Documente Academic
Documente Profesional
Documente Cultură
Information Security
Incident Management
Policy and Procedure
Revision History
30/08/2011 Bryan Alford 0.5 Final review & revisions for publication
Development of this policy was assisted through information provided by the following
organisations:
Devon County Council Sefton Metropolitan Borough Council
1. Policy Statement 5
2. Purpose 5
3. Scope 5
4. Definition 5
5. Risks 6
6. Procedure for Incident Handling 6
7. Policy Compliance 6
8. Policy Governance 6
9. Review and Revision 7
10. Key Messages 7
11. Related Policies, Procedures and Information. 7
12. Appendix A Process Flow; Reporting an Information Security Event or Weakness 9
13. Appendix B Examples of Information Security Incidents 10
14. Appendix C - Procedure for Incident Handling 11
14.1 Reporting Information Security Events or Weaknesses 11
14.1.1 Reporting Information Security Events for all Employees 11
14.1.2 Reporting Information Security Weaknesses for all Employees 12
14.1.3 Reporting Information Security Events for IT Support Staff 12
14.2 Management of Information Security Incidents and Improvements 13
14.2.1 Collection of Evidence 13
14.2.2 Responsibilities and Procedures 13
14.2.3 Learning from Information Security Incidents 14
15. Appendix D - Risk Impact Matrix 15
15.1 Risk Impact Matrix 15
Misuse
Theft / Loss
The reporting procedure must be prompt and have redundancy built in. All events
must be reported to the ICT Manager and the Managed ICT Services Service
Delivery Manager who are both required to take the appropriate actions. The
reporting procedure must set out the steps that are to be taken and the time frames
that must be met. They will be responsible for deciding on the level of reporting
required, e.g. who needs to be informed and when.
An escalation procedure must be incorporated into the response process so that
users and support staff are aware who else to report the event to if there is not an
appropriate response within a defined period.
Incidents must be reported to the relevant Service Managers, General Manager or
Senior Management Team should the incident become affect service availability or
customer service.
The process must also include a section referring to the collection of any evidence
that might be required for analysis as forensic evidence. The specialist procedure
for preserving evidence must be carefully followed.
The actions required to recover from the security incident must be under formal
control. Only identified and authorised staff should have access to the affected
systems during the incident and all of the remedial actions should be documented in
as much detail as possible.
Reputational Loss
Financial Loss /
Reputational within Government and / Failure to meet
Type of Commercial Disruption to Personal Privacy
Media and or Failure to Meet Contractual Loss Legal
Impact Confidentiality Activities Infringement
Member Damages Statutory / Regulatory Obligations
Loss
Obligations
None None None None None None None
Contained Internal investigation or Minor contractual Civil lawsuit / Less than 100,000 Minor disruption to Personal details
Low internally within the disciplinary involving one problems / minimal SLA small fine - less service activities that revealed or
council individual failures than 10K can be recovered compromised within
Unfavorable council department
member response
Unfavorable local Government authorised Significant client Less than 100K 100,000 - Disruption to service Personal details
media interest investigation by nationally dissatisfaction. Major Damages and 500,000 that can be recovered revealed or
Unfavorable council recognised body or SLA failures. Failure to fine with an intermediate compromised
member response disciplinary involving 2 to attract new business level of difficulty. internally within
Medium
9 people One back up not authority. Harm
backing up for 2 or mental or physical to
more days one members of staff
or public
Sustained local Government intervention Failure to retain Greater than 500,000 - Major disruption to Severe
media coverage, leading to significant contract(s) at the point 100K damages 1,000,000 service which is very embarrassment to
extending to business change. Internal of renewal and fine difficult to recover individual(s)
High national media disciplinary involving 10 or from. Two or more
coverage in the more people systems not being
short term backed up for two or
more days