Incident Response Policy and Plan
Effective Date: 9/1/2021
Last Revised: 7/27/2022
This incident response plan defines what constitutes a security incident and outlines the incident response phases. This policy is designed to protect the organizational resources against intrusion and to ensure correct notification and documentation of substantial system issues causing outages.
- Incident Response Goals
  - Verify that an incident occurred.
  - Maintain or restore business
  - Reduce the incident
  - Determine how the attack was done or the incident
  - Prevent future attacks or
  - Improve security and incident
  - Prosecute illegal activity.
  - Keep management and other affected parties informed of the situation and
- Incident Definition. An incident is any one or more of the following:
  - Loss of information confidentiality (data theft)
  - Compromise of information integrity (damage to data or unauthorized modification).
  - Theft of physical IT asset including computers, storage devices, printers,
  - Damage to physical IT assets including computers, storage devices, printers,
  - Denial of
  - Misuse of services, information, or
  - Infection of systems by unauthorized or hostile
  - An attempt at unauthorized
  - Unauthorized changes to organizational hardware, software, or
  - Reports of unusual system
  - Responses to intrusion detection
  - Unauthorized installation of a wireless device on Fuuz’s
- First Response
Immediately upon learning of a failure, if available, a Fuuz associate in close proximity to the Information Security Coordinator shall be given a high-level overview of the situation and shall be assigned the responsibility of contacting all necessary Fuuz associates through the available channels. This person is referred to as the Contact Associate. Contact may be made by voice or email, depending upon the nature of the failure. The contact shall include a brief description of the problem, the scope of users/systems affected, any known work-arounds, and an estimated time for repair to be completed, if known. In the event that the issue occurs on a night or weekend, the Information Security Coordinator shall email or voicemail the information to affected parties. The Information Security Coordinator is responsible for determining which other Incident Response Team Members to notify, and when, and for defining their roles. Incident Response Team Members will be assigned according to their specific roles within Fuuz and will likely include team members from HR, IT, marketing/public relations, and executives (who will be charged with notifying and coordinating with upper management and the Board of Directors).
- Ongoing Incident Communications
Significant changes to the initial situation or updates to the estimated completion time shall be communicated to the Information Security Coordinator who will notify the Incident Response Team members of the updated information as above in First Response.
- Documentation of Incident
A written review of the failure, events leading to it, cause and repair shall be submitted by IT to the Information Security Coordinator within 24 hours of resolution. In the event of hardware failure, availability of parts for future occurrences and their cost is to be provided so that management can determine whether to keep these parts on hand.
Further review by a cross-functional team shall be initiated by entry of a Corrective Action Request (CAR). Resolution shall include a review of client and financial impact and an in-depth analysis of the actions taken, along with measurement of their effectiveness. Additional action items may be specified as mandatory elements of the Incident Plan going forward.
- Incident Response Life Cycle
(a) Discovery. Someone discovers something that is not right or is suspicious. The report may come from any of several sources:
  - Tech Support Issue
  - Intrusion detection system
  - A system administrator
  - A firewall administrator
  - A business partner
  - A monitoring team
  - A manager
  - The security department or a security person
  - An outside source
(b) Notification. The emergency contact procedure is used to contact the Information Security Coordinator and members of the Incident Response Team.
(c) Analysis and Assessment. Many factors will determine the proper response, including:
  - Is the incident real or perceived?
  - Is the incident still in progress?
  - What data or property is threatened and how critical is it?
  - What is the impact on the business should the attack succeed? Minimal, serious, or critical?
  - What system or systems are targeted, and where are they located physically and on the network?
  - Is the incident inside the trusted network?
  - Response Strategy – Determine a response
    - Is the response urgent?
    - Can the incident be quickly contained?
    - Will the response alert the attacker and do we care?
(d) Containment. Take action to prevent further intrusion or damage and remove the cause of the problem. Determine the proper response per the Analysis and Assessment and take the appropriate action.
  - Disconnect the affected system(s)
  - Change passwords.
  - Block some ports or connections from some IP
  - Prevention of re-infection
    - Determine how the intrusion happened – Determine the source of the intrusion whether it was email, inadequate training, attack through a port, attack through an unneeded service, attack due to unpatched system or
    - Take steps to prevent an immediate re-infection, which may include one or more of:
      - Close a port on a firewall
      - Patch the affected system
      - Shut down the infected system until it can be re-installed
      - Re-install the infected system and restore data from backup. Be sure the backup was made before the infection.
      - Change email settings to prevent a file attachment type from being allowed through the email
      - Plan for some user
      - Disable unused services on the affected
  - Restore Affected Systems – Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following:
    - Re-install the affected system(s) from scratch and restore data from backups if necessary. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire
    - Begin notification process.
    - Make users change passwords if passwords may have been
    - Be sure the system has been hardened by turning off or uninstalling unused
    - Be sure the system is fully
    - Be sure real time virus protection and intrusion detection is
    - Be sure the system is logging the correct items
- Notification. Notify the police if prosecution of the intruder is possible. Refer to outside privacy counsel notification procedures and requirements.
- Documentation. Document what was discovered about the incident, including how it occurred, where the attack came from, the response, and whether the response was effective. This documentation shall be saved as a tech support issue as well as forwarded to the Information Security Coordinator Business Continuity Planner for inclusion in Fuuz’s archives.
- Evidence Preservation. Make copies of logs, email, and other documentable communication. Keep lists of witnesses.
- Assess Damage and Cost. Assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. Forward documentation to TGI’s CFO for Cyber Insurance notification.
- Post-Incident Review. Review the response and update policies – Plan and take preventive steps so the intrusion can’t happen again. Provide a detailed report to the Information Security Coordinator including recommendations for purchase of additional security features. The Information Security Coordinator shall review and present recommendations to Fuuz’s executive management team for approval and will initiate purchase of approved improvements.
- Discipline. Violations of this policy will be treated like other allegations of wrongdoing. Allegations of misconduct will be adjudicated according to established procedures. Sanctions for non-compliance may include, but are not limited to, one or more of the following:
  - Disciplinary action according to applicable Fuuz policies;
  - Termination of employment; and/or
  - Legal action according to applicable laws and contractual agreements.