The Benefits of Incident Reporting
Presented by The OISPP Team and Guest Speakers
September 2008, www.infosecurity.ca.gov

Discussion Topics
- What is an Incident?
- Metrics: why it is important to track and report incidents
- Why employees should be trained to recognize and report
- Why it is important to have an incident response plan
- Roles and Responsibilities
Discussion Topics (continued)
- The State's reporting process
- What's coming from OISPP on Incident Management?
- Additional Resources
- Case Studies
- Open Discussion
What is an Incident?
- The definition may differ among organizations and their employees
- Definitions may be very specific and granular, or broad and all-encompassing, or something in between
- Let's look at a few examples, including Events versus Incidents
Examples
An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (email), and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malicious code that destroys data.
Source: National Institute of Standards and Technology (NIST), www.nist.gov
Examples (Continued)
A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Source: National Institute of Standards and Technology (NIST), www.nist.gov

A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place. A breach of security is where a stated organizational policy or legal requirement regarding Information Security has been contravened. However, every incident which suggests that the Confidentiality, Integrity and Availability of the information has been inappropriately changed can be considered a Security Incident.
Source: ISO 17799 Toolkit Glossary and Reference Manual
Examples (Continued)
Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Source: FIPS 200

Incident: An occurrence that could have led, or did lead, to an undesirable outcome.
Source: CERT/Coordination Center, www.cert.org
Reportable Under Current State Policy
Loss, theft, damage, misuse, or inappropriate use of state information assets.
Information Assets are defined as: (1) all categories of automated information, including (but not limited to) records, files, and databases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by state agencies.
http://www.oispp.ca.gov/government/definitions.asp
Criteria For Reporting Incidents (SAM Section 5320.2)
State Data (includes electronic, paper, or any other medium):
- Theft, loss, damage, unauthorized destruction, unauthorized modification, or unintentional or inappropriate release of any data classified as confidential, sensitive or personal (see SAM Section 5320.5).
- Possible acquisition of notice-triggering personal information by unauthorized persons, as defined in Civil Code 1798.29.
- Deliberate or accidental distribution or release of personal information by an agency, its employee(s), or its contractor(s) in a manner not in accordance with law or policy.
- Intentional non-compliance by the custodian of information with his/her responsibilities (see SAM Section 5320.3).
Criteria For Reporting Incidents (SAM Section 5320.2), continued
- Inappropriate Use & Unauthorized Access: actions of state employees and/or non-state individuals that involve tampering, interference, damage, or unauthorized access to state computer data and computer systems. This includes, but is not limited to, successful virus attacks, web site defacements, server compromises, and denial of service attacks.
- Equipment: theft, damage, destruction, or loss of state-owned Information Technology (IT) equipment, including laptops, tablets, integrated phones, personal digital assistants (PDA), or any electronic devices containing or storing confidential, sensitive, or personal data.
- Computer Crime: use of a state information asset in commission of a crime as described in the Comprehensive Computer Data Access and Fraud Act (see Penal Code Section 502).
- Any other incidents that violate agency policy.
Clarification on Criteria For Reporting Incidents
- Unauthorized access includes access which exceeds the limits of an individual's authorized access to information or information systems (e.g., snooping)
- Other criminal activity, such as fraud and embezzlement
- Any other incidents that violate agency policy, such as unauthorized use of peer-to-peer technology, copyright infringement, and obscene/offensive material
Alignment with the NIST and ISO Standards Definitions
- Adverse event: events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malicious code that destroys data.
- Computer security incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Management and Metrics
Why it is important to track and report incidents
Helps the reporting organization to:
- Measure organizational performance
- Pinpoint business problems, risks and liabilities
- Control losses and risk management costs
- Comply with legal and policy requirements
- Demonstrate due diligence
- Improve its monitoring and prioritization of threats and vulnerability management
The entity responsible for taking the report may be able to:
- Provide technical assistance in responding to the incident
- Put you in touch with others involved in or having had a similar experience
- Collect and distribute better information about lessons learned through its statistical reports
- Prepare and distribute better information about mitigation strategies through its guideline documents
- Provide a larger picture of the State's overall security posture
Why it is important to track and report incidents
Incidents impact the business bottom line. Tracking and reporting:
- Identifies business problems
- Provides metrics that substantiate the cost associated with correcting or not correcting a business problem
- Establishes accountability
- We learn much from them
And... Oh, By the Way
- Enhanced security may be the solution or part of the solution
- Being the solution or part of the solution is a good place for security to be!
What we have learned thus far
- There are benefits to knowing about them
- Response activities can be, and often are, costly
- The human factor is the weakest link
- The heads-will-roll approach does not prevent a recurrence of an incident or serve to promote a willingness by employees to report incidents
What we may still have to learn from incidents
- The true cause of an incident (in some cases it may be a long and arduous road)
- The true cost of a broken process, procedure, and/or system
  "Three feet of ice does not result from one day of freezing weather." - Chinese Proverb
- Its relation to other incidents across jurisdictions (city, county, state, country)
Other Sage Advice
- Emphasize flexibility and re-looking at problems vs. a quick fix or one-shot solutions.
- Adopt a systems approach to problem solving. Look at the whole system, not just your piece of the problem, in developing solutions.
- Utilize the planning process to forge better relationships with your partners, key stakeholders, and community networks.
Why employees must be trained to recognize and report
- Definition may be unclear
- Culture may be counter-intuitive
- Perceived lack of concern by management
- Perceived as negative impact to the bottom line
- Fear of reprisal
- Need to reaffirm the agency's reporting requirements and needs for employees
Why it is important to have an incident response plan
No wind is favorable if we do not know into which port we are tr