If you are a Department of Defense contractor, you have 72 hours to notify DoD of a breach.
The person(s) _________________ who discovers the incident will call and report the events to the appropriate person within the company, at any hour. An escalated high-priority ticket will be generated and assigned to the senior engineer on call or on help desk duty. The issue will be reviewed for criticality and impact based on the criteria and information collected during this investigation.
The affected people or department head should call the designated numbers in order on the list. A log should be generated with the following information:
When the IT head receives the call (or discovers the incident), they will refer to their contact list for both the management personnel and the incident response members to be contacted. The staff member will call those designated on the list, and will contact the incident response manager by both email and phone message while making sure other appropriate and backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the previous step and record it in the ticket. The IT engineer may also add the following:
- Is the equipment affected business critical?
- What is the severity of the potential impact?
- Name of system being targeted, along with operating system, IP address, and location.
- IP address and any information about the origin of the attack.
Contacted members of the IT response team will meet or discuss the situation over the telephone or in person to determine a response strategy.
An incident ticket will be created. The incident will be categorized in the Company's system and flagged by impact and severity using the following categories:
IT team members will establish and follow predetermined procedures, basing their response on the incident assessment:
(The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.)
The IT engineer will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses, to determine how the incident was caused. Only client-authorized personnel should perform interviews or examine evidence; who is authorized may vary by situation and organization.
The IT engineer will recommend changes to prevent the incident from recurring or spreading to other systems.
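One of the forensic checks named above, "looking for gaps in logs", as an added example that is not part of the original plan: it scans a syslog-style file for stretches of silence longer than a chosen threshold and for timestamps that run backwards. The log text and the 15-minute threshold are constructed for the example.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log (syslog-style), not a real capture. Two things are
# planted in it: a 40-minute silence after 02:05:02 and a last entry whose
# timestamp runs backwards, both of which the review should surface.
SAMPLE_LOG = """\
2024-03-01 02:00:10 host1 sshd[812]: Accepted publickey for alice from 10.0.0.5
2024-03-01 02:02:31 host1 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01 02:05:02 host1 sshd[830]: Accepted password for svc from 10.0.0.9
2024-03-01 02:45:17 host1 systemd[1]: Started Session 14 of user root.
2024-03-01 02:44:59 host1 cron[955]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_entries(log_text):
    """Return [(timestamp, line)] for every line with a parseable time prefix."""
    entries = []
    for line in log_text.splitlines():
        try:
            entries.append((datetime.strptime(line[:19], TS_FORMAT), line))
        except ValueError:
            continue  # malformed line; a full review would record these too
    return entries

def find_gaps(entries, max_silence_seconds):
    """Report every stretch with no log entry longer than max_silence_seconds.
    A gap can mean the host was down, the logger was stopped, or entries were
    removed; each one is evidence to preserve and explain in the ticket."""
    gaps = []
    for (prev_ts, _), (ts, _) in zip(entries, entries[1:]):
        silence = (ts - prev_ts).total_seconds()
        if silence > max_silence_seconds:
            gaps.append({"start": prev_ts.strftime(TS_FORMAT),
                         "end": ts.strftime(TS_FORMAT),
                         "seconds": int(silence)})
    return gaps

def find_out_of_order(entries):
    """Return 1-based line numbers whose timestamp precedes the previous one.
    Sequential logs should never run backwards; when they do, suspect a clock
    change or an entry that was inserted or rewritten after the fact."""
    return [i + 1 for i in range(1, len(entries))
            if entries[i][0] < entries[i - 1][0]]

if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    print(find_gaps(ents, 15 * 60), find_out_of_order(ents))
```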
Upon client approval, the changes will be implemented.
The IT engineer will restore the affected system(s) to an uninfected state. Moore may do any or all of the following:
Documentation—the following shall be documented:
Evidence Preservation—make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond, in case of an appeal.
(If Required) Notify proper external agencies—notify the police and other appropriate agencies if prosecution of the intruder is possible. Agencies and contact numbers are listed below.
- US Secret Service
- Local Police
- State Police
- Local County Sheriff
- DOD – http://dibnet.dod.mil
Assess damage and cost—assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.
(Post-Incident Review) Review response and update policies—plan and take preventative steps so the intrusion cannot happen again.