To maintain the trust of our clients and partners, and meet regulatory requirements, it is essential that we do everything we can to protect confidential information and systems in the face of a cyberattack. The better prepared we are to respond to a potential cyberattack, the faster we can eradicate any threat and reduce the impact on our business.
This document describes the plan for responding to information security incidents at Technical Penguins. This document will explain how to detect and react to cybersecurity incidents and data breaches, determine their scope and risk, respond appropriately and quickly, and communicate the results and risks to all stakeholders.
This plan will be updated annually to reflect organizational changes, new technologies and new compliance requirements that inform our cybersecurity strategy. We will conduct regular testing of this plan to ensure everyone is fully trained to participate in effective incident response.
ROLES, RESPONSIBILITIES & CONTACT INFORMATION
This Security Incident Response Plan must be followed by all personnel, including all owners, employees, temporary staff, consultants, contractors, suppliers and third parties operating on behalf of Technical Penguins. All personnel are referred to as ‘staff’ within this plan.
Below are details about the roles and responsibilities of each member of Technical Penguins to prevent and respond to a workplace incident. It is not an exhaustive list of duties but designed to give each person a general understanding of the entire organization in incident response and prevention.
Incident Response Team Responsibilities
The Incident Response Lead is responsible for:
- Making sure that the Security Incident Response Plan and associated response and escalation procedures are defined and documented. This is to ensure that the handling of security incidents is timely and effective.
- Making sure that the Security Incident Response Plan is current, reviewed and tested at least once each year.
- Making sure that staff with Security Incident Response Plan responsibilities are properly trained at least once each year.
- Leading the investigation of a suspected breach or reported security incident and initiating the Security Incident Response Plan when needed.
- Reporting to and liaising with external parties, including pertinent business partners, legal representation, law enforcement, etc., as is required.
- Authorizing on-site investigations by appropriate law enforcement or third-party security/forensic personnel, as required during any security incident investigation. This includes authorizing access to/removal of evidence from site.
Security Incident Response Team (SIRT) members are responsible for:
- Making sure that all staff understand how to identify and report a suspected or actual security incident.
- Advising the Incident Response Lead of an incident when they receive a security incident report from staff.
- Investigating and documenting each reported incident.
- Taking action to limit the exposure of sensitive data and to reduce the risks that may be associated with any incident.
- Gathering, reviewing, and analyzing logs and related information from various central and local safeguards, security measures and controls.
- Documenting and maintaining accurate and detailed records of the incident and all activities that were undertaken in response to an incident.
- Assisting law enforcement during the investigation processes. This includes any forensic investigations and prosecutions.
- Initiating follow-up actions to reduce likelihood of recurrence, as appropriate.
- Determining if policies, processes, technologies, security measures or controls need to be updated to avoid a similar incident in the future. They also need to consider whether additional safeguards are required in the environment where the incident occurred.
All staff members are responsible for:
- Making sure they understand how to identify and report a suspected or actual security incident.
- Reporting a suspected or actual security incident to the Incident Response Lead (preferable) or to another member of the Security Incident Response Team (SIRT).
- Reporting any security related issues or concerns to line management, or to a member of the SIRT.
- Complying with the security policies and procedures of Technical Penguins.
Roles, Responsibilities and Contact Information
- Strategic lead. Develops technical, operational, and financial risk ranking criteria used to prioritize incident response plan.
- Authorizes when and how incident details are reported.
Incident Response Team
- Central team that authorizes and coordinates incident response across multiple teams and functions through all stages of a cyber incident.
- Maintains incident response plan, documentation, and catalog of incidents.
- Responsible for identifying, confirming, and evaluating extent of incidents.
- Conducts random security checks to ensure readiness to respond to a cyberattack.
(ISP, MSP, Hosting, Testing Partners, etc.)
- Manages security controls to limit the progression of a cyberattack across third-party systems and organizations.
Incident Response Process Overview
Below is the structured 6-step process followed in this document. The six steps outlined are:
- Preparation — review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
- Identification — monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
- Containment — perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
- Eradication — remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
- Recovery — bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.
- Lessons learned — no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.
Incident Response Checklist
- Incident Discovery and Confirmation
- Describe how the team first learned of the attack (security researcher, partner, employee, customer, auditor, internal security alert, etc.).
- Analyze audit logs and security applications to identify unusual or suspicious account behavior or activities that indicate a likely attack and confirm attack has occurred.
- Describe potential attacker, including known or expected capabilities, behaviors, and motivations.
- Identify access point and source of attack (endpoint, application, malware downloaded, etc.) and responsible party.
- Prepare an incident timeline to keep an ongoing record of when the attack occurred and subsequent milestones in analysis and response.
- Check applications for signatures, IP address ranges, files hashes, processes, executables names, URLs, and domain names of known malicious websites.
- Evaluate extent of damage upon discovery and risk to systems and privileged accounts. Audit which privileged accounts have been used recently, whether any passwords have been changed, and what applications have been executed.
- Review information assets list to identify which assets have been potentially compromised. Note integrity of assets and evidence gathered.
- Collect meeting notes in a central repository to use in preparing communications with stakeholders.
- Inform employees regarding discovery.
- Containment and Continuity
- Enable temporary privileged accounts to be used by the technical and security team to quickly access and monitor systems.
- Protect evidence. Back up any compromised systems as soon as possible, prior to performing any actions that could affect data integrity on the original media.
- Change passwords for all privileged users, service, application, and network accounts.
- Remove systems from production or take systems offline if needed.
- Inform team and affected clients regarding breach containment.
- Close firewall ports and network connections.
- Test devices and applications to be sure any malicious code is removed.
- Compare data before and after the incident to ensure systems are reset properly.
- Inform team and affected clients regarding eradication.
- Download and apply security patches.
- Close network access and reset passwords.
- Conduct vulnerability analysis.
- Return any systems that were taken offline to production.
- Lessons Learned
- Review forensic evidence collected.
- Write an Executive Summary of the incident.
- Implement additional training for everyone involved in incident response and all employees.
- Update incident response plan.