i-TX’s Data Security Breach Incident Response Plan
This plan outlines the steps to follow in the event secure data is compromised and identifies and describes the roles and responsibilities of the Incident Response Team. The Incident Response Team is responsible for putting the plan into action.
Incident Response Team
The Incident Response Team is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Chief Information Security Officer will coordinate these investigations. The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.
Incident Response Team Members
Each of the following members will have a primary role in incident response.
- Information Technology Director / Chief Information Security Officer
- Information Technology Assistant Director / Security Manager
- Vice President Finance and Administration
- Information Technology Service Request Desk
Each of the following members may provide supporting roles during incident response.
- Information Technology Unix Systems Administrator / Security Analyst
- Information Technology Windows Systems Administrator
- Information Technology Network Engineer
- Internal Audit
Incident Response Team Roles and Responsibilities
Information Technology Service Request Desk
- Central point of contact for all computer incidents
- Notifies Chief Information Security Officer to activate computer incident response team
Information Technology Director / Information Technology Assistant Director
- Determines the nature and scope of the incident
- Contacts qualified information security specialists for advice as needed
- Contacts members of the Incident Response Team
- Determines which Incident Response Team members play an active role in the investigation
- Provides proper training on incident handling
- Escalates to executive management as appropriate
- Contacts auxiliary departments as appropriate
- Monitors progress of the investigation
- Ensures evidence gathering, chain of custody, and preservation is appropriate
- Prepares a written summary of the incident and corrective action taken
- Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
- Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers
- Looks for signs of a firewall breach
- Contacts external Internet service provider for assistance in handling the
- Takes action necessary to block traffic from suspected intruder
- Monitors business applications and services for signs of attack
- Reviews audit logs of mission-critical servers for signs of suspicious activity
- Contacts the Information Technology Operations Center with any information relating to a suspected breach
- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
Windows / Unix Operating Systems Administrators
- Ensures all service packs and patches are current on mission-critical
- Ensures backups are in place for all critical systems
- Examines system logs of critical systems for unusual activity
- Periodically reviews policies and procedures for compliance with information security standards.
Incident Response Team Notification
First of all, in case of a security breach, please reach out to firstname.lastname@example.org.
The Information Technology Service Request Desk will be the central point of contact for reporting computer incidents or intrusions. The Service Request Desk will notify the Chief Information Security Officer (CISO). All computer security incidents must be reported to the CISO. The CISO will perform a preliminary analysis of the incident to determine whether Incident Response Team activation is appropriate.
Types of Incidents
There are many types of computer incidents that may require Incident Response Team activation. Some examples include:
- Breach of Personal Information
- Denial of Service / Distributed Denial of Service
- Excessive Port Scans
- Firewall Breach
- Virus Outbreak
Breach of Personal Information - Overview
This Incident Response Plan outlines steps our organization will take upon discovery of unauthorized access to personal information on an individual that could result in harm or inconvenience to the individual such as fraud or identity theft. The individual could be either a customer or employee of our organization.
In addition to the internal notification and reporting procedures outlined below, credit card companies require us to immediately report a security breach, and the suspected or confirmed loss or theft of any material or records that contain cardholder data. Specific steps are outlined in Appendix A2. Selected laws and regulations require the organization to follow specified procedures in the event of a breach of personal information as covered in Appendix B1 and Appendix B2.
Personal information is information that is, or can be, about or related to an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Most information the organization collects about an individual is likely to be considered personal information if it can be attributed to an individual.
For our purposes, personal information is defined as an individual’s first name or first initial and last name, in combination with any of the following data:
- Social Security number/Social Insurance Number
- Driver’s license number or Identification Card number
- Financial account number, credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual’s financial account.
- Home address or e-mail address
- Medical or health information
Definitions of a Security Breach
A security breach is defined as unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by us. Good faith acquisition of personal information by an employee or agent of our company for business purposes is not a breach, provided that the personal information is not used or subject to further unauthorized disclosure.
Data owners must identify and document all systems and processes that store or utilize personal information on individuals. Documentation must contain system name, device name, file name, location, database administrator and system administrator (primary and secondary contacts for each). The business area and the IT development group must maintain the contact list of database and system administrators.
Likewise, all authorized users who access or utilize personal information on individuals should be identified and documented. Documentation must contain user name, department, device name (i.e., workstation or server), file name, location, and system administrator (primary and secondary contacts).
Data Owner Responsibilities
Data owners responsible for personal information play an active role in the discovery and reporting of any breach or suspected breach of information on an individual. In addition, they will serve as a liaison between the company and any third party involved with a privacy breach affecting the organization’s data.
All data owners must report any suspected or confirmed breach of personal information on individuals to the CISO immediately upon discovery. This includes notification received from any third party service providers or other business partners with whom the organization shares personal information on individuals. The CISO will notify the appropriate administrator and data owners whenever a breach or suspected breach of personal information on individuals affects their business area.
Note: For ease of reporting, and to ensure a timely response 24 hours a day, seven days a week, the Service Request Desk will act as a central point of contact for reaching the CISO.
The CISO will determine whether the breach or suspected breach is serious enough to warrant full incident response plan activation (See “Incident Response” section.) The data owner will assist in acquiring information, preserving evidence, and providing additional resources as deemed necessary by the CISO, Legal or other Incident Response Team members throughout the investigation.
Departmental Manager Responsibilities
Departmental managers are responsible for ensuring all employees in their unit are aware of policies and procedures for protecting personal information.
If a breach or suspected breach of personal information occurs in their department, the department manager must notify the Service Request Desk immediately and open an incident report. (See “Incident Response” Section, Information Technology Service Request Desk.)
Note: Education and awareness communication will be directed to all employees informing them of the proper procedures for reporting a suspected breach of personal information on an individual.
When Notification Is Required
The following incidents may require notification to individuals under contractual commitments or applicable laws and regulations:
- A user (employee, contractor, or third-party provider) has obtained unauthorized access to personal information maintained in either paper or electronic form.
- An intruder has broken into database(s) that contain personal information on an individual.
- Computer equipment such as a workstation, laptop, CD-ROM, or other electronic media containing personal information on an individual has been lost or stolen.
- A department or unit has not properly disposed of records containing personal information on an individual.
- A third party service provider has experienced any of the incidents above, affecting the organization’s data containing personal information.
The following incidents may not require individual notification under contractual commitments or applicable laws and regulations providing the organization can reasonably conclude after investigation that misuse of the information is unlikely to occur, and appropriate steps are taken to safeguard the interests of affected individuals:
- The organization is able to retrieve personal information on an individual that was stolen, and based on our investigation, reasonably concludes that retrieval took place before the information was copied, misused, or transferred to another person who could misuse it.
- The organization determines that personal information on an individual was improperly disposed of, but can establish that the information was not retrieved or used before it was properly destroyed.
- An intruder accessed files that contain only individuals’ names and addresses.
- A laptop computer is lost or stolen, but the data is encrypted and may only be accessed with a secure token or similar access device.
Incident Response – Breach of Personal Information
Incident Response Team members must keep accurate notes of all actions taken, by whom, and the exact time and date. Each person involved in the investigation must record his or her own actions.
Information Technology Service Request Desk
Contacts: Office Phone +1 956-897-8913, E-Mail email@example.com
Primary: Guard on Duty
Alternate: Marian Chavez (supervisor)
1. The IT Service Request Desk will serve as a central point of contact for reporting any suspected or confirmed breach of personal information on an individual.
2. After documenting the facts presented by the caller and verifying that a privacy breach or suspected privacy breach occurred, the IT Service Request Desk will open a Priority Incident Request. This will begin an automated paging process to immediately notify the Chief Information Security Officer.
3. The IT Service Request Desk will page the primary and secondary contacts in the Information Security Office. The IT Service Request Desk advises that a breach or suspected breach of personal information on an individual has occurred. After the Information Security Office analyzes the facts and confirms that the incident warrants incident response team activation, the Incident Request will be updated to indicate “Incident Response Team Activation – Critical Security Problem”.
Chief Information Security Officer
Primary: Chief Security Officer
Alternate: Information Security Manager
1. When notified by the Service Request Desk, the CISO performs a preliminary analysis of the facts and assesses the situation to determine the nature and scope of the incident.
2. Informs the Vice President of Finance and the Security Manager that a possible privacy breach has been reported and provides them an overview of the situation.
3. Contacts the individual who reported the problem.
4. Identifies the systems and type(s) of information affected and determines whether the incident could be a breach, or suspected breach, of personal information about an individual. Every breach may not require participation of all Incident Response Team members (e.g., if the breach was a result of hard copy disposal or theft, the investigation may not require the involvement of system administrators, the firewall administrator, and other technical support staff).
5. Reviews the preliminary details with the Security Manager.
6. If a privacy breach affecting personal information is confirmed, Incident Response Team activation is warranted. Contact the Service Request Desk and advise them to update the Incident Request with “Incident Response Team Activation – Critical Security Problem”.
7. Notify the Public Relations Department of the details of the investigation and breach. Keep them updated on key findings as the investigation proceeds.
8. The Information Security Team is responsible for documenting all details of an incident and facilitating communication to executive management and other auxiliary members as needed.
9. Contact all appropriate database and system administrators to assist in the investigation effort. Direct and coordinate all activities involved with Incident Response Team members in determining the details of the breach.
10. Contact appropriate Incident Response Team members and First-Level Escalation members.
11. Identify and contact the appropriate Data Owner affected by the breach. In coordination with the Vice President of Finance and Administration, the Security Manager and Data Owner, determine additional notification requirements (e.g., Human Resources, external parties).
12. If the breach occurred at a third party location, determine if a legal contract exists. Work with the Business Office, the Security Manager and Data Owner to review contract terms and determine next course of action.
13. Work with the appropriate parties to determine the extent of the potential breach. Identify data stored and compromised on all test, development and production systems and the number of individuals at risk.
14. Determine the type of personal information that is at risk, including but not limited to: Name, Address, Social Security Number/Social Insurance Number, Account number, Cardholder name, Cardholder address, Medical and Health Information
15. If personal information is involved, have the Data Owner determine who might be affected. Coordinate next steps with the Vice President of Finance and Administration, Security Officer and Public Relations (e.g., individual notification procedures).
16. Determine if an intruder has exported, or deleted any personal information data.
17. Determine where and how the breach occurred. Identify the source of compromise, and the timeframe involved. Review the network to identify all compromised or affected systems. Consider e-commerce third party connections, the internal corporate network, test and production environments, virtual private networks, and modem connections. Look at appropriate system and audit logs for each type of system affected. Look at directory and file permissions. Document all internet protocol (IP) addresses, operating systems, domain name system names and other pertinent system information.
18. Take measures to contain and control the incident to prevent further unauthorized access to or use of personal information on individuals, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls. Change all applicable passwords for IDs that have access to personal information, including system processes and authorized users. If it is determined that an authorized user’s account was compromised and used by the intruder, disable the account. Do not access or alter the compromised system. Do not turn off the compromised machine. Isolate the system from the network (i.e., unplug cable). Change the wireless network Service Set Identifier (SSID) on the access point (AP) and other authorized devices that may be using the corporate wireless network.
19. Monitor systems and the network for signs of continued intruder access.
20. Preserve all system and audit logs and evidence for law enforcement and potential criminal investigations. Ensure that the format and platform used is suitable for review and analysis by a court of law if needed. Document all actions taken, by whom, and the exact time and date. Each employee involved in the investigation must record his or her own actions. Record all forensic tools used in the investigation. Note: Visa has specific procedures that must be followed for evidence preservation.
21. Notify the Vice President of Finance and Administration as appropriate. Provide a summary of confirmed findings, and of the steps taken to mitigate the situation.
22. If credit cardholder data is involved, follow additional steps outlined under Appendix A. Bankcard companies, specifically Visa and MasterCard, have detailed requirements for reporting security incidents and the suspected or confirmed compromise of cardholder data. Reporting is typically required within 24 hours of compromise.
23. If an internal user (authorized or unauthorized employee, contractor, consultant, etc.) was responsible for the breach, contact the appropriate Human Resource Manager for disciplinary action and possible termination. In the case of contractors, temporaries, or other third-party personnel, ensure discontinuance of the user's service agreement with the company.
Customer Database Owners
1. If the Data Owner hears of or identifies a privacy breach, contact the Service Request Desk to ensure that the CISO and other primary contacts are notified.
2. The Data Owner will assist the CISO as needed in the investigation.
Process Steps
1. Monitor access to customer database files to identify and alert any attempts to gain unauthorized access. Review appropriate system and audit logs to see if there were access failures prior to or just following the suspected breach. Other log data should provide information on who touched what file and when. If applicable, review security logs on any non-host device involved (e.g., user workstation).
2. Identify individuals whose information may have been compromised. An assumption could be “all” if an entire table or file was compromised.
3. Secure all files and/or tables that have been the subject of unauthorized access or use to prevent further access.
4. Upon request from the CISO, provide a list of affected individuals, including all available contact information (i.e., address, telephone number, email address, etc.).
1. If notified of a privacy breach affecting employee personal information, open an incident request with the IT Service Request Desk to activate the Incident Response Plan for suspected privacy breach.
2. When notified by the Information Security Office that the privacy breach incident response plan has been activated for a breach of information on an individual, perform a preliminary analysis of the facts and assess the situation to determine the nature of the incident.
3. Work with the IT Service Request Desk, CISO and business area to identify the extent of the breach.
4. If appropriate, notify the business area that a breach has been reported and is under investigation.
5. Work with the business area to ensure there is no further exposure to privacy breaches.
6. Work with the CISO and Legal Department to determine if the incident warrants further action.
1. When notified by the CISO that the privacy breach Incident Response Plan is activated, provide assistance as determined by the details of the potential breach.
2. Review firewall logs for correlating evidence of unauthorized access.
3. Implement firewall rules as needed to close any exposures identified during the investigation.