Control The critical functions necessary to operate in response to an incident that has evolved into a situation, emergency or disaster. 2. POLICY STATEMENTS The SFDPH Information Technology Division shall create and maintain rosters of Incident

3 PAGE 3 of 13 Response roles to be assumed by its staff when responding to a Security Incident or larger scale disaster situation. The roles on the roster are to be filled by volunteers and management-selected staff who have the particular skill-sets required to perform the role for which they have volunteered or been assigned. During Incident or Emergency Response training or drills, these staff members will rehearse the roles for which the roster has them designated. When assigning the roles on the roster, each role must have at least two staff assigned to perform it and that at least one of those staff members resides where there is direct surface travel access to the Data Center (i.e., with no intervening bridges or ferry travel). 2.1 Developing Situation Roles: Developing Situations require increased surveillance, communications support and decision-making beyond the I.T. staff s normal scope. This requires that certain staff members assume roles outside of their normal I.T. operational responsibilities Data Collection, Analysis and Communication Collecting information about a developing malware situation and using various reporting mechanisms (e.g., Help Desk tickets), tools (logs, IDS/IPS, Qualys scans) and industry alerts to track developments and trends and to inform and alert management or a Command Center when a worsening trend appears to be occurring. This is essentially an extension and enhancement of the day-to-day malware prevention and surveillance process (refer to the Malicious Software policy) and may use the same staff Decision Making I Management Determination of: Which and how many resources to reallocate to the response. When a developing situation exceeds the capabilities of local response. Whether to declare an Emergency. 2.2 Malware Alert Situation Roles: When Malware activity or a significant widespread vulnerability are detected, a Malware Alert occurs, such situations require surveillance,

4 PAGE 4 of 13 investigation/decision-making, notification/communication and focused remedial activities that are within the I.T. staff s normal scope but become higher than each staff member s normal dayto-day top priorities Surveillance/Detection Malware activity and vulnerabilities are either detected by one or more of the existing surveillance tools (e.g., Trend, Qualys-Scan, Damballa etc.) or by system behavior that is reported to IT Technical Staff or the Help Desks Investigation Assigned staff research the extent of the activity and readily available remedial steps or tools Notification A select group of senior technical staff have been designated to be the Malware First Response team (refer to Appendix A) who are alerted by the Surveillance Team, who maintain and monitor the Detection tools. Depending on whether the detected activity or threat is localized, the Surveillance team notifies specific locations team members or sends out an Enterprise alert via , with follow-up by phone as appropriate Remediation On-site staff locate the affected devices and perform the recommended remedial actions (e.g., patching, disconnecting from the network, re-imaging etc.) and report back to the Incident Response team leads Communication Following issuing an alert, the Surveillance team, led by the Information Security Taskforce Chair person, coordinates the remediation efforts and collects results reports. 2.3 Emergency Response Roles: Developing Situations can evolve unpredictably into true emergency situations which require more frequent decision making, coordination of diverse activities, enhanced communications support and monitoring of the situation s extent and rate/direction of change - this will require that most I.T. staff members assume roles utilizing skill sets that may not be in their normal job description (Refer to the All-Hands list in Appendix A):

5 PAGE 5 of Decision-Making II Management assumes control of the Incident Response effort and determining: Whether to declare an emergency. When to activate other Incident Response Roles. When to initiate 24 by 7 and/or 12-hour shift operations Centralized Response Communication and Coordination Collecting, collating and analyzing information from malware-response related activities throughout the Enterprise. Communicating with vendors and consultants. Disseminating (as a single authoritative source) information on news, tools found and recommended, current virus/patch/repair engine versions, where to obtain them and other necessary information. Retaining a record of communications including s so that the events can be reconstructed after the fact Affected Device Detection and Targeting Compiling the available information and reporting it to the decision-maker(s), including: Determining which devices, nodes, applications, subnets etc. are affected. How the infestation is manifesting. The affected devices Anti Virus, patch etc. status. The affected devices identification (device name, device type, IP address, MAC address, subnet location, etc.). The affected devices physical location, network connection and operational status.

6 PAGE 6 of 13 Locally responsible parties. Retaining a record of communications including s so that the events can be reconstructed after the fact Situation Status Monitoring and Reporting Compiling and reporting the information to the decision-maker(s) and central communications and coordination for determining progress in the response effort, including: Monitoring overall trends - number of existing infestations cleaned up, new ones appearing etc. Hot spots Operational impacts and priorities Retaining a record of communications including s so that the events can be reconstructed after the fact Response Strike Team Personnel who are organized and dispatched to specific locations to reinforce local efforts and/or to complete one or more response-related tasks, such as: Mass cleaning/removing of malware and restoration of operating systems and applications Mass (re)hardening of devices that requires hands-on intervention Providing technical skills or knowledge not present in the local I.T. staff Providing coordination and communication of strike team activities 2.4 Post Response Roles: After the Incident or Emergency has been controlled or alleviated, systems reimaged, several other actions need to take place: Decision Maker(s) Need to determine when and how to declare an end to the incident

7 PAGE 7 of STANDARDS or emergency Role Players Especially those with data collection, communication, tracking and coordinating duties; need to assemble the event history data, perform a post-mortem analysis of causes and vulnerabilities that were exploited and report their findings to management and the Security Taskforce Strike Teams May be required to continue clean-up and restoration activities until the entire environment has been restored to stability and complete functionality Duties of Response Team: As required by the circumstances of the incident, the Response Team may be required to do any or all of the following: Initial Evaluation and Damage Control Rapid determination of the general nature and extent of the malware incident: changes in functionality, loss of data, system damage or malfunction and taking immediate action to halt or limit the effects and/or stop them from spreading Diagnosis More detailed analysis of the problem, focusing on precise determination of the nature, cause and extent of the problem and location and evaluation of options for remediating it or preventing it from spreading to unaffected systems Forensics Reconstruction and analysis of the events and symptoms (electronic and/or physical) that led to the determination that an incident was occurring or had occurred. The primary focus of this activity is to identify the vulnerabilities that permitted the incident to occur and define remedial and/or preventative actions to be taken to avoid recurrences. The secondary focus is the identification of causative persons or agencies in order to take appropriate action to deter reoccurrences Solution Investigation and Communications Using vendor contacts, the internet and

8 PAGE 8 of 13 other resources to seek out and obtain diagnostic and cleaning tools, patches and procedures Cleaning, Repair and Restoration The process of removing malware, bringing the system up to a properly hardened state (refer to the Anti-malware Policy), repairing the malware induced damage and restoring or improving systems and data to their state of currency, functionality and integrity prior to the incident Follow-up and Reporting Debriefing the team and other participants who responded to the incident or were involved in the incident response and recovery activities. Reporting to management: The conditions and vulnerabilities that led to the incident and its probable cause. The timeline and events of the incident and the response. The resolution of the incident what was done and the final result. Lessons learned. Recommendations for prevention of repetition Makeup of Response Team: As required for the actions appropriate to the circumstances of the incident (see 3.1), Response Team(s) may include any or all of the following classifications or personnel: An overall Response Effort commander to run the Command Center and direct and coordinate communications and the activities of the local and strike team response activities An onsite leader for local or strike team operations The System and Network Engineers and Administrators responsible for the hardware, software and network components involved in the incident.

9 PAGE 9 of Other System and Network Engineers, Administrators, Analysts and other I.T. staff with needed skill sets or experience or representing other involved or concerned sites (As appropriate) A representative of the system and network hardware vendor(s) (As appropriate) A representative of the application software vendor (As appropriate) A representative of the (current) Hardware Maintenance contractor (As appropriate) A representative of the Firewall Security contractor Makeup of Extended Response Staff - An Extended Staff may be required in extreme circumstances, and may include persons from other agencies as warranted by the incident circumstances, such as: 4. RESPONSIBILITIES Representative(s) of SFDT if the incident involves, or potentially involves City-wide systems or data Representative(s) of HR and/or the City Attorney s Office if severe personnel sanctions and/or civil legal action is a possibility Representatives of the Police Department if the incident may have been caused by or result in criminal action Representatives of the FBI or the Homeland Security Agency if the incident may have been caused by or result in interstate or international illegal, criminal or terrorist action(s) SFDPH Executive Management is responsible for:

10 PAGE 10 of Developing, reviewing, approving and publishing Incident Response policy and its associated standards and guidelines Delegating authority to the Response Team to use specified management powers and prerogatives in the course of their duties Establishing Standards and Guidelines for the Enterprise-wide application of this policy, including but not limited to: Composition of the Team, including authorizing previously undefined job descriptions and classifications Types of situations requiring team response Specific sanctions for parties found culpable in security incidents Coordinating Incident Response Procedure development and implementation efforts across divisional lines DPH Chief Information Officer/Chief Information Security Officer is responsible for: Reviewing and recommending to management all exceptions to Security Incident Response policy In the absence of a separately appointed person performing the role of Incident Response Team Leader (see 4.4) Directing and overseeing the development of standards and procedures for Incident Response activities: Ensuring the technical security of the SFDPH Data Network. He/she is responsible for implementing Incident Response policy and providing the detailed monitoring, and

11 PAGE 11 of 13 enforcement tools and procedures Performing or delegating the role of Incident Response Team Leader or general oversight of ad-hoc Incident Response Teams which are composed of technical staff Overseeing the maintenance of the Incident Response Roles Roster and determining the assignment of DPH-IT staff to fill the roles in the event of and Incident Directing the development, planning and staging training, practices and drills to prepare DPH-IT staff for actual Incident Response when called for SFDPH Information Technology (DPH-IT) is responsible for: Providing the personnel for implementing Security Incident Response Policy including providing the system engineers and other technical members of the team Appointing Authority / Local-Unit Management is responsible for: Assigning workforce members job duties: Including avoiding security policy violations, preventing security incidents and reporting possible incidents that they may become aware of First-level investigation and reporting of possible incidents reported by their staff Establishing local operational standards and procedures for the avoidance, detection and reporting of malware incidents Workforce members are responsible for: Protection of the information that has been entrusted to their care. The avoidance, detection and reporting of security incidents as part of their day-to-day responsibilities..

12 PAGE 12 of Participating in SFDPH provided training and orientation sessions and events regarding Security Incident detection and reporting Vendors or Contractors are responsible for: Instructing their SFDPH workforce members of their responsibilities to comply with the goals of the SFDPH internal security policies Permitting necessary access to their workforce and facilities to the Response Team. 5. PENALTIES FOR VIOLATIONS: 5.1. General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided Trusted Workforce member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations 5.4. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written

13 PAGE 13 of 13 contract and criminal penalties provided for in the applicable laws and regulations. 6. ATTACHMENTS: Procedures to be developed and documented 6.1. Appendix A Incident Response Team Composition and Escalation Procedures. This appendix, for reasons of keeping up-to-date with staffing additions and removals as well as changing role assignments, is maintained in a separate document.