(1) This guideline document describes the standard approach for planning for, and responding to, information security incidents involving the University's ICT resources and information assets. It specifies an appropriate incident response based on the nature and severity of the incident, the data involved, and other factors.

(2) This document provides guidance to the Incident Handler and associated stakeholders to better respond to information security events and incidents, and provides a structured approach to:

(3) These guidelines form part of the University's hierarchy of IT related incident management processes:

(4) All users of the University's ICT services and systems have a responsibility to:
Scope

(5) This guideline applies to the ICT resources and the information assets of the University, and to any person or device who gains access to these systems or data.

(6) This guideline document must be read in conjunction with the IT Services Critical Incident Management Guide, and the University's Business Continuity Management Framework, Business Continuity Management Policy, Information Security Policy, and Information Technology Conditions of Use Policy.

Interface with IT Incident Management

(7) IT Incident Management is responsible for incident processes related to a significant deterioration, degradation, or disruption of an IT business process or service.

(8) The Information Security Team is responsible for information security incident management processes, running in conjunction with the IT incident management process.

(9) While investigating a particular IT incident, it may become evident, or there may be indications, that the root cause is information security related.

(10) If, during a standard IT incident response, ITS staff suspect that an outage or service disruption may be security-related, these guidelines should be followed.

(11) If it is determined that an incident is not information security related, the Information Security Team will discontinue its participation in that incident response process.

Interface with IT Services' Critical Incident Management

(12) Major and significant incidents require immediate escalation to the IT Service Continuity Coordinator, who is responsible for the Information Technology Services' Critical Incident Management process.

(13) The Information Technology Services Critical Incident Management process will in turn interface with the University Business Continuity process should an incident require such escalation.

Section 2 - Information Security Incident Management Process

(14) Information Security Incident Management is a structured approach, and is composed of four phases:
(15) The sensitivity of information communicated during all phases of incident response must be carefully considered. The University's Information Security Data Classification and Handling Manual defines the four security classification levels in use across the University.

(16) The Incident Handler may, whilst undertaking incident response, liaise with external organisations such as the ACSC, ASD, ASIO, AusCERT, CERT Australia, security consultants, application vendors and specialists in order to manage the technical incident response. This will not form part of any official notification process, and must be done in strict confidence.

(17) In cases where the Incident Handler communicates with external parties, the industry standard Traffic Light Protocol (TLP) should be used. The four University data security classifications align closely with those of the TLP:

Table 1 – TLP Classifications and University Data Classifications
Phase 1: Preparation

(18) The first phase deals with preparing a team to be ready to handle an incident at short notice. Regardless of the cause of the incident, preparation is the most crucial phase, as it will determine how well the team will be able to respond to the event.

Preparing to handle an Incident

(19) Preparation includes those activities that enable the Incident Handler to respond to an incident:

Phase 2: Detection and Incident Analysis

(20) An information security incident begins when a security-related event is reported. This could come from an automated system diagnostic, an incident ticket submitted by a user to the IT Service Desk, or other sources.

(21) When an information security incident is reported or assigned to the Information Security Team, the incident is assigned to an Incident Handler who is responsible for investigating the incident and coordinating the response until the incident is resolved, closed or escalated to the IT Service Continuity Coordinator as an ITS Critical Incident.

(22) The first step for an Incident Handler is to perform a detailed incident analysis and risk assessment, using the University's Risk Management Framework.

(23) Process steps:
Table 2 – Incident Categories
Incident Prioritisation

(24) The Incident Handler shall perform an assessment of the incident priority using the factors in the table below.

Table 3 – Incident Prioritisation Levels
(25) Given the established priority, the incident will be allocated a service level which determines the timelines attached to next steps.

Incident Service Levels

(26) The Incident Handler shall ensure that an incident is managed and responded to as per the below service levels. This service level applies to the Incident Response commitments for all types of information security incidents. Incident response times vary according to the priority level assigned to the incident.

Table 4 – Incident Service Levels
*Notification – Initial notification of a suspected or actual incident to the relevant stakeholders.

**Contain / Remediate – Maximum time to either contain the threat or to permanently remediate.

(27) Based on the analysis of the incident category and classification, the information security incident can be addressed in the following ways:
Escalation

(28) Major and significant incidents require escalation so that senior management within the University are made aware of, and may respond accordingly to, serious and potentially serious information security incidents. The initial point of escalation is to the IT Service Continuity Coordinator, who is responsible for the Information Technology Services' Critical Incident Management Guide.

Phase 3: Containment, Eradication and Recovery

(29) This phase begins once the suspected event has been classified as a Confirmed Incident. This phase involves identifying the immediate response actions to deal with the information security incident and, where applicable, informing the appropriate team of the required actions. The primary objective is to confine any adverse impact to the University's operations, followed by eradication of the threat and the return of the ICT services and systems to their normal state.

(30) The Incident Handler shall manage this phase. Incident containment, eradication and recovery steps may vary based on the incident type, and the incident response responsibility may be split over multiple teams, which shall be managed and coordinated by the Incident Handler.

(31) Incident Handlers will require investigation expertise to effectively manage the incident response, or must have access to or agreements with third parties with appropriate skill sets to perform investigations.

(32) An appropriate combination of the following actions must be used to complete this phase:
Phase 4: Post-Incident Activity

(33) This phase takes place once the information security incident has been resolved or closed.

Compile Summary of Actions and Findings

(34) The Incident Handler(s) must document the actions taken during the process. If the incident involved support from external parties such as AusCERT, CERT Australia, or contracted security consultants, their steps and reports must also be documented by the Incident Handler.

(35) The Incident Handler shall collate the details and prepare the closure report.

Closure Report

(36) The Incident Handler is responsible for documenting an incident closure report which contains (at the minimum) the following information:
(37) The completed incident closure report is shared with the CIO for review and approval.

Submit Recommendations to Appropriate Management

(38) The Incident Handler delivers the incident closure report, including recommendations for changes in technology, process or policy, to appropriate stakeholders for the development of a follow-up action plan.

Lessons Learnt

(39) Information security threats evolve over time, and thus it is imperative that regular improvements are made to information security controls. Any proposed control improvements should consider the outcomes and findings of information security incident investigations.

Section 3 - Roles and Responsibilities

(40) As service owners and users of IT resources, ITS staff are expected to recognise potential security incidents. Responsibilities include:
Information Security Team

(41) The Information Security Team is the team of IT security professionals within Information Technology Services assigned to handle the information security needs for Information Technology Services. Responsibilities include:
Incident Handler

(42) The Incident Handler will typically be a member of the Information Security Team who is assigned operational responsibility for the management of an Information Security Incident. Responsibilities include:
Definitions

(43) In the context of this document: