Sample Incident Response Policy Template
Contents
This policy defines the requirement for reporting and responding to incidents related to company information systems and operations. Incident response provides the company with the capability to identify when a security incident occurs.
Free Security Policy Templates
Get a step ahead of your cybersecurity goals with our comprehensive templates.
Definitions
- Security incident: Refers to an adverse event in an information system, and/or network, or the threat of the occurrence of such an event. Incidents can include, but are not limited to, unauthorized access, malicious code, network probes, and denial of service attacks.
Overview
Security Incident Management at {COMPANY-NAME} is necessary to detect security incidents, determine the magnitude of the threat presented by these incidents, respond to these incidents, and if required, notify {COMPANY-NAME} members of the breach.
Purpose
This policy defines the requirement for reporting and responding to incidents related to {COMPANY-NAME} information systems and operations. Incident response provides {COMPANY-NAME} with the capability to identify when a security incident occurs.
If monitoring were not in place, the magnitude of harm associated with the incident would be significantly greater than if the incident were noted and corrected.
This policy applies to all information systems and information system components of {COMPANY-NAME}. Specifically, it includes:
- Mainframes, servers, and other devices that provide centralized computing capabilities.
- Devices that provide centralized storage capabilities.
- Desktops, laptops, and other devices that provide distributed computing capabilities.
- Routers, switches, and other devices that provide network capabilities.
- Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities.
In the event a breach of member’s information occurs, {COMPANY-NAME} is required by [state] state law to notify the individual(s) as described in [State Statute Section XXXXXX(2)].
Scope
This policy applies security incidents affecting all {COMPANY-NAME} owned and customer-owned information assets managed facilities, networks, systems, and technology assets that store, process, or transmit information within the scope of the Information Security Management System (ISMS).
Policy Detail
Program Organization
- Computer Emergency Response Plans – {COMPANY-NAME} management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service. For example, Charter connectivity is interrupted or an isolated malware discovery.
- Incident Response Plan Contents – The {COMPANY-NAME} incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners. Specific areas covered in the plan include:
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Identification and coverage for all critical system components
- Reference or inclusion of incident response procedures from relevant external partners, e.g., payment card issuers, suppliers
- Incident Response Testing – at least once every year, the IT Department must utilize simulated incidents to mobilize and test the adequacy of response. Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented and shared with key stakeholders.
- Incident Response and Recovery – A security incident response capability will be developed and implemented for all information systems that house or access {COMPANY-NAME} controlled information. The incident response capability will include a defined plan and will address the seven stages of incident response:
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activity
- To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis.
- Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based on the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders.
- Intrusion Response Procedures – The IT Department must document and periodically revise the Incident Response Plan with intrusion response procedures. These procedures must include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures.
- Malicious Code Remediation – Steps followed will vary based on scope and severity of a malicious code incident as determined by Information Security Management. They may include but are not limited to: malware removal with one or more tools, data quarantine, permanent data deletion, hard drive wiping, or hard drive/media destruction.
- Data Breach Management – {COMPANY-NAME} management should prepare, test, and annually update the Incident Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.
- Incident Response Plan Evolution – The Incident Response Plan must be updated to reflect the lessons learned from actual incidents. The Incident Response Plan must be updated to reflect developments in the industry.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Program Communication
- Reporting to Third Parties – Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with legal representatives, the Security Officer, and the VP of IT must weigh the pros and cons of external disclosure before reporting these violations.
- If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties must be immediately informed about the situation.
- If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its Owner and the Security Officer must be notified immediately.
- Display of Incident Reporting Contact Information – {COMPANY-NAME} contact information and procedures for reporting information security incidents must be prominently displayed in public communication mediums such as bulletin boards, break rooms, newsletters, and the intranet.
- Member Notification – The notification will be conducted and overseen by {COMPANY-NAME}’s Director of Risk Management. The notification should contain, at a minimum, the following elements:
- Recommendations for the member to protect him/herself
- Contact information for the Federal Trade Commission
- Contact information for the credit bureaus
Sample Notification Letter:
{enter date here}
Dear [enter member’s name here],
We, at {COMPANY-NAME} LLC, believe in acting quickly in our member’s best interest. We recently became aware of an incident involving unauthorized access to certain member’s confidential information. {describe here the incident in general terms}
We have taken steps to mitigate the incident and protect our member’s information from further risk. {describe here the steps taken by {COMPANY-NAME} in general terms}
This incident may have increased the probability of your information being used for fraudulent purposes. It is impossible to know with certainty whether you will experience trouble, but there are steps you can take to protect yourself. Here are some recommendations:
- Carefully review your account statements. If anything looks suspicious, promptly report the suspicious activity to {COMPANY-NAME}.
- Visit the Federal Trade Commission’s (FTC) website or call their toll-free number to obtain identity theft guidance and to report suspected incidents of identity theft.
- http://www.ftc.gov/bcp/edu/microsites/idtheft//
- Phone: 1-877-438-4338
- TTY: 1-866-653-4261
- The Fair Credit Reporting Act allows you, under certain circumstances, to place a fraud alert in your consumer credit report. A fraud alert indicates to anyone requesting your credit file that you suspect you are a victim of fraud. Placing a fraud alert in your file entitles you to order one free copy of your credit report from each agency. Review your credit reports carefully for unauthorized inquiries or accounts you did not open.
TransUnion:
Fraud Victim Assistance Division PO Box 6790
Fullerton, CA 92834-6790
1-800-680-7289
Equifax:
PO Box 740241
Atlanta, GA 30374-0241
1-800-525-6285
Experian:
PO Box 9554
Allen, TX 75013
1-888-397-3742
- You will need to remain observant for the next 12 to 24 months in checking your accounts for suspicious activity. Promptly report incidents of suspected identity theft to {COMPANY-NAME}.
- It is recommended that you obtain credit reports periodically from each of the nationwide credit reporting agencies and have information relating to fraudulent transactions deleted. Subscription services are available that can provide notification to you anytime there are changes or inquiries in your credit record.
Please do not hesitate to contact {COMPANY-NAME} LLC at 608-755-6065 or 800-779-5555 for assistance and information related to this incident.
Sincerely,
{COMPANY-NAME} LLC
Responsibilities
Roles and responsibilities regarding specific access assignments are as follows.
- The Senior Security Lead {insert other titles here and throughout as appropriate} is responsible for:
- maintaining and assuring that the incident management process is faithfully followed;
- appropriate logs and records are maintained;
- company management is notified and remains informed
- law enforcement or regulatory agencies are notified and informed as required.
- timely resolution of individual incidents;
- collection of incident information and evidence to support ongoing continuous improvement and risk reduction.
- Incident Managers are assigned to manage assigned incidents from point of identification through resolution.
- Employees and system users are responsible for:
- identifying and reporting security incidents immediately upon detection;
- supporting the efforts of remediation, analysis, and prevention measures that they may be directly or indirectly affected by under the leadership of the Incident Manager.
- Adherence to this policy is a requirement of employment at {COMPANY-NAME}. (See HR Security Policy).
- Awareness training for this policy is provided through the Security Awareness Training.
Procedures
Identifying And Reporting Information Security Events And Weaknesses
Employees and contractors have a duty to be aware of the types of information security incidents and to report them immediately to the Senior Security Lead.
Information security incidents are any events that threaten the confidentially, integrity, or availability (CIA) of in-scope information. Events that might constitute a security incident include:
- Penetration or compromise of a system by an unauthorized agent thereby granting unauthorized access to protected information.
- Unintentional human errors leading to a breach, such as sending an email containing unencrypted personally identifying information or clicking on a dangerous link in a phishing email.
- Loss or theft of information or a controlled asset.
- Intentional human actions such as sharing login credentials that grant unauthorized access to systems.
- Unauthorized physical entry of office or data center.
- Hardware failures impacting CIA.
- Software failures impacting CIA.
Employees and contractors also have a duty to be aware of potential weaknesses and vulnerabilities in systems or processes that might potentially be exploited and cause a security incident. Weaknesses should also be reported to the Senior Security Lead.
Examples of potential weaknesses or vulnerabilities include:
- Unlocked physical access points (doors, windows).
- Sensitive information left unattended (paper or electronic).
- Sharing of login credentials.
- Unlocked cabinets containing sensitive data.
Assessment Of And Decision On Information Security Events
The Senior Security Lead takes the following actions when informed of a security event or a potential security weakness:
- The Security Incident Log records the event’s time, date, report, description of the event or weakness, and the affected facilities, systems, or process.
- Assesses the reported event or weakness and decides whether it should be classified as a security incident based on the real or potential harm to CIA of in-scope protected information.
- For events/weaknesses classified as a security incident (see Response to information security incidents below):
- Takes immediate remedial action directly or with the help of the Organizational Controls Lead and/or the Technical Controls Lead. Action will vary depending on circumstances, but its goal is always to immediately prevent further harm.
- Identifies an Incident Manager to take responsibility for causal analysis and preventive action. (Note, the Senior Security Lead may serve as the Incident Manager)
- Notifies law enforcement agencies, if merited by the severity of the incident, with company-management approval. (Reference the Information Security Manual, Appendix A for law enforcement contact information.)
- Notifies company management, and other interested parties (including customers) if the incident is externally or customer-facing.
- For events/weaknesses that are not classified as a security incident.
- Takes any immediate remedial action necessary to resolve the event or reduce the weakness.
- Records actions taken in the Security Incident Log.
Response To Information Security Incidents
When an event or weakness is identified as a security incident the Incident Manager assures that a complete understanding of the incident cause is established. That appropriate corrective, preventive, and verification actions are in place, by taking the following steps:
- Collects information and evidence from various sources, as quickly after the incident as possible.
- Assures that the accuracy, integrity, protection, and chain-of-custody of collected evidence is assured by appropriate means.
- Logs all evidence including interview responses from involved or affected individuals.
- Conducts any security forensics analysis, as required.
- ensures that all response activities are properly logged for later analysis;
- communicates the status of the investigation to company management.
- Document factors/events that caused the incident.
- Directs actions to eliminate or reduce causes and to implement preventive changes to systems or processes.
- Verifies that implemented actions have been effective.
- Closes out the security incident in the Security Incident Log.
Learning From Information Security Incidents
The Senior Security Lead will periodically analyze the types, volumes costs (if known) of security incidents to identify and evaluate trends, and high-impact risks, and drive systemic improvement actions aimed at reducing risk levels and increasing the effectiveness of the ISMS.
The results of analyses are reviewed in Management Review meetings and resulting actions are tracked in the Corrective Action system.
Access Control Records
- Refer to the Security Incident Log policy.
Reference Documents
- Refer to the HR Security policy.
Article by
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Share This Page
Our Editorial Process
Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.
Categories
The Breach Report
Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.
Related Templates
An acceptable use policy outlines the use of computer equipment. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy governs how the firewalls will filter Internet traffic to mitigate the risks and losses associated with security threats.
A penetration testing policy provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security
The purpose of an internet usage policy is to establish the rules for the use of company Internet for access to the Internet or the Intranet.
The company must prioritize its assets and protect the most critical ones first; however, it is important to ensure patching takes place on all machines.
