Procedures for Handling a Minor Security Breach
Virus or Trojan

Computing Device

1 If the infection is isolated to one computing device, disconnect the device from the network and scan it with an anti-virus program whose definition files are up to date. If the virus is quarantined and removed cleanly, continue with step 2.
2 Record the incident in the security incident log, including how the infection occurred, the user, the device serial number and the action taken to restore the integrity of the device.
3 Ensure anti-virus definition files are up to date on every computing device connected to the network and run a scan on each to confirm that the incident is isolated.
4 Should the anti-virus program be unable to remove the virus, alert the IT Manager.
5 The computing device may need to be rebuilt from scratch from trusted master copies of the operating system and application software.
6 Before reconnecting the device to the network, change both the device and user passwords and check that all security controls are correctly configured.

Server

1 Should the virus or Trojan be non-destructive, disconnect the Server from the network after work hours and scan it with an anti-virus program whose definition files are up to date. If it is destructive or actively spreading, disconnect the Server immediately, as for Spyware or Malware below. Once the virus is quarantined and removed, advise the IT Manager and make an entry in the security incident log as detailed above.
2 Once fixed, the systems administrator must run a file comparison utility against a trusted baseline to identify all changes to the systems software, and then restore the systems operating software environment from trusted backup copies.
3 Before the Server is reconnected to the network, all passwords and access controls must be changed and the current system log must be copied to separate data storage media and secured.
4 A check must be made of every computing device connected to the network to ensure that anti-virus definition files are up to date. Each device must be scanned to confirm that the incident has been controlled.
5 Should the anti-virus program be unable to remove the virus, resulting in systems being unavailable for more than 2 hours during normal working hours, the IT Manager must advise the CEO and the event is upgraded to Major.
6 Record the incident in the security incident log.
Deliberate deletion or falsification of electronic files by a staff member
1 Recover the files from the most recent backup media. Before restoring, copy the relevant audit logs to separate storage media so that the evidence of the deletion is preserved.
2 Interrogate the audit logs to ascertain the user id responsible for the deletion activity.
3 Disable the user id.
4 Initiate a forced password change for all users.
5 Advise the IT Manager and provide the audit trail as supporting evidence.
6 As this constitutes a breach of corporate IT and Information policies, the IT Manager must bring the problem to the attention of both the Human Resources Manager and the user's immediate supervisor, and it is handled as a disciplinary matter.
7 A meeting between the user, the Human Resources Manager and the user's immediate supervisor is to be scheduled to discover what happened and why. Further investigations may ensue.
8 The Human Resources Manager advises the IT Manager whether the user id is to be fully reinstated, reinstated with changes to privileges or removed, depending on the outcome of their discussion. The security incident log is to be updated.
Compromised User Password

1 Change the user's password immediately.
2 Initiate a forced password change for all users.
3 Ascertain whether any information has been altered or lost and, if so, carry out the procedure for deliberate deletion or falsification of electronic files.
4 Double-check the configuration of both the default user and each individual user or service to ensure that the password and authentication policies are applied consistently. Follow up on all disabled accounts to determine whether they should be permanently removed.
5 After the forced password change, run a password audit tool across the system to test for weak and non-compliant passwords, and direct the users concerned to the Password and Authentication Policy, which describes password composition.
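The password audit in step 5, as an added example (not the Kaon procedure's own tool). It assumes, for illustration only, that the system stores a per-user salted SHA-256 digest of each password; the wordlist, the sample accounts and the composition rule (8 or more characters, three of four character classes) are all constructed for the example and are not quoted from the Password and Authentication Policy. Each candidate is hashed with the account's own salt and compared with the stored digest, which is how an audit works without ever knowing the plaintext up front.

```python
"""Password audit after the forced password change (added example; not
Kaon's tool).  Assumes, for this example only, that the system stores a
per-user salted SHA-256 hash of each password; real systems store other
formats (NTLM, bcrypt, ...) and only hash_password() would change.  The
policy (8+ characters, three of four character classes) is constructed
for the example, not quoted from the Password and Authentication Policy."""
import hashlib
import os
import string

# Constructed wordlist standing in for a real common-password list.
COMMON_PASSWORDS = ["password", "Password1", "letmein", "welcome", "123456", "qwerty"]

# Constructed credentials used only to build the demo store; not real accounts.
SAMPLE_CREDENTIALS = [
    ("alice", "Tr0ub4dor&3x"),   # strong, should pass
    ("bob", "Password1"),        # meets the composition rules but is on every wordlist
    ("carol", "carol"),          # password equals the user id
    ("dave", "letmein"),         # common and non-compliant
]


def hash_password(password, salt):
    """Salted SHA-256; the one function to swap for the real hash format."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_store(credentials):
    """Build {user: (salt, digest)} the way a system would at password-set time."""
    store = {}
    for user, password in credentials:
        salt = os.urandom(8)
        store[user] = (salt, hash_password(password, salt))
    return store


def complies(password):
    """Composition check: at least 8 characters and three of four classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3


def audit(store, wordlist=COMMON_PASSWORDS):
    """Return {user: reason} for every account whose password is guessable.
    Each candidate is hashed with the user's own salt and compared to the
    stored digest, so the plaintext is never needed up front."""
    findings = {}
    for user, (salt, digest) in store.items():
        for candidate in [user, user.capitalize(), *wordlist]:
            if hash_password(candidate, salt) != digest:
                continue
            if candidate.lower() == user.lower():
                reason = "password is the user id"
            else:
                reason = "password in common list"
            if not complies(candidate):
                reason += ", non-compliant with policy"
            findings[user] = reason
            break
    return findings


if __name__ == "__main__":
    for user, reason in audit(make_store(SAMPLE_CREDENTIALS)).items():
        print(f"{user}: {reason}")
```

The "bob" account is the point worth noting: "Password1" satisfies the composition rule and still falls to the first wordlist, so a policy check alone is not an audit. Against a real system the same check is run by exporting the hash store and feeding it to a password cracker that understands the system's hash format.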
Lost or Stolen Security Token

1 Deactivate the token's ability to generate a password.
2 Issue a new token to the user.
3 Record the loss of the token and the reissue in the security incident log.
Internal information disclosure or breach of confidentiality
1 Advise the IT Manager that an internal information breach has occurred.
2 The IT Manager requests a report of the names of all users who have access to the information disclosed.
3 Interrogate the system audit logs to try to ascertain the user id responsible for the disclosure. Some evidence may show up as frequent access of specific files, particularly if the user has obtained the information by remote access.
4 If no obvious evidence is available, escalate the issue to the Human Resources Manager and the Manager directly responsible for the information. An investigation may need to be undertaken to ascertain how the breach occurred. The IT Manager may be involved if the investigation covers the email system, system activity logs, printer logs, interrogation of the file history on PCs and the tightening up of authentication and access controls. As information disclosure or breach of confidentiality can affect the profitability and reputation of the company, it should be handled as a disciplinary matter.
5 If evidence suggests that one person or a small group of people is involved, the IT Manager may be asked to disable the user account(s) pending the investigation.
6 A meeting between the user(s), the Human Resources Manager and the user's immediate supervisor(s) must be scheduled to discover what happened and why. Further investigations may ensue and the CEO notified.
7 The Human Resources Manager will advise the IT Manager whether the user id(s) are to be fully reinstated, reinstated with changes to privileges or removed, depending on the outcome of their investigations. The security incident log is to be updated.
8 A tightening up of procedure, or changes to policies or procedures, may be required to ensure that another breach does not occur in the same manner.
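Interrogating the audit logs, as called for in step 2 of the deletion procedure and step 3 of the disclosure procedure above. This is an added example and not part of the Kaon procedure; the key=value log format, the file paths, the user ids and the addresses are all constructed for the example. A real audit source (Windows Security log, syslog, a file server's access log) needs its own parse_line(), but the two questions asked of it are the same: which user ids deleted which files, and who accessed the disclosed file unusually often or from outside.

```python
"""Interrogating audit logs for the two procedures above (deliberate
deletion of files; internal information disclosure).  Added example, not
part of the Kaon procedure.  The log format is a constructed key=value
line; a real system's audit log (Windows Security log, syslog, a file
server's access log) will need its own parser in place of parse_line()."""
from collections import Counter, defaultdict

# Constructed sample audit trail; not real data.
SAMPLE_LOG = """\
2004-03-11T08:02:10 user=jsmith action=READ path=/finance/forecast.xls src=10.0.1.22 remote=no
2004-03-11T08:05:41 user=jsmith action=READ path=/finance/forecast.xls src=10.0.1.22 remote=no
2004-03-11T09:14:02 user=pbrown action=DELETE path=/finance/q1_results.xls src=10.0.1.40 remote=no
2004-03-11T09:14:05 user=pbrown action=DELETE path=/finance/q1_notes.doc src=10.0.1.40 remote=no
2004-03-11T19:22:31 user=tlee action=READ path=/finance/forecast.xls src=203.0.113.9 remote=yes
2004-03-11T19:23:02 user=tlee action=READ path=/finance/forecast.xls src=203.0.113.9 remote=yes
2004-03-11T19:23:40 user=tlee action=READ path=/finance/forecast.xls src=203.0.113.9 remote=yes
2004-03-11T19:25:12 user=tlee action=COPY path=/finance/forecast.xls src=203.0.113.9 remote=yes
2004-03-12T10:01:00 user=mgreen action=READ path=/finance/forecast.xls src=10.0.1.51 remote=no
"""


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict; returns None for junk lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    """Parse every line, silently dropping lines the parser cannot read."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def deletions_by_user(events):
    """Step 2 of the deletion procedure: which user ids deleted which files."""
    result = defaultdict(list)
    for e in events:
        if e.get("action") == "DELETE":
            result[e["user"]].append(e["path"])
    return dict(result)


def access_profile(events, path):
    """Step 3 of the disclosure procedure: per-user access counts for the
    disclosed file, how many of those accesses were remote, and whether the
    file was copied.  Sorted with the most active user first."""
    counts = Counter()
    remote = Counter()
    copied = set()
    for e in events:
        if e.get("path") != path:
            continue
        user = e["user"]
        counts[user] += 1
        if e.get("remote") == "yes":
            remote[user] += 1
        if e.get("action") == "COPY":
            copied.add(user)
    return [
        {"user": u, "accesses": n, "remote": remote[u], "copied": u in copied}
        for u, n in counts.most_common()
    ]


def suspects(events, path, min_accesses=3):
    """Users whose pattern matches the procedure's hint: frequent access to
    the specific file, combined with remote access or copying."""
    return [
        p["user"]
        for p in access_profile(events, path)
        if p["accesses"] >= min_accesses and (p["remote"] or p["copied"])
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("deletions:", deletions_by_user(evs))
    print("access profile:", access_profile(evs, "/finance/forecast.xls"))
    print("suspects:", suspects(evs, "/finance/forecast.xls"))
```

The output of access_profile() is what goes to the Human Resources Manager as supporting evidence; suspects() only narrows the list, it does not prove anything, which is why the procedure still escalates when the evidence is not obvious.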
Identification of Spyware or Malware

Computing Device

1 If the infection is isolated to one computing device, disconnect the device from the network and scan it with a dedicated anti-spyware program (such as Lavasoft's Ad-Aware) which identifies and removes spyware. Should detection and removal be successful, no further action is required other than to update the security incident log.
2 Anti-spyware scans must be run on all other devices to confirm that the incident is isolated.
3 Should the spyware/malware be impossible to remove because it has integrated itself with other applications, alert the IT Manager.
4 The computing device will probably need to be rebuilt from scratch from trusted master copies of the operating system and application software.
5 Before reconnecting the device to the network, change both the device and user passwords and check that all security controls are correctly configured.

Server

1 If possible, disconnect the Server from the network immediately. If this would affect business continuity, disable any service that uses email or the internet until the Server can be taken offline after work hours. Scan it with the anti-spyware program.
2 Once the spyware/malware is removed, the systems administrator must run a file comparison utility against a trusted baseline to identify all changes to the systems software, and then restore the systems operating software environment from trusted backup copies.
3 Before the Server is reconnected to the network, all passwords and access controls must be changed and the current system log must be copied to separate data storage media and secured.
4 Anti-spyware scans must be run on all other devices to confirm that the incident has been controlled.
5 Should the spyware/malware be impossible to remove, and it is ascertained that there is potential for a major security breach and that, as a result, critical systems will be unavailable to users for more than 2 hours during normal working hours, the IT Manager must advise the CEO and the event is upgraded to Major.
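The file comparison step in both Server procedures (Virus or Trojan, and Spyware or Malware) assumes a baseline of the systems software taken while the server was known clean. The following is an added example of that check and not Kaon's own utility: it records a SHA-256 manifest of a directory tree in the same two-column layout as sha256sum output, then reports files added, removed or modified since. The directory contents, file names and the "infection" in demo() are constructed for the example.

```python
"""File-comparison check against a trusted baseline (added example, not
Kaon's own tool).  Builds a manifest of SHA-256 digests for a directory
tree and reports files that were added, removed or modified since the
baseline was taken.  The directory layout and the manifest format are
assumptions made for this example."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped: a replaced binary matters, a link does not."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest, out_path):
    """Write 'digest  path' lines, like sha256sum output, sorted for diffing."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def load_manifest(path):
    """Read a manifest written by save_manifest() back into a dict."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def compare(baseline, current):
    """Return (added, removed, modified) lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then simulate an infection that
    replaces one system file, drops a new one and deletes another."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system"
        (sysdir / "bin").mkdir(parents=True)
        (sysdir / "bin" / "login").write_bytes(b"trusted login binary")
        (sysdir / "bin" / "ls").write_bytes(b"trusted ls binary")
        (sysdir / "etc_hosts").write_bytes(b"127.0.0.1 localhost\n")

        manifest_path = Path(tmp) / "baseline.sha256"
        save_manifest(build_manifest(sysdir), manifest_path)   # taken while clean

        # Simulated compromise (constructed, not a real sample).
        (sysdir / "bin" / "login").write_bytes(b"trojaned login binary")
        (sysdir / "bin" / "svchost_").write_bytes(b"dropped payload")
        (sysdir / "etc_hosts").unlink()

        result = compare(load_manifest(manifest_path), build_manifest(sysdir))
        for label, paths in zip(("added", "removed", "modified"), result):
            print(f"{label}: {paths}")
        return result


if __name__ == "__main__":
    demo()
```

The baseline manifest must be stored off the server (the procedure's "separate data storage media"), since an attacker who can replace a binary can also rewrite a manifest kept beside it; and because the check only finds differences, the "modified" list tells you what to restore from trusted backup, not whether the change was malicious.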
Unauthorised Access to a Restricted Area by a Staff Member
1 Advise the IT Manager, who will speak to the offender to let him/her know that the area is off limits.
2 Record the event in the security incident log.
3 Ascertain how the unauthorised access was accomplished and tighten up or change procedures if required.
4 Change access codes and reinitialise valid methods of authentication.
5 Should the staff member be discovered in the restricted area again, the IT Manager is to advise both the Human Resources Manager and the offender's immediate supervisor, and the disciplinary process will be initiated with an official first warning.
Unauthorised Removal of Equipment by a Staff Member
1 Record the event in the security incident log.
2 Advise the IT Manager, who will ascertain how the unauthorised removal of the equipment was accomplished and tighten up or change procedures if required.
3 The IT Manager asks that the equipment be returned and advises the staff member of the policy relating to the removal of equipment.
4 The staff member's immediate supervisor and the Human Resources Manager must be advised of the incident, as it could lead to a serious breach of confidentiality if files have been copied or removed during the period the equipment has been away from its usual location.
5 Normal disciplinary procedures will follow, and the IT Manager is to be informed of any further information or actions required. These may include disabling the user's id or removing certain access privileges during the period of the investigation. Should the equipment not be recovered, legal action may also be instigated.
Introduction of Code with the intent to cause Denial Of Service
1 Remove the code in the same way as a virus, Trojan, malware or spyware.
2 If the perpetrator is identified, immediately disable the user id and inform the IT Manager.
3 The IT Manager must apprise the Human Resources Manager of the current situation immediately and provide any evidence or findings in support of the claim of interference with the computer systems, which is a serious misconduct matter. The Human Resources Manager will deal with the immediate consequences and advise the CEO. There may be a directive that the staff member be placed on leave until a full investigation is completed.
4 Depending upon the scope of the mischief and the likelihood of the event being escalated to a criminal incident, the IT Manager must decide whether to call in a computer forensic expert to uncover evidence that may be required in criminal proceedings. Should this be the case, the event is escalated to a serious security incident.
5 If no obvious evidence is available as to who introduced the code, the issue must still be reported to the Human Resources Manager and the CEO. An investigation will need to be undertaken to ascertain how the code was introduced and to prevent another occurrence. The IT Manager will lead the discovery process and, depending upon the severity of the intent, call in outside experts for assistance.
6 The Human Resources Manager will advise the IT Manager when the user id(s) are to be fully reinstated, reinstated with changes to privileges or removed, depending on the outcome of the investigations.
7 The security incident log is to be kept updated to record all events, findings and evidence as the investigation progresses.
© 2004 Kaon Technologies Ltd