5.3 Incident Management
USG institution, USO, GPLS, and Georgia Archives management must investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents consistent with the security reporting requirements as noted in Section 5.10 of this Handbook.
Proper incident management includes the formulation and adoption of a written incident management plan, which provides for the timely assembly of appropriate staff that is capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents.
In addition, incident management includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. All institution, USO, GPLS, and Georgia Archives incident management policies and plans must be on file at USG Information Security & ePrivacy. The USO and the USG CISO will file an electronic copy of the USG-USO Incident Response Plan with the State CISO and the Georgia Bureau of Investigation (GBI), per the State Incident Response Reporting Standard.
The process by which computer abuse cases are handled and escalated is shown in the Abuse Notification document posted on the Information Security website at: http://www.usg.edu/infosec/incident_management.
5.3.1 Information Security Incident Reporting Requirements
All USG institutions, the USO, the GPLS, and the Georgia Archives must establish a Computer Security Incident Response (CSIR) plan to respond to and manage adverse activities or actions that threaten the successful conduct of teaching, instruction, research and operations in the USG. This plan should follow existing USG policies and standards, industry best practices, and International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) guidelines. This plan must be on file with USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.
5.3.2 Criteria for Reporting Incidents
USG institution, USO, GPLS, and Georgia Archives management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents consistent with the security reporting requirements of this policy. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.
5.3.3 Incident Follow-up Report
In addition, an incident follow-up report must be submitted that includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.
5.3.4 Incidents Involving Personal Information
Every USG institution, the USO, the GPLS, and the Georgia Archives that collects, uses, or maintains records containing personal information shall establish and maintain in its incident management plan, procedures for ensuring that any breach of security involving personal information, regardless of its medium (e.g., paper, electronic, verbal) immediately trigger the incident response procedures. Procedures must be documented and address, at a minimum, the following:
- Incident Response Team. Procedures shall identify the positions responsible for responding to a breach of personal information. A response team must include, at a minimum, an escalation manager, the program manager of the program or office experiencing the breach, the ISO, the Senior Official for Privacy, the Public Information or Communications Officer, Legal Counsel, and a representative from the institution, USO, GPLS, or Georgia Archives IS organization. Some incidents will require the involvement of others not mentioned above. For example, if the source of the compromised information was a computer system or database, the USG CIO should also be involved in the response activity. If the incident involves unauthorized access, misuse, or other inappropriate behavior by an employee, or the security breach involves employee’s personal information, the institution, the USO, the GPLS, or the Georgia Archives Personnel Officer or Human Resource Manager should be involved.
- Protocol for Internal Reporting. Procedures shall outline the method, manner, and progression of internal reporting to ensure that executive management is informed about breaches involving personal information; the institution, USO, GPLS, or Georgia Archives Incident Response Team is assembled; and, the incident is addressed immediately.
- Decision Making Criteria and Protocol for Notifying Individuals. Procedures shall include documentation of the methods and manner for determining when and how a notification is to be made. The procedures shall be consistent with and comply with USG policies and applicable state and federal laws. At a minimum, these procedures will address the following elements:
- Whether the notification is required by law;
- Whether the notification is required by USG or state or federal policy;
- Timeliness of notification;
- Source of notice;
- Content of notice;
- Approval of notice prior to release;
- Method(s) of notification;
- Preparation for follow-on inquiries; *Other actions that can be taken to mitigate harm to individuals; and,
- Other situations when notification should be considered.
- Notice to Affected Individuals. Notice to individuals when a breach of notice-triggering data elements occurs, regardless of the media involved (electronic or paper), and in accordance with criteria set forth above.
- Breach Notification Trigger. The USG requires a notification be made to individuals when the breach involves unencrypted “Notice Triggering” personal information as defined in the section. Technically, the law is applicable to a breach involving computerized data. However, the USG has taken the position that a notification should be made when a breach of this same “Notice Triggering” data involves paper or other types of media, as the breach would expose individuals to the same financial/identity theft risk and concerns. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining trust in USG. The objective is to make timely notification to individuals so that they may take appropriate steps to protect themselves.
For more information, refer to the USG Computer Security Incident Management Standard and the USG Incident Response and Reporting Standard below.
5.3.5 USG Computer Security Incident Management Standard
This section establishes a requirement that each USG institution, the USO, the GPLS, and the Georgia Archives establish a process for detecting and responding to security incidents.
The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Through implementing solid security policies, limiting access to networks and computers, improving user security awareness, and early detection and mitigation of security risks are some the preventative actions that can be taken to reduce the risk, frequency and the cost of security incidents, not all incidents can be prevented. Therefore, an incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.
This standard establishes the requirement for each USG institution, the USO, the GPLS, and the Georgia Archives to establish an internal capability for handling computer security incidents.
220.127.116.11 Scope, Authority, Enforcement, and Exceptions
Each USG institution, the USO, the GPLS, and the Georgia Archives shall establish and document an internal information security incident management capability that provides for prevention, monitoring, detection, containment, response, recovery, reporting and escalation appropriate to the level of risk and threats to the participant organization.
USG institution, USO, GPLS, and Georgia Archives management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents according to the security reporting requirements in this standard.
18.104.22.168 Related Enterprise Policies, Standards, and Guidelines
- Please see NIST Document 800-61, Computer Security Incident Handling Guide: http://csrc.nist.gov/publications/nistpubs.
5.3.6 USG Incident Response and Reporting Standard
This section sets minimum requirements for information security incident response and reporting.
In support of the USG Computer Security Incident Management Standard, each institution, the USO, the GPLS, and the Georgia Archives must implement an information security incident handling capability. This standard establishes the minimum incident response and reporting requirements.
22.214.171.124 Scope, Authority, Enforcement, and Exceptions
- Each USG institution, the USO, the GPLS, and the Georgia Archives must implement an incident management capability including documented processes and procedures for monitoring, detection, data collection, analysis, containment, recovery, response, reporting and escalation.
- All incident response reporting and escalation procedures must be formally documented and approved by the USG CISO with review by the GBI as required by state law.
- Upon discovery of any incident that meets the defined criteria below:
- The incident must be reported following the USG Information Security Incident Notification and Reporting Instructions found at the USG Information Security & ePrivacy web site: http://www.usg.edu/infosec.
- The report must be submitted to USG Information Security & ePrivacy within five (5) days of the participant organization becoming aware of an incident involving the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.
- Each participant organization must train its employees on how to recognize and report incidents in accordance with the reporting and escalation procedures.
- Participant organizations must have a designated and recorded incident management point of contact.
- USG institutions, the USO, the GPLS, and the Georgia Archives must report all security incidents or events of interest affecting systems or data categorized as moderate or high for any of the security objectives of confidentiality, integrity, or availability to USG Information Security & ePrivacy through the ITS Helpdesk (email@example.com) at 706-583-2001, or 1-888-875-3697 (Toll free within Georgia).
126.96.36.199 Incident Categories and Reporting Timeframes
The following table identifies all incident categories and their descriptions.
|CAT 0||Exercise/Network Defense Testing||Used during state, federal, and USG exercises, and approved activity testing of internal/external network defenses or responses.|
|CAT 1||Unauthorized Access*||A person gains logical or physical access without permission to a network, system, application, data, or other USG resource.|
|CAT 2||Denial of Service*||An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting USG resources.|
|CAT 3||Malicious Code*||A virus, worm, Trojan horse, or other code-based malicious entity that infects a host.|
|CAT 4||Inappropriate Usage*||A person violates appropriate computing/network use policies.|
|CAT 5||Probes and Reconnaissance Scams||This category includes any activity that seeks to access or identify a critical/high category system, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.|
|CAT 6||Investigation||Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.|
|PII||Personally Identifiable Information (PII) Exposure||Any information about an individual including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.|
|PHI||Protected Health Information (PHI)||Any individually identifiable health information. Identifiable refers not only to the data that is explicitly linked to a particular individual (identified information), but also includes health information with data items that reasonably could be expected to allow individual identification.|
Note: Categories marked with an * have as their source NIST Special Publication 800-61.
The following table identifies the applicable reporting timeframe for each incident category described above.
|CAT 0||Not Applicable. This category is for USG Information Security & ePrivacy’s internal use during exercises. Do not report to USG Information Security & ePrivacy.|
|CAT 1||Within one (1) hour of discovery/detection. Report to USG Information Security & ePrivacy.|
|CAT 2||Within two (2) hours of discovery/detection if the successful attack is still ongoing and the USG participant organization is unable to successfully mitigate activity. Report to USG Information Security & ePrivacy.|
|CAT 3||Daily, within one (1) hour of discovery/detection if widespread across the USG participating organization.|
|CAT 4||Weekly. Notify USG Information Security & ePrivacy via aftermath meeting.|
|CAT 5||Monthly. If system is classified, report within one (1) hour of discovery.|
|CAT 6||Not Applicable. This category is for the USG participant organization’s use to categorize a potential incident that is currently being investigated. Do not report to USG Information Security & ePrivacy.|
|PII||Within one (1) hour of discovery/detection. Report to USG USG Information Security & ePrivacy.|
188.8.131.52 Related Enterprise Policies, Standards, and Guidelines
- USG Office of Information Security & ePrivacy: http://www.usg.edu/infosec/incident_management/.
- These documents can be found in PDF and zipped PDF formats at: http://csrc.nist.gov/publications/nistpubs
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-83, Guide to Malware Incident Prevention and Handling
- NIST SP 800- 28 Guidelines on Active Content and Mobile Code
- NIST SP 800-19 Mobile Agent Security
Return to Top