28. HealthSafe Information Security Incident Management Policy



INFORMATION SECURITY INCIDENT MANAGEMENT POLICY



Document Identification: HSNZ/POL/28
Document Name: Information Security Incident Management Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director

VERSION HISTORY

Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 03 Aug 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review


DOCUMENT STATUS

Date | Document Status
14 Apr 2020 | Modified
03 Aug 2021 | Reviewed
28 Jul 2022 | Review
15 Aug 2023 | Current


Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records


  1. PURPOSE
    The purpose of this document is to establish and maintain a policy for Information Security Incident Management for HealthSafe NZ. The policy exists to verify that an incident occurred, maintain or restore business continuity, reduce the incident's impact, determine how the attack was carried out or how the incident happened, prevent future attacks or incidents, improve security and incident response, prosecute illegal activity, and keep management informed of the situation and the response.

  2. SCOPE
    These procedures apply to all aspects of information security incident management.

  3. ABBREVIATIONS, ACRONYMS AND DEFINITIONS

Abbreviation | Description
FH | Functional Head
IT | Information Technology Department
TL | Team Lead
CISO | Chief Information Security Officer

4 INPUT

To identify incidents and initiate appropriate action to prevent their recurrence.


5 OUTPUT

To take appropriate corrective actions for each incident identified.


6 INTERACTING PROCESS

All departments.


7 PROCEDURE


Incident Definition

An incident is any one or more of the following: 

  • Non-availability of information (system failure)
  • Loss of information confidentiality (data theft)
  • Loss of data arising from server crash
  • Compromise of information integrity (loss or damage to data, or unauthorised modification)
  • Theft of physical IT assets including laptops, storage devices, printers, etc.
  • Damage to physical IT assets including laptops, storage devices, printers
  • Denial of service
  • Misuse of services, information, or assets
  • Infection of systems by unauthorised or hostile software
  • An attempt at unauthorised access
  • Unauthorised changes to organisational hardware, software, or configuration
  • Reports of unusual system behaviour
  • Non-compliance with policy and procedures
  • Power shutdown
  • Natural calamities such as fire, earthquake, floods
  • Disruptions arising from strikes, lockout, civil disturbance, etc.

Reporting information security events and weaknesses

To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. 


Information Security events

Information security events shall be reported through appropriate management channels as quickly as possible. 

A formal information security event reporting procedure is established, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact is established for the reporting of information security events.

Information Security Weaknesses

All employees, contractors and third-party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.


Management of information security incidents and improvements

To ensure a consistent and effective approach is applied to the management of information security incidents.


Responsibilities and procedures

In addition to reporting of information security events and weaknesses, the monitoring of systems, alerts and vulnerabilities should be used to detect information security incidents.

The following are considered for information security incident management:

Procedures should be established to handle different types of information security incidents, including:

  • Information system failures and loss of service;
  • Malicious code;
  • Denial of service;
  • Errors resulting from incomplete or inaccurate business data;
  • Breaches of confidentiality and integrity;
  • Misuse of information systems.

In addition to normal contingency plans, the procedures should also cover:

  • Analysis and identification of the cause of the incident;
  • Containment;
  • Planning and implementation of corrective action to prevent recurrence, if necessary;
  • Communication with those affected by or involved with recovery from the incident;
  • Reporting the action to the appropriate authority.

Audit trails and similar evidence should be collected and secured as appropriate for:

  • Internal problem analysis;
  • Use as forensic evidence in relation to a potential breach of contract or regulatory requirement, or in the event of civil or criminal proceedings;
  • Negotiating for compensation from software and service suppliers.

Action to recover from security breaches and correct system failures should be carefully and formally controlled; the procedures should ensure that:

  • Only clearly identified and authorised personnel are allowed access to live systems and data;
  • All emergency actions taken are documented in detail;
  • Emergency action is reported to management and reviewed in an orderly manner;
  • The integrity of business systems and controls is confirmed with minimal delay.

Learning from information security incidents

In addition to the reporting of security incidents and software malfunctions, the procedure also covers the analysis of how each incident or malfunction occurred.

A mechanism is defined to analyse each incident and to take the corrective and preventive actions needed to minimise its recurrence.


Collection of evidence

It is necessary to have adequate evidence to support an action against a person or organisation. Whenever this action is an internal disciplinary matter the evidence necessary will be described by internal procedures. Where the action involves the law, either civil or criminal, the evidence presented should conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. In general, these rules cover:

  1. Admissibility of evidence: whether or not the evidence can be used in court;
  2. Weight of evidence: the quality and completeness of the evidence;
  3. Adequate evidence that controls have operated correctly and consistently (i.e. process control evidence) throughout the period that the evidence to be recovered was stored and processed by the system.

To achieve admissibility of the evidence, organizations should ensure that their information systems comply with any published standard or code of practice for the production of admissible evidence.

To achieve quality and completeness of the evidence, a strong evidence trail is needed. In general, such a strong trail can be established under the following conditions.

  1. For paper documents: the original is kept securely, and it is recorded who found it, where it was found, when it was found and who witnessed the discovery. Any investigation should ensure that originals are not tampered with.
  2. For information on computer media: copies of any removable media, information on hard disks or in memory should be taken to ensure availability. A log of all actions during the copying process should be kept and the process should be witnessed. One copy of the media and the log should be kept securely.
  3. When an incident is first detected, it may not be obvious that it will result in possible court action. The danger therefore exists that necessary evidence is destroyed accidentally before the seriousness of the incident is realised. It is advisable to involve a lawyer or the police early in any contemplated legal action and to take advice on the evidence required.
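The evidence-trail conditions for computer media above (take a copy, log every action, have it witnessed, keep one copy securely) as an added Python example; this is not part of the policy or of any HealthSafe tooling, and the analyst, location, witness and sample image are constructed placeholders:

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire_copy(source: Path, dest: Path, log_path: Path,
                 found_by: str, found_where: str, witness: str) -> dict:
    """Copy the media, hash original and copy, and append a witnessed log entry.

    'verified' is False when the copy's hash differs from the original, so a
    bad copy is recorded in the log rather than silently kept as evidence.
    """
    original_hash = sha256_file(source)
    shutil.copyfile(source, dest)
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "source": str(source), "copy": str(dest),
        "found_by": found_by, "found_where": found_where, "witness": witness,
        "sha256_original": original_hash,
        "sha256_copy": sha256_file(dest),
    }
    entry["verified"] = entry["sha256_original"] == entry["sha256_copy"]
    with log_path.open("a", encoding="utf-8") as log:  # append-only: one JSON line per action
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_copy(entry: dict) -> bool:
    """Re-hash the stored copy later and confirm it still matches the logged original hash."""
    return sha256_file(Path(entry["copy"])) == entry["sha256_original"]

def demo() -> dict:
    """Run the procedure on a constructed sample 'USB image' in a temporary directory."""
    workdir = Path(tempfile.mkdtemp())
    source = workdir / "usb_image.bin"
    source.write_bytes(b"constructed sample image contents\n" * 1000)  # constructed, not real media
    return acquire_copy(source, workdir / "usb_image_copy.bin", workdir / "custody.log",
                        found_by="J. Analyst (assumed)", found_where="Server room, rack 2 (assumed)",
                        witness="Team Lead (assumed)")
```

The returned entry is also the line appended to custody.log, so the log and the hashes travel together with the secured copy.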


Points to Remember:

  • The CISO must be notified immediately when a security weakness or incident is identified.
  • Staff are informed that they should not, under any circumstances, attempt to prove a suspected weakness. This is for their own protection, as testing weaknesses might be interpreted as a potential misuse of the system.

8 MONITORING PROCESS

The senior production team monitors these processes.


9 RECORDS

  • JIRA Logs
  • Penetration Reports
  • Incident Management Record