Security Incident Reporting Procedures

1. PURPOSE

a. This section establishes mandatory procedures for Information Resources (IR) security incident reporting within the Office of the State Attorney (SAO). It provides office-wide guidance to staff on the proper response to, and the efficient and timely reporting of, computer-security-related incidents such as computer viruses, unauthorized user activity, and suspected compromise of SAO data. These procedures are intended to meet the mandates of the State of Florida and to assist in protecting SAO IR resources from unauthorized access, disclosure, modification, destruction, or misuse.

b. An IR security incident reporting system is necessary to identify a violation or incident, assess the damage resulting from it, record it, report it, and use the resulting information to prevent recurrence. The reporting process outlined in these procedures is intended to discover and respond to IR security incidents as they occur, to help prevent future incidents through awareness, and, combined with existing IR security procedures, to augment SAO IR security controls.

c. These procedures apply throughout the SAO to the security of IR resources, including IR systems, the data stored and processed on those systems, data communication transmission media, and the personnel who use IR.

2. RESPONSIBILITIES

a. The State Attorney is responsible for administering SAO security and ensuring a SAO IR security program is implemented.

b. The CIO, as delegated by the State Attorney, is responsible for ensuring that IR security incident reporting is included in the SAO IR security program.

c. The Deputy CIO is responsible for:

  1. Overseeing and ensuring that the SAO IR Security Program requirements and practices are implemented for all SAO automated information resources through the Network Administrator and Division Supervisors.
  2. Developing, issuing, and ensuring implementation of the SAO IR Security Incident Reporting policy.
  3. Reporting to and advising the State Attorney and CIO on major IR security incidents.
  4. Serving as primary point of contact for IR security matters and, specifically, for major IR security incidents.
  5. Monitoring, reviewing, and evaluating compliance with IR Security Incident Reporting procedures and tracking major IR incidents annually.
  6. Identifying the causes of IR security violations/incidents and recommending corrective measures and solutions to resolve them.
  7. When necessary, coordinating the exchange of information about SAO IR security violations and incidents with Computer Emergency Response Team (CERT) organizations.

d. Remote Office Chief is responsible for:

  1. Implementing the IR security requirements of their respective facility.
  2. Ensuring that the Deputy CIO investigates, reviews and records IR security incidents at the facility and reports the incidents appropriately.
  3. Ensuring that the assigned Incident Response team is notified when a reportable incident occurs.

e. The Information Officer (IO) is responsible for:

  1. Implementing the IR security incidents reporting system.
  2. Logging, investigating, and reviewing IR security incidents at the facility and reporting the incidents appropriately.
  3. Establishing contact with the assigned Incident Response team when a reportable incident occurs.

f. Managers and Supervisors are responsible for:

  1. Implementing the IR Security Incident Reporting procedures of their respective Administration or staff office within their assigned areas of management control.
  2. Ensuring that IR security violations/incidents occurring within their assigned area of management control are reported to the appropriate facility IO.
  3. Ensuring, on a regular basis, that all assigned employees, contractors, and other individuals who develop, operate, administer, maintain, or use SAO IR understand that they are responsible for reporting actual or suspected IR security incidents to their immediate supervisor or facility IO.

g. All SAO employees, contractors, and other individuals with access to sensitive areas or automated information systems are responsible for reporting IR security violations or incidents to their supervisor or IO.

  1. Investigative Division - security incidents.

SAO - IR SECURITY INCIDENT REPORTING SYSTEM

Security Incident Standards

(1) Computer security incidents can range from a single virus occurrence to an attacker compromising many networked systems, and include unauthorized access to sensitive data and loss of mission-critical data. An incident is a computer security problem arising from a threat.
(2) IR security incidents to be reported and tracked are categorized as follows (the listed acts are not all-inclusive):
(a) Circumvention of IR security controls, safeguards, and/or procedures;
(b) Unauthorized access, use, disclosure, alteration, manipulation, destruction, or other misuse of data and IR;
(c) Theft, fraud, or other criminal activity committed with the aid of IR resources;
(d) Theft, loss, or vandalism of IR hardware, software, or firmware;
(e) Issues affecting the confidentiality, integrity, or availability of data and IR; and
(f) Unauthorized downloading or copying of SAO sensitive information.
(3) Examples of specific reportable incidents that fall under the six categories above include (but are not limited to):
(a) Unauthorized access to or use of sensitive data for illegal purposes;
(b) Unauthorized alteration of data, programs, or IR hardware;
(c) Loss of mission-critical data, e.g., patient, financial, benefits, or legal data;
(d) Environmental damage or disaster causing loss of IR services or data where the damage exceeds $10,000, or where the damage is less than $10,000 but still affects the Administration's or staff office's ability to continue day-to-day functions and operations;
(e) Infection of sensitive systems or software by malicious code, e.g., a virus or Trojan Horse;
(f) Theft, fraud, and other criminal activity perpetrated by means of IR;
(g) Telecommunications/network security violations, e.g., networks (including local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs)) that experience service interruptions affecting an indefinite number of end users;
(h) Theft or vandalism of IR hardware, software, or firmware whose loss did or may affect the organization's ability to continue day-to-day functions and operations;
(i) Unauthorized access to data in transit over communications media;
(j) Loss of system availability that impairs users' ability to carry out their day-to-day responsibilities; and
(k) Unauthorized access to and/or unauthorized use of the Internet.
(4) Remote offices and facilities are to report to the CIO any IR security incident that the organization interprets as damaging to the organization's mission.

Reporting Procedures

(1) IR security incidents will be reported by the person observing or discovering the occurrence to the facility IO. The facility IO is responsible for recording the incident and reporting it to the CIO for tracking and reconciliation. Suspected IR security incidents will be reported to the CIO within one hour of the occurrence. This one-hour deadline applies in particular to incidents that affect an Administration's or staff office's ability to accomplish critical functions, restrict the availability of a system or communications medium (e.g., LAN, MAN, WAN, or other network), or result in a monetary impact to the Administration or staff office.
(2) IR security incidents shall be recorded on a security incident form or log as defined by the facility. Essential information about the security incident should be identified in as much detail as possible, at the time of occurrence. Some information may need to be added at a later time based on the investigation/closure of the incident. The following minimum information about a security violation or incident shall be entered on the IR security violation/incident form:
(a) Location of incident and organization filing report;
(b) Reported by (Name, Title and Organization);
(c) Date and time of report filing;
(d) Date and time of incident;
(e) Details of incident (include names of personnel involved and description of the who, what, when, where, how, and why);
(f) The name and title of the person to whom the incident was initially reported;
(g) Identification of whether the Inspector General or appropriate law enforcement organization has been notified;
(h) Incident impact on day-to-day operations;
(i) Action taken to contain the incident and resources required to correct the incident (in cases of system outage note what vendors have been contacted);
(j) Short-range corrective action, such as discontinuing the use of an infected computer diskette or immediately removing a terminated employee's access privileges;
(k) Long-range corrective actions, as necessary;
(l) Estimated monetary damage; and
(m) Additional information, as appropriate.
(3) The information collected on the IR security incident form shall be reported to the CIO in a confidential manner, which may include the following methods. Initial reports of serious incidents or violations may be made by telephone. Written reports may be sent by mail using the double-envelope method, by courier, or by secure facsimile. The Administration or staff office IO will establish follow-up contact with the reporting facility or office, and tracking of each incident will continue until final closure. Each facility, local, or office-level IO or manager/supervisor is responsible for determining whether an IR security incident at their level is reportable, based on the definitions in this procedure, and for ensuring that reports are filed with their respective Administration or staff office IO.
(4) Significant IR security incidents shall be reported first to the CIO, who will inform the State Attorney and Chief Investigator and will identify and assist in resolving the reported incidents.

Protection of Report Information: IR security incident report information will be treated as sensitive information and safeguarded, at a minimum, as the equivalent of Privacy Act information. Access to IR security incident information shall be restricted, and the information shall be stored in locked areas.

Tracking of IR Security Incidents

(1) The IO of each division or office is responsible for tracking IR security violations and incidents for their organization. Tracking includes monitoring each incident through final closure and maintaining a copy of the incident report for a period of three (3) years. Reports of security violations and incidents shall be prepared and maintained by the Administration or staff office IO. Security violations and incidents that threaten critical organization functions shall be reported to the CIO within 48 hours.

Handling of Reported IR Security Violations and Incidents

(1) SAO IR shall establish a log of reported security incidents. Automated files of reported incidents shall be protected against unauthorized access and shall not be accessible through a network.

(2) The security incident records created and maintained by SAO IR shall include, at a minimum: the name of the person or office making the report; the number of violations and incidents by type or nature; the total number of violations and incidents; the number of unresolved violations and incidents; and the estimated monetary loss attributable to all reported incidents.

Reporting of Security Incidents and Violations to the Media. All SAO components shall refer questions from the media (e.g., newspapers, television, and radio) concerning IR security violations or incidents to the SAO Public Affairs Office (PAO). The PAO will respond to media requests for records concerning security under the Freedom of Information Act (FOIA) in accordance with the Public Records procedures for responding to FOIA requests, rather than with the procedures specified here.

REFERENCES:

a. National Institute of Standards and Technology (NIST), NIST Special Publication 800-3, Establishing a Computer Security Incident Response Capability (CSIRC), November 1991.

b. SAO Office Policy and Procedures Manual