INFORMATION SECURITY INCIDENT MANAGEMENT POLICY

| Document Identification | HSNZ/POL/28 |
|---|---|
| Document Name | Information Security Incident Management Policy |
| Master Copy | CISO |
| Version Number | 1.3 |
| Date Of Release | 15 Aug 2023 |
| Prepared By | Eparama Tuibenau, CISO |
| Approved by | Kevin McAfee, Managing Director |
VERSION HISTORY

| Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change |
|---|---|---|---|---|---|---|---|
| 1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made |
| 1 | 1.0 | 1.1 | CISO | MD | Updated | 03 Aug 2021 | Modifications due to changes in HealthSafe |
| 1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review |
| 1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review |
DOCUMENT STATUS

| Date | Document Status |
|---|---|
| 14 Apr 2020 | Modified |
| 03 Aug 2021 | Reviewed |
| 28 Jul 2022 | Review |
| 15 Aug 2023 | Current |
Table of Contents
1 Purpose
2 Scope
3 Abbreviations, Acronyms and Definitions
4 Input
5 Output
6 Interacting Process
7 Procedure
8 Monitoring the Process
9 Records
1 PURPOSE
The purpose of this document is to establish and maintain a policy for Information Security Incident Management for HealthSafe NZ. Its objectives are to verify that an incident occurred, maintain or restore business continuity, reduce the incident's impact, determine how the attack or incident happened, prevent future attacks or incidents, improve security and incident response, prosecute illegal activity, and keep management informed of the situation and the response.
2 SCOPE
These procedures apply to all aspects of information security incident management.
3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS
| Abbreviation | Description |
|---|---|
| FH | Functional Head |
| IT | Information Technology Department |
| TL | Team Lead |
| CISO | Chief Information Security Officer |
4 INPUT
To identify incidents and initiate appropriate action to prevent recurrence.
5 OUTPUT
To take appropriate corrective actions for the incident identified.
6 INTERACTING PROCESS
All departments.
7 PROCEDURE
Incident Definition
An incident is any one or more of the following:
- Non-availability of information (system failure).
- Loss of information confidentiality (data theft).
- Loss of data arising from a server crash.
- Compromise of information integrity (loss of or damage to data, or unauthorised modification).
- Theft of physical IT assets, including laptops, storage devices, printers, etc.
- Damage to physical IT assets, including laptops, storage devices and printers.
- Denial of service.
- Misuse of services, information, or assets.
- Infection of systems by unauthorised or hostile software.
- An attempt at unauthorised access.
- Unauthorised changes to organisational hardware, software, or configuration.
- Reports of unusual system behaviour.
- Non-compliance with policies and procedures.
- Power shutdown.
- Natural calamities such as fire, earthquake or floods.
- Disruptions arising from strikes, lockouts, civil disturbance, etc.
Reporting information security events and weaknesses
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Information Security events
Information security events shall be reported through appropriate management channels as quickly as possible.
A formal information security event reporting procedure is established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact is established for the reporting of information security events.
Information Security Weaknesses
All employees, contractors and third-party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.
Management of information security incidents and improvements
To ensure a consistent and effective approach is applied to the management of information security incidents.
Responsibilities and procedures
In addition to reporting of information security events and weaknesses, the monitoring of systems, alerts and vulnerabilities should be used to detect information security incidents.
The following are considered for information security incident management:
- Procedures should be established to handle different types of information security incidents, including:
  - Information system failures and loss of service;
  - Malicious code;
  - Denial of service;
  - Errors resulting from incomplete or inaccurate business data;
  - Breaches of confidentiality and integrity;
  - Misuse of information systems.
- In addition to normal contingency plans, the procedures should also cover:
  - Analysis and identification of the cause of the incident;
  - Containment;
  - Planning and implementation of corrective action to prevent recurrence, if necessary;
  - Communication with those affected by or involved with recovery from the incident;
  - Reporting the action to the appropriate authority.
- Audit trails and similar evidence should be collected and secured as appropriate for:
  - Internal problem analysis;
  - Use as forensic evidence in relation to a potential breach of contract or regulatory requirement, or in the event of civil or criminal proceedings;
  - Negotiating for compensation from software and service suppliers.
- Action to recover from security breaches and correct system failures should be carefully and formally controlled; the procedures should ensure that:
  - Only clearly identified and authorised personnel are allowed access to live systems and data;
  - All emergency actions taken are documented in detail;
  - Emergency action is reported to management and reviewed in an orderly manner;
  - The integrity of business systems and controls is confirmed with minimal delay.
Learning from information security incidents
In addition to the reporting of security incidents and software malfunctions, the procedure also covers the analysis of how the incident or malfunction occurred.
A mechanism has been defined to analyse each incident and to take the corrective and preventive actions necessary to minimise its recurrence.
Collection of evidence
It is necessary to have adequate evidence to support an action against a person or organisation. Whenever this action is an internal disciplinary matter the evidence necessary will be described by internal procedures. Where the action involves the law, either civil or criminal, the evidence presented should conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. In general, these rules cover:
- Admissibility of evidence: whether or not the evidence can be used in court;
- Weight of evidence: the quality and completeness of the evidence;
- Adequate evidence that controls have operated correctly and consistently (i.e. process control evidence) throughout the period that the evidence to be recovered was stored and processed by the system.
To achieve admissibility of the evidence, organizations should ensure that their information systems comply with any published standard or code of practice for the production of admissible evidence.
To achieve quality and completeness of the evidence, a strong evidence trail is needed. In general, such a strong trail can be established under the following conditions.
- For paper documents: the original is kept securely and it is recorded who found it, where it was found, when it was found and who witnessed the discovery. Any investigation should ensure that originals are not tampered with.
- For information on computer media: copies of any removable media, information on hard disks or information in memory should be taken to ensure availability. A log of all actions during the copying process should be kept and the process should be witnessed. One copy of the media and the log should be kept securely.
- When an incident is first detected, it may not be obvious that it will result in possible court action. Therefore, the danger exists that necessary evidence is destroyed accidentally before the seriousness of the incident is realised. It is advisable to involve a lawyer or the police early in any contemplated legal action and take advice on the evidence required.
Points to Remember:
- The CISO must be notified immediately when a security weakness or incident is identified.
- Staff are informed that they should not, in any circumstances, attempt to prove a suspected weakness. This is for their own protection, as testing weaknesses might be interpreted as a potential misuse of the system.
8 MONITORING PROCESS
The senior production team monitors these processes.
9 RECORDS
- JIRA Logs
- Penetration Reports
- Incident Management Record