Information Security Incident Handling - OGCIO
Office of the Government Chief Information OfficerINFORMATIONSECURITYPractice GuideforInformation Security Incident Handling[ISPG-SM02]Version 1.1November 2017 Office of the Government Chief Information OfficerThe Government of the Hong Kong Special Administrative RegionThe contents of this document remain the property of and maynot be reproduced in whole or in part without the expresspermission of the Office of the Government Chief Information Officer
COPYRIGHT NOTICE 2017 by the Government of the Hong Kong Special Administrative RegionUnless otherwise indicated, the copyright in the works contained in this publication is ownedby the Government of the Hong Kong Special Administrative Region. You may generallycopy and distribute these materials in any format or medium provided the followingconditions are met –(a)(b)(c)(d)the particular item has not been specifically indicated to be excluded and is thereforenot to be copied or distributed;the copying is not done for the purpose of creating copies for sale;the materials must be reproduced accurately and must not be used in a misleadingcontext; andthe copies shall be accompanied by the words "copied/distributed with the permissionof the Government of the Hong Kong Special Administrative Region. All rightsreserved."If you wish to make copies for purposes other than that permitted above, you should seekpermission by contacting the Office of the Government Chief Information Officer.
Amendment HistoryAmendment HistoryChangeNumberRevision DescriptionPagesAffectedRevisionNumberDate1G54 Information Security IncidentHandling Guidelines version 5.0 wasconverted to Practice Guide forInformation Security Incident Handling.The Revision Report is available at thegovernment intranet portal t1.0December20162Added a new chapter on informationsecurity management and alignedreferences with other practice guides.Wholedocument1.1November2017Practice Guide for Information Security Incident Handlingiii
Table of ContentsTable of ContentsIntroduction . 11.1Purpose. 11.2Normative References . 21.3Definitions and Conventions. 21.4Contact . 3Information Security Management . 4Introduction to Security Incident Handling . 63.1Information Security Incident . 63.2Objectives of Security Incident Handling . 83.3Disclosure of Information about Incident . 8Organisation Framework . 104.1Government Information Security Incident Response Office (GIRO) . 114.2Government Computer Emergency Response Team Hong Kong(GovCERT.HK) . 124.3Departmental Information Security Incident Response Team (ISIRT) . 12Overview of Steps in Security Incident Handling . 18Planning and Preparation . 216.1Security Incident Handling Plan . 216.2Reporting Procedure . 236.3Escalation Procedure . 246.4Security Incident Response Procedure. 256.5Training and Education . 266.6Incident Monitoring Measure . 26Detection and Reporting . 277.1Detection Measure . 277.2Reporting. 27Assessment and Decision . 288.1Assessment of Incident . 288.2Escalation . 288.3Log the Incident . 318.4Obtain System Snapshot . 31Practice Guide for Information Security Incident Handlingiv
Table of ContentsResponse to Security Incident . 329.1Containment . 329.2Eradication . 349.3Recovery . 35Post-Incident Actions . 3710.1Post-Incident Analysis . 3710.2Post-Incident Report . 3810.3Security Assessment . 3910.4Review Existing Protection. 3910.5Investigation and Prosecution . 39Annex A: Departmental IT Security Contacts Change Form . 40Annex B: Checklist for Incident Handling Preparation . 41Annex C: Reporting Mechanism . 42Annex D: Escalation Procedure . 53Annex E: Workflow of Information Security Incident Response Mechanism . 56Annex F: Identification of Incident. 57Practice Guide for Information Security Incident Handlingv
IntroductionIntroductionEffective information security management involves a combination of identification,prevention, detection, response and recovery. In addition to deploying strongsecurity protection, bureaux and departments (B/Ds) should also be able to respondto incidents and invoke proper procedures in case an information security incident(hereafter referred to as security incident or incident) occurs. Proper and advancedplanning ensures the incident response and recovery activities are known,coordinated and systematically carried out. B/Ds shall establish, document, test andmaintain a security incident handling/reporting procedure for their informationsystems.1.1PurposeThis document provides guidance notes for the management, administration andother technical and operational staff to facilitate the development of informationsecurity incident handling planning, and to be used for preparation for, detection ofand response to information security incidents. As information security incident ofdifferent information systems will have different effects and lead to differentconsequences, B/Ds should customise the information security incident handlingprocedures for their information systems according to their specific operationalneeds.This document is intended to provide practical guidance on and reference forinformation security incident handling in the Government. It is not intended tocover technical descriptions of a specific computer hardware or operating systemplatform. B/Ds should consult corresponding system administrators, technicalsupport staff and product vendors for these technical details.Practice Guide for Information Security Incident Handling1
Introduction1.2Normative ReferencesThe following referenced documents are indispensable for the application of thisdocument. 1.3Baseline IT Security Policy [S17] , the Government of the Hong Kong SpecialAdministrative RegionIT Security Guidelines [G3] , the Government of the Hong Kong SpecialAdministrative RegionInformation technology - Security techniques - Information securitymanagement systems - Overview and vocabulary (fourth edition),ISO/IEC 27000:2016Information technology - Security techniques - Information securitymanagement systems - Requirements (second edition), ISO/IEC 27001:2013Information technology - Security techniques - Code of practice for informationsecurity controls (second edition), ISO/IEC 27002:2013Information technology - Security techniques - Information security incidentmanagement - Part 1: Principles of incident management,ISO/IEC 27035-1:2016Information technology - Security techniques - Information security incidentmanagement - Part 2: Guidelines to plan and prepare for incident response,ISO/IEC 27035-2:2016Definitions and ConventionsFor the purposes of this document, the definitions and conventions given in S17, G3,and the following shall apply.Abbreviation and TermsInformationSecurity EventInformationSecurity IncidentOccurrence indicating a possible breach of informationsecurity or failure of controls.One or multiple related and identified information securityevents that can harm the government information systemsand/or data assets or compromise its operations.Practice Guide for Information Security Incident Handling2
Introduction1.4Contact1.4.1GeneralThis document is produced and maintained by the Office of the Government ChiefInformation Officer (OGCIO). For comments or suggestions, please send to:1.4.2Email:it security@ogcio.gov.hkLotus Notes mail:IT Security Team/OGCIO/HKSARG@OGCIOGovernment Information Security Incident Response Office (GIRO)Standing OfficeThe contact information of GIRO Standing Office is as follows:24 hours incident report hotline:2827 8585Email:cert@govcert.gov.hkLotus Notes mail:GIRO Standing Office/OGCIO/HKSARG@OGCIOFor more information about useful contacts for incident handling in the Government,please refer to the Government intranet portal ITG InfoStation: IT Security ThemePage contacts.shtml).Practice Guide for Information Security Incident Handling3
Information Security ManagementInformation Security ManagementInformation security is about the planning, implementation and continuousenhancement of security controls and measures to protect the confidentiality,integrity and availability of information assets, whether in storage, processing, ortransmission and its associated information systems. Information securitymanagement is a set of principles relating to the functions of planning, organising,directing, controlling, and the application of these principles in harnessing physical,financial, human and informational resources efficiently and effectively to assure thesafety of information assets and information systems.Information security management involves a series of activities that requirecontinuous monitoring and control. These activities include but not limited to thefollowing functional areas: Security Management Framework and the Organisation;Governance, Risk Management, and Compliance;Security Operations;Security Event and Incident Management;Awareness Training and Capability Building; andSituational Awareness and Information Sharing.Security Management Framework and OrganisationB/Ds shall establish and enforce departmental information security policies,standards, guidelines and procedures in accordance with the business needs and thegovernment security requirements.B/Ds shall also define the organisation structure on information security and provideclear definitions and proper assignment of security accountability and responsibilityto involved parties.Governance, Risk Management and ComplianceB/Ds shall adopt a risk based approach to identify, prioritise and address the securityrisks of information systems in a consistent and effective manner.B/Ds shall perform security risk assessments for information systems and productionapplications periodically and when necessary so as to identify risks andconsequences associated with vulnerabilities, and to provide a basis to establish acost-effective security program and implement appropriate security protection andsafeguards.Practice Guide for Information Security Incident Handling4
Information Security ManagementB/Ds shall also perform security audit on information systems regularly to ensurethat current security measures comply with departmental information securitypolicies, standards, and other contractual or legal requirements.Security OperationsTo protect information assets and information systems, B/Ds should implementcomprehensive security measures based on their business needs, covering differenttechnological areas in their business, and adopt the principle of "Prevent, Detect,Respond and Recover" in their daily operations. Preventive measures avoid or deter the occurrence of an undesirable event;Detective measures identify the occurrence of an undesirable event;Response measures refer to coordinated actions to contain damage when anundesirable event or incident occurs; andRecovery measures are for restoring the confidentiality, integrity andavailability of information systems to their expected state.Security Event and Incident ManagementIn reality, security incidents might still occur due to unforeseeable, disruptive events.In cases where security events compromise business continuity or give rise to risk ofdata security, B/Ds shall activate their standing incident management plan toidentifying, managing, recording, and analysing security threats, attacks, or incidentsin real-time. B/Ds should also prepare to communicate appropriately with relevantparties by sharing information on response for security risks to subdue distrust orunnecessary speculation. When developing an incident management plan, B/Dsshould plan and prepare the right resources as well as develop the procedures toaddress necessary follow-up investigations.Awareness Training and Capability BuildingAs information security is everyone’s business, B/Ds should continuously promoteinformation security awareness throughout the organisations and arrange trainingand education to ensure that all related parties understand the risks, observe thesecurity regulations and requirements, and conform to security best practices.Situational Awareness and Information SharingAs cyber threat landscape is constantly changing, B/Ds should also constantly attendto current vulnerabilities information, threat alerts, and important noticesdisseminated by the security industry and the GovCERT.HK. The security alerts onimpending and actual threats should be disseminated to and shared with thoseresponsible colleagues within B/Ds so that timely mitigation measures could betaken.B/Ds could make use of the cyber risk information sharing platform to receive andshare information regarding security issues, vulnerabilities, and cyber threatintelligence.Practice Guide for Information Security Incident Handling5
Introduction to Security Incident HandlingIntroduction to Security Incident HandlingIn information security management, the "Security Operations" functional areaincludes the deployment of proper security protection and safeguards to reduce therisk of successful attacks. However, despite all these measures, security incidents dooccur. Therefore, information security incident handling plans need to be preparedin advance and this is a major area under the "Security Event and IncidentManagement". These plans help B/Ds prepare for responding to security incidentsand resuming the services from the incidents if the services are degraded orsuspended. Assigning appropriate personnel and responsibilities, reservingresources, and planning for the handling procedures should be addressed to preparefor the emergence of security incidents. In case an incident is detected, suchpreparation will facilitate incident response and allow information system to recoverin a more organised, efficient and effective manner.3.1Information Security IncidentA threat is a potential event or any circumstance with the potential to adverselyimpact the information assets, systems and networks (e.g. exploit vulnerabilities ininformation systems or networks) to cause information security events. Aninformation security event is an event indicating a possible breach of informationsecurity or failure of controls. The occurrence of an information security event doesnot necessarily mean that an attack has been successful. It does not mean allinformation security events are classified as information security incidents. Theterm 'information security incident' used in this document means one or multiplerelated and identified information security events that can harm the governmentinformation systems and data assets or compromise its operations. For example, aninformation security incident may refer to information leakage that will beundesirable to the interests of the Government or an adverse event in an informationsystem and/or network, which impacts computer or network security in respect ofconfidentiality, integrity and availability. As this practice guide is focusing onincidents related to information security, adverse events such as natural disaster,hardware/software breakdown, data line failure, power disruption, etc. are outsidethe scope of this practice guide, and should be addressed by the correspondingsystem maintenance and disaster recovery plan.Examples of security incidents include: denial of service attack, compromise ofprotected information systems or data assets, leaks of classified data in electronicform, malicious destruction or modification of data, abuse of information systems,massive malware infection, website defacement, and malicious scripts affectingnetworked systems.Practice Guide for Information Security Incident Handling6
Introduction to Security Incident HandlingThe following diagram illustrates the relationship of threat, information securityevent and information security incident:ThreatexploitscausesInformation securityeventcausesVulnerabilityclassified asInformation securityincidentcompromisesimpactsInformation assetOperationsFigure 3.1 Relationship of Security Event and Security Incident3.1.1Security Incident HandlingSecurity incident handling is a set of con
security controls (second edition), ISO/IEC 27002:2013 Information technology - Security techniques - Information security incident . In information security management, the "Security Operations" functional area includes the deployment of proper security protection and safeguards to reduce the
Incident handling requires people, process and technology. 36 Security Operation Centers Well-Defined Methodology ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management ards ENISA Good Practice Guide for Incident Management NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide
Incident Management Process Map 1. Incident Management Process Map 1. Incident Management Description and Goals 9. Incident Management Description and Goals 9. Description 9. Description 9. Goals 9. Goals 9. Incident Management RACI Information 10. Incident Management RACI Information 10. Incident Management Associated Artifacts Information 24
assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
security SANS Computer Security Incident Handling Step -by-Step Guide "an adverse event in an information system and/or network, or the threat of the occurrence of such an event" NIST Computer Security Incident Handling Guide "a violation or imminent threat of violation of computer security policies, acceptable use
security controls (second edition), ISO/IEC 27002:2013 . Information security risk management (second edition), ISO/IEC 27005:2011 . Introduction Practice Guide for Security Risk Assessment and Audit 2 1.3 Definitions and Conventions . Security Operations To protect information assets and information systems, B/Ds should implement .
planning, incident mitigation, and resource availability. The Incident Management Program is structured to assist the system entities, as well as provide a well- rounded incident management platform. e. System Incident Management Oversight and Authorities The System Incident Management staff is comprised of a Division of the Corporate Security
Alex Rider [7] Horowitz, Anthony Walker Books Ltd (2008) Rating: Product Description Alex Rider bites back. Splashing down off the coast of Australia, Alex is soon working undercover - this time for ASIS, the Australian Secret Service - on a mission to infiltrate the criminal underworld of South-East Asia: the ruthless world of the Snakehead. Faced with an old enemy and .
