Download a printable version Enterprise IT Security Incident Response Policy docx format of    Enterprise IT Security Incident Response Policy

Reference #: ITD-SEC-4.3

Issue #: 3

Revision Date: March 6, 2014

 

Table of Contents


Executive Summary

Who This Policy Applies To

Policy Statement

Roles and Responsibilities

Related Documents

Contact

Terms

Document History


Executive Summary

Commonwealth of Massachusetts entities that reside within the security perimeter managed by the Information Technology Division (ITD) comprise the wide area network (WAN) community known as MAGNet: the Massachusetts Access to Government Network.  MAGNet participants must be able to identify, report, and resolve security incidents in a manner that mitigates current and future risk to themselves and other potentially affected entities.  

Secretariats and their respective agencies are required to implement management controls that result in a consistent and effective approach for addressing incidents that is aligned with Enterprise Policies and Standards. This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.

It is important to note that the term ”breach of security” has a special meaning in the Commonwealth’s Identity Theft Law, M.G.L., Ch 93H, which is limited to the protection of a small subset of data.  Although this policy’s requirements regarding security incidents pertain to events that would be defined as “security breaches” under M.G.L., Ch 93H, it also applies to a far broader range of security breaches in that it is not limited to events related to IT systems containing “personal information” as narrowly defined by M.G.L., Ch 93H.

Security Incidents

Security Incidents include, but are not limited to events compromising or potentially compromising the security or integrity of the Commonwealth’s Information Technology (IT) Resources:

  1. Security Incidents include among other things, Attack Intrusion and use or suspected use of Commonwealth systems and/or services for potentially criminal purposes, (“cybercrime”) including but not limited to:
  • Cyber-stalking, identity theft, or child pornography.
  • Unauthorized and illegal disclosure, destruction, and/or alteration of, files, Commonwealth IT systems and data.
  • Web page defacement, unauthorized use of system privileges and attempts (either failed or successful) to gain unauthorized access to a system or its data.
  • Compromised systems access such as the disclosure of passwords to anyone but the owner of the password.
  • Harassment and threats conducted via e-mail through the use of Commonwealth IT Resources.
  • Unwanted disruption or denial of service (DoS) attacks causing;
    • Network packet floods or         
    • System crashes.
  • Unauthorized use of a Commonwealth IT system for the transmission, processing or storage of data.
  • Changes to system hardware, firmware, or software characteristics intentionally concealed from the IT system’s owner and made without their knowledge or consent.

Who This policy applies to

All Secretariats and their respective Agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to the requirements of this supporting policy. 

  • Executive Department Secretariats and their respective Agencies, in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy.
  • Executive Department Secretariats and their respective Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
  • Executive Department Secretariats and their respective Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency.  These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance.  Third parties that interact in any way with Executive Department Commonwealth IT Resources, e.g. MAGNet, are required to comply with this policy. Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise IT Security Incident Response Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations. 

Policy Statement

Secretariats and their respective Agencies are required to comply with this policy when responding to IT security incidents and events. Non-compliance with this policy may result in remediation actions that may include disconnection from MAGNet.  These requirements are intended to facilitate:

  • Rapidly identifying, detecting and remediating incidents.
  • Collecting and preserving evidence related to the incident as appropriate.
  • Minimizing loss and destruction.
  • Mitigating the weaknesses that were exploited.
  • Restoring systems and networks in a timely fashion.
  • Utilizing minimum logging procedures.
  • Reporting procedures including any and all statutory reporting requirements.
  • Complying with all applicable laws and regulations.

Secretariats and their respective Agencies must:

  • Report Security Incidents originating from, affecting, or potentially affecting Executive Department agencies using established Secretariat security incident handling procedures and ensure appropriate notification to the Commonwealth Chief Information Officer (CCIO) and Commonwealth Chief Security Officer (CSO) through their Secretariat Chief Information Officers (SCIOs).
  • In consultation with their SCIOs must initially contact the Governor’s Chief Legal Counsel and ITD about security incidents that may constitute criminal conduct prior to contacting law enforcement, except for cases where emergency or regulatory circumstances (e.g. immediate threat to health, public safety or critical financial services) require the immediate assistance and involvement of law enforcement or when failure to contact law enforcement would delay or otherwise interfere with their appropriate involvement, which case the contact with the Governor’s Chief Legal Counsel may occur after the SCIO contacts law enforcement.
  • Provide the notifications required by laws such as M.G.L., Ch 93H.
  • In consultation with their SCIOs must provide written (which may include email) notification of security incidents including breaches of security to the Information Technology Division and the Division of Public Records as soon as practical and without unreasonable delay.  Written notification must:
    • Describe the nature and circumstances of the breach.
    • Identify unauthorized acquisition or use of compromised data.
    • Comply with all policies and procedures adopted by both the Information Technology Division and the Division of Public Records pertaining to the reporting and investigation of such an incident.
  • If the security incident constitutes an attack intrusion, comply with Common Help’s Attack Intrusion Notification Procedures. 
  • In consultation with their SCIOs, designate IT personnel who have the authority to make the immediate technical and managerial decisions, which are necessary to protect affected or potentially affected IT environments.
  • In consultation with their SCIOs, proactively establish authorization procedures for expenditures associated with incident remediation that do not unreasonably impede IT staff from addressing a situation.
  • Conform internal agency IT security response policies to this policy. 
  • ITD may reserve the right to invoke self-help to implement emergency remediation where the agency fails to act quickly or appropriately to the security incident.  The agencies would be responsible to reimburse ITD for any reasonable self-help implementation. 

Roles and Responsibilities

If an entity fails to comply with this policy and associated procedures or restores an infected device that re-propagates the infection, CommonHelp will update the appropriate records and remove the infected device(s) and all other systems on the subnet from the WAN, until the site can be scanned to verify that there is no longer any intrusion threat.

All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy.  The roles and responsibilities associated with implementation and compliance with this policy follow:

Assistant Secretary for Information Technology

  • Issue policies requiring that agencies comply with the notice provisions of applicable laws and regulations and this policy pertaining to security breaches.
  • Approve and adopt the Enterprise IT Security Incident Response Policy and its revisions.

Secretariat Chief Information Officer (SCIO) and Agency Head

  • Exercise due diligence in adoption of this policy and the related procedures by ensuring that all local incident response policies and procedures comply with the Enterprise IT Security Incident Response Policy and related procedures.
  • Provide communication, training and enforcement of this policy that support the security goals of the Secretariat, its Agencies and the Commonwealth.
  • Provide proper third party oversight as it relates to the agency Incident Response Policy.
  • Identify adequately trained and knowledgeable primary, or primary and secondary, IT personnel to work with ITD in reporting and resolving security incidents.  A list of such personnel must be submitted to ITD annually, by January 1 of every year beginning January 1, 2009.  All lists must be submitted to CommonHelp, (CommonHelp@state.ma.us) via email.
  • Identify designated IT personnel, including agency/organization senior technical managers.  IT personnel must be added to the COMM-DL-Network Administration distribution list to ensure timely receipt of information regarding viruses, hacks and other potential threats. To join the Comm-DL- Network Administration, contact your agency’s network administrator or LAN manager for details.

Secretariat or Agency Information Security Officer (ISO)

  • Validate that the goals and requirements of Enterprise IT Security Incident Response Policy and related procedures are implemented and met.
  • Maintain all required documentation as specified in the Enterprise IT Security Incident Response Policy and related procedures promulgated by the Assistant Secretary for Information Technology and the Public Records Laws.
  • Ensure that should a security incident occur; the affected entity collaborates with ITD to protect both the entity and Commonwealth enterprise IT environments.
  • Ensure that the entity-designated IT personnel act in conformance with the Attack Intrusion Notification Procedures when an attack has or is occurring.
  • Ensure that the Security Incident Handling Reporting Procedures are executed immediately following detection of a security incident.
  • Ensure that the reporting agency's designated contact provides a follow-up report to ITD's Cybercrime Security Incident Response Team (CSIRT), as soon as reasonably practicable but in no event later than 24 hours after the incident.[1]
  • Ensure that the reporting agency's designated contact provides a daily status report to ITD in cases where incident resolution is ongoing.
  • Ensure that the agency’s investigation is coordinated with the Commonwealth’s CISO.

Enterprise Security Board (ESB)

  • Recommend revisions and updates to this policy and related standards.

Information Technology Division (ITD)

  • After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.
  • Provide guidance, assistance, and recommendations that may include immediate countermeasure activities (e.g., deleting and/or isolating vulnerable or exploited elements, disabling individual and/or group access), referral to legal authorities, and other measures deemed necessary.
  • Collaborate with agency IT contacts to protect both the entity and Commonwealth Enterprise IT environments.
  • Through CommonHelp, establish an E2E Security Incident ticket and initiate contact with ITD's CSIRT as well as other event-relevant ITD technical support groups.
  • Notify the Commonwealth CIO and CSO of the nature and severity of the security incident and invoke established procedures when an Executive member of the CSIRT team deems necessary (e.g. multiple agency or statewide cyber-attack).
  • In the event that ITD determines the matter (e.g. cybercrime) is appropriate for referral to the Governor’s Office of Legal Counsel (OLC), the matter will be immediately referred to the Governor’s OLC. 
  • In the event of a statewide or isolated security incident that may impact or affect public safety, notify the Fusion Center for State Police support and involvement as articulated in the established procedures.

Third parties

  • Comply with agency implementation of an agency specific IT Security Incident Response Policy and related procedures.
  • At a minimum comply with this policy.

Related Documents

M.G.L. Chapter 93H Security Breaches

Enterprise Security Incident Handling Procedures

Enterprise Information Security Policy

Contact

Questions related to this policy should be directed to Standards@state.ma.us

CommonHelp (866)888-2808 CommonHelpServiceDesk@MassMail.state.ma.us

Cybercrime Security Incident Response Team CSIRT@state.ma.us

Fusion Center  fusion@pol.state.ma.us
 

Terms

Key terms used in this policy have been provided below for your convenience.  For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms . is maintained.

Attack Intrusion - An Attack Intrusion is a propagation of a malicious event through a virus, worm, Trojan horses, botnet, OS vulnerability exploit, etc. that pose a risk to Commonwealth resources.

Entity - An agency, department, secretariat, authority, college or other unit of government of the Commonwealth of Massachusetts.

Fusion Center - The Fusion Center provides 24 hours a day statewide information sharing among local, state and federal public safety agencies and private sector organizations in order to facilitate the collection, analysis and dissemination of intelligence relevant to terrorism and public safety. The Commonwealth Fusion Center collects and analyzes information from all available sources to produce and disseminate actionable intelligence to stakeholders for strategic and tactical decision-making in order to disrupt domestic and international terrorism.

Incident Response - Incident response is the set of actions taken once an adverse event has occurred to minimize the damage.

Security Incident - An event, intentional or accidental, that threatens or exploits unauthorized and/or illegal access or use of Commonwealth electronic information systems and/or services inside of MAGNet. Additionally, any violations of Information Technology (IT) Resources security policies, standards or established security practices are considered security incidents.

Third Party – Private sector companies or individuals that conduct business with MAGNet members.                        

Document History

DateAction

Effective Date

Next Review Date
06/18/2010ITD-SEC-4.2 Enterprise IT Security Incident Response Policy (replaces ITD-Sec-4.00)06/18/201006/18/2011
02/06/2003ITD-Sec-4.00 Enterprise Cybercrime Security Incident Response Policy02/06/2003 
1/23/12Reviewed1/31/121/31/13
1/17/2014Updated3/6/20141/17/2015


[1] Non-Executive Department agencies are required by law to report this incident to the Attorney General’s Office and Director of Consumer Affairs of Business Regulations