
Archive for October, 2007

Sample Incident Response Policy

Cynthia Bonnette, the Director of Information Security Risk Assessment for NETBankAudit in Arlington, VA wrote a sample incident response policy which appeared in this issue of the AML Compliance Alert here.

Here’s an excerpt:

INCIDENT IDENTIFICATION, CLASSIFICATION AND ESCALATION

Once detected, suspected incidents (e.g., anomalous activity) must be reported. The nature and severity of the incident will determine the appropriate response strategy. The Information Security Officer (ISO) or Security Officer classifies the threat severity based on the definitions below. The ISO or Security Officer is also responsible for determining when to escalate or downgrade the severity level of an incident based on changes in circumstances and the discovery of additional information.

Severity levels are as follows:

High. A high level event is an event that can cause significant damage, corruption, or loss (compromise) of confidential, critical and/or strategic bank and customer information. The event can result in potential damage and liability to the bank and to its public image and may degrade customer confidence concerning the bank’s products and services (e.g., online banking). Examples: computer intrusions, compromise of critical information, widespread virus infection, attacks against the IT infrastructure (e.g., domain name servers, firewalls and backup systems) and denial-of-service attacks that disable a critical service or impede business performance.

Medium. A medium level event is an event that may cause damage, corruption, or loss of replaceable information without compromise or may have a moderate impact on the bank’s operations or reputation. Examples: misuse or abuse of authorized access, accidental intrusion, confined virus infection, unusual system performance or behavior, system crashes, installation of unauthorized software, unexplained access privilege changes or unusual after-hour activities.

Low. A low level event is an event that causes inconvenience, aggravation, and/or minor costs associated with recovery, unintentional actions at the user or administrator level, or unintentional damage or minor loss of recoverable information. The event will have little, if any, material impact on the bank’s operations or reputation. Examples: sharing of passwords, policy or procedural violations, and scans of bank systems (except online banking or investing systems, which are medium level events).

Worth looking at for a jump start on developing your own incident response policy. Check it out!

Corporate Security Policy

Randy Bias wrote a helpful article called Architecting Practical Corporate Security Policies here. I especially liked the Example Policy Framework and the suggestions on what should be included in a Corporate Security Policy.

Here’s an excerpt:

Corporate Security Policy
Audience: Executive Management, particularly the CSO, CISO, and Senior INFOSEC Staff

This element is really the overarching framework within which the rest of your policies would be designed. It provides context for the entire policy framework, policy on creating policy, and pointers to which portions of the policy are relevant for which audiences.

Encompassed within the corporate security policy might be 5 key areas (in order):

  • Risk Management Policy
  • Core Policies
  • Vendor & Service Provider Evaluation Policies
  • Processes & Procedures
  • Compliance Policy

Very useful info! Check it out!

Network Security Investigation

During the course of incident response you’ll want a handy resource to follow while conducting your security investigation. A new special report was published by the National Institute of Justice called “Investigations Involving the Internet and Computer Networks” which you can download here.

It’s extremely thorough and covers these topic areas:

  • Tracing an Internet Address to a Source
  • Investigations Involving E-Mail
  • Investigations Involving Web Sites
  • Investigations Involving Instant Message Services, Chat Rooms, and IRC
  • Investigations Involving File Sharing Networks
  • Investigations of Network Intrusion/Denial of Service
  • Investigations Involving Bulletin Boards, Message Boards, Listservs, and newsgroups
  • Legal Issues

I especially like the appendix sections:

  • Sample Subpoenas and Reports
  • Examples of Potential Sources of Evidence in Network Investigations

Check it out!

Sample Security Policies

Here’s a great resource for sample security policies from the North Carolina Healthcare Information and Communications Alliance. Tons of sample policies are available for download on a wide variety of topics including:

  • Security Management Process
  • Risk Analysis
  • Risk Management
  • Sanction Policy
  • Information System Activity Review
  • Assigned Security Responsibility
  • Workforce Security
  • Authorization and/or Supervision
  • Workforce Clearance Procedure
  • Termination Procedures
  • Information Access Management
  • Access Authorization
  • Access Establishment and Modification
  • Security Awareness and Training
  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management
  • Security Incident Procedures
  • Response and Reporting
  • Contingency Plan
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operation Plan
  • Testing and Revision Procedure
  • Applications and Data Criticality Analysis
  • Evaluation
  • Business Associate Contracts and Other Arrangements
  • Facility Access Controls
  • Contingency Operations
  • Facility Security Plan
  • Access Control and Validation Procedures
  • Maintenance Records
  • Workstation Use
  • Workstation Security
  • Device and Media Controls
  • Disposal
  • Media Re-Use
  • Accountability
  • Data Backup and Storage

So far this is the most comprehensive source of sample security policies that I’ve found. Check it out!

Incident Reporting Form

Here is a good example of an online incident reporting form that you can use as part of your incident response process. It’s from the State of North Carolina Office of Information Technology Services.

Here are some of the areas covered on the form:

  • Physical location(s) of victim’s computer system/network
  • IP Address of attacked or compromised host/network
  • Is the affected system/network critical to the organization’s mission?
  • Which Critical Infrastructure sector was affected?
  • Nature of Problem?
    • Intrusion
    • System impairment/denial resources
    • Unauthorized root access
    • Web site defacement
    • Compromise of system integrity
    • Hoax
    • Theft
    • Damage
    • Unknown
    • Other
  • Has this problem been experienced before?
  • Suspected method of intrusion/attack
    • Virus (provide name if known)
    • Vulnerability exploited (explain)
    • Denial of Service
    • Trojan horse
    • Distributed Denial of Service
    • Trapdoor
    • Unknown
    • Other
  • Suspected perpetrator(s) or possible motivation(s) of the attack
  • The apparent source (IP address) of the intrusion/attack
  • Evidence of spoofing?
  • What computer system (hardware and/or software) was affected?
  • Did this incident involve a suspected or actual breach of confidential or personally identifiable information?
  • Did the intrusion/attack result in damage to system(s) or data?
  • What actions and/or technical mitigation have been taken?
  • Incident Priority

Here’s an archived copy of the form: Incident Reporting Form

Windows Hardening Guide

First.org has several good examples of Windows hardening guides in their Best Practices Guide Library.

Jay Ward wrote the very comprehensive Windows 2003 / IIS 6.0 DMZ Hardening Guidelines. The hardening guide has 27 steps and is more than 100 pages long.

Some of the steps include:

  • Boot up Windows Server 2003 Standard Edition (Build 3790) CD-ROM to begin installation and configuration.
  • Create a partition for the Operating System.
  • Network Settings
  • Install the latest Patch Releases
  • Installing SSH Server for Remote Management
  • Media Configuration and Permissions
  • Installing the Anti-Virus Engine
  • Disabling Protocols and Setting a Fixed IP for the Server.

This hardening guide would be a great resource for anyone developing their data security standards for Windows servers.

Check it out!

DataSecurityPolicies.com Recommends first.org Library

The document library at first.org is an excellent resource for anyone developing data security policies and standards.

There you can find papers and presentations, a best practices guide library and a security reference index.

Best practices guides include:

  • Acceptable Use Policy Template
  • CERT-in-a-box
  • Checking Microsoft Windows Systems for Signs of Compromise
  • Checking UNIX/LINUX Systems for Signs of Compromise
  • CSIRT Case Classification (Example for enterprise CSIRT)
  • CSIRT Setting up Guide
  • CVSS based patch policy for enterprise (example)
  • Guide to Tunneling Windows NT VNC traffic with SSH2
  • IIS and NTS 4.0 Hardening Guide
  • Online Forensics of Win32 System Guide
  • Secure BGP Template
  • Secure BIND Template
  • Secure IOS Configuration Template
  • SSH Public Key Configuration Windows NT/2000/XP Guide
  • Windows 2000 / IIS 5.0 DMZ Hardening Guide
  • Windows 2003 / IIS 6.0 DMZ Hardening Guidelines

Definitely worth a look!

Acceptable Use Policy Template

The Forum of Incident Response and Security Teams (first.org) has a great Acceptable Use Policy template available for download in their Best Practices Guide Library. You can download it here.

Here’s an excerpt from the Overview:

The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources at [Company Name] in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.

[Company Name] provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with company policies and protects the company against damaging legal issues.

Other sections of the policy include:

  • General Requirements
  • System Accounts
  • Computing Assets
  • Network Use
  • Electronic Communications
  • Enforcement

An archived copy of the policy is here.

Incident Response Policy Article

You might want to read this classic article called “How to Design a Useful Incident Response Policy” here.

I love this visual representation of a simplistic incident response process:

Incident Response Process