Category: Security Architecture
Applicability: Applies to all state government agencies, boards, and commissions, excluding higher education
History: Adopted on June 18, 2002. Amended on March 4, 2008.
Attachment A: Incident Response Form (MS Word)
Attachment B: [Link to be added]
Attachment C: Incident Handling Lifecycle (Adobe PDF)
Computer systems are subject to a wide range of mishaps, from corrupted data files, to viruses, to natural disasters. These mishaps can occur at any time of the day or night. Many mishaps are fixed through day-to-day operating procedures, while more severe mishaps are addressed in other plans, e.g. Continuity of Operations (COOP) plans. In some cases, incident handling actions will not be performed by a single person or on a single system. Responses to an incident can range from recovering compromised systems to the collection of evidence for the purpose of criminal prosecution. Therefore, preparation and planning for incidents, and ensuring the right resources are available, are critical to an agency's ability to adequately detect, respond and recover.
A formally documented and coordinated incident response capability is necessary in order to rapidly detect incidents, minimize loss and destruction, mitigate exploited weaknesses, and restore computing services. It prepares agencies to: efficiently respond, protect systems and data, and prevent disruption of services across multiple platforms and between agencies across the State network. Incorporated within these standards are accepted best practices within the law enforcement and Information Technology (IT) security communities. These standards will facilitate cooperation and information exchange among those responsible for responding to and reporting on incidents on any State of Nebraska information system.
It is the responsibility of all State of Nebraska agencies that support information systems to develop, disseminate, and periodically review/update a formal, documented, incident response capability that includes preparation, analysis, containment, eradication, and recovery. In addition, lessons learned from prior and ongoing incident activities should be incorporated into the incident response capability. Agency plans should cover all potential types of incidents, including but not limited to:
In addition to plans that recover systems or services as quickly as possible, the plan should also cover:
Agencies should identify knowledgeable staff who can rapidly respond to, manage, and support any suspected incident to minimize damage to State information system(s), network(s) and data by identifying and controlling the incident, properly preserving evidence, and reporting to appropriate entities. An agency contact list should be developed and maintained for incident response personnel, which includes the names, telephone numbers, pager numbers, mobile telephone numbers, e-mail addresses, organization names, titles, and roles and responsibilities for all key incident response resources, including but not limited to agency personnel and management, other key state agencies, vendors, and contacts.
Documentation of information is critical in situations that may eventually involve authorities, and it also provides a historical record of the actions taken to resolve the event. Manually written incident logs are preferable since electronic logs can be altered or deleted. The minimum information that should be recorded is:
The agency Information Security Officer (ISO) should review the incident information to determine if an actual incident has occurred. Incidents are classified into four tiers based on the severity of the incident: Tier 1, Tier 2, Tier 3, or Tier 4.
| Tier | Definition | Examples | Report to SISO (See § 4.3.) | Activate Agency IRP |
|---|---|---|---|---|
| 1 | Localized, minor incidents. Non-critical systems. | Localized virus attacks; sustained attempts at intrusion, scanning or pinging of state devices; missing IT devices or equipment with storage capabilities | Report aggregate results to the SISO on a monthly basis | No |
| 2 | Incidents affecting critical systems or information; or affecting more than one agency. | Coordinated, distributed attacks; any attack which causes Denial of Service; financial fraud; unauthorized activity involving a server, host, or Confidential system (HR, Legal, Financial, etc.); theft of proprietary information; Internet abuses violating Federal/State law; theft of IT devices with storage capabilities | Report verbally to the SISO immediately for determination of escalation, and/or assistance. | Yes |
| 3 | Incidents impacting multiple agencies | Service provider outage; core network outage; mainframe outage | Report verbally to the SISO immediately. | Yes |
| 4 | Governor declared emergency | Activation of COOP Plan | No | As directed |
Each agency shall securely maintain any information collected, generated, or assessed in the course of determining whether an incident is a potential cyber security incident warranting prosecution. Data collection shall focus on identifying the who, what, when, where, and how of an incident. Collected information shall be properly documented and safeguarded. Evidence such as system and network log files, user files, system administrator logs and notes, backup tapes, and intrusion detection system logs, alarms or alerts shall be securely maintained and the chain of custody preserved by:
If an incident is determined not to be a cyber security incident, agencies are still required to maintain any evidence and its chain of custody because future incidents may require the previously captured evidence.
An evidence file shall be created to record and maintain an inventory of all actions taken, action timestamps and correspondence associated with a security incident.
Agencies shall determine if the incident resulted in a breach of a system containing personal information and then notify affected individuals as required by the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (Neb. Rev. Stat. §§ 87-801 to 87-807) or other State or Federal regulatory guidelines.
Communication shall be on a need-to-know basis and shall be considered confidential during a security incident investigation. Incident responders are not to share any details with anyone other than the Incident Response team, agency management or the State Information Security Officer (SISO) (See Section 2.12).
Agencies shall report incident information to the SISO. The SISO will contact appropriate authorities in accordance with State or Federal incident reporting procedures, applicable laws, directives, policies, regulations, standards, and procedures; and to US-Cert and law enforcement, if necessary. Reporting to the SISO does not relieve agencies from other reporting requirements.
The SISO has the responsibility to inform other agencies about incidents impacting multiple agencies that may become a potential threat.
Agencies should periodically review the incident conditions and determine if escalation to a higher tier is appropriate. An incident may be escalated in any of the following ways:
Agencies should consider escalating an incident when certain conditions are met. The following thresholds of incident actions are examples of when to consider incident escalation:
Priority in incident response is given to preventing further damage to State information systems. Therefore, the Office of the CIO reserves the right to quarantine any potentially threatening agency or system.
Agencies shall identify containment strategies to control an incident's impact to compromised systems, limit the extent of the incident, prevent further damage and regain normal operations of affected systems. Agency containment measures should take into consideration available resources, the classification of an incident, agency Continuity of Operations Plans (COOP) and procedures regarding response methods. Containment measures shall also be evaluated against the potential loss or corruption of security incident evidence. Containment methods shall include as a minimum:
Agencies shall develop and employ mitigation strategies prior to returning compromised systems to service to protect against like or similar types of incidents in the future. Mitigation strategies may include, but are not limited to:
Agencies shall evaluate and determine when to return compromised systems to normal operations. Access to compromised systems shall be limited to authorized personnel until the security incident has been contained and root cause mitigated. Analysis and mitigation procedures shall be completed as soon as possible, recognizing agency systems are vulnerable to other occurrences of the same type. Recovery procedures shall address:
Recovery Requirements. The agency shall define and prioritize the requirements to be met before returning an affected or compromised system to normal operations. Recovery strategies may include, but are not limited to:
Validate Restored Systems. Agencies shall validate the restored systems through system or application regression tests, user verification, penetration tests, and vulnerability testing and test result comparisons.
Increased Security Monitoring. The agency shall heighten awareness and monitoring for a recurrence of the incident.
After an incident has been fully handled and all systems are restored to a normal mode of operation, a follow-up analysis should be performed within three to five days of recovering from the incident to discuss actions that were taken and lessons learned. Extended delays may reduce the effectiveness of relating critical information. Follow-up analysis includes a review of the chronological events, identification of all containment and eradication actions taken, identification of mitigation strategies, examination of the lessons learned, and assessment of the incident costs. Questions to be addressed may include, but are not limited to:
Results of these questions should be documented and incorporated into existing procedures, if necessary.
Agencies should provide education and awareness programs for users in incident response procedures and reporting methods. The programs shall address:
Agency staff responding to incidents are encouraged to obtain the following training, according to their roles and responsibilities:
Testing should be conducted at least annually, either in response to an identified incident or as part of a formal readiness test, using defined tests, simulated events, and exercises to determine the effectiveness of the incident response capability.
Control of information during the course of an incident or investigation of a possible incident is very important. Only the affected agency can authorize the release of all incident information. Specific information concerning the incident, such as accounts involved, programs or system names, are not to be provided to any callers regardless of who they claim to be.
This standard applies to all state government agencies, boards, and commissions, excluding higher education.
No waivers are allowed for this standard.
The NITC shall be responsible for adopting minimum technical standards, guidelines, and architectures upon recommendation by the technical panel. (Neb. Rev. Stat. § 86-516(6))
The SISO serves as a security advisor to all State of Nebraska agencies and shall act as the incident response coordinator for the state. In that capacity, the SISO shall perform the following functions:
When a Tier 2, Tier 3, or Tier 4 incident occurs, agencies must provide a verbal report to the SISO based upon the guidelines listed in Section 2.3. A written preliminary report must be completed within two (2) working days using the Incident Reporting Form (see Attachment A). This report is to be completed by the individual handling the incident; however, all people involved are responsible for providing information regarding their actions. Within ten (10) working days of the resolution of an incident, a written final report must be submitted. In cases where incident resolution is expected to take more than thirty (30) days, a weekly status report must be submitted to the SISO.
Should an incident be serious enough to warrant prosecution, law enforcement will need to demonstrate a chain of custody and provide records of actions taken; therefore, a log must be kept, including recovery steps and other regular or routine work performed on the affected system(s). This log should be kept separate from normal system logs, since it may be used as evidence.
Agencies are responsible for submitting a monthly report (see Attachment B) that documents the aggregate number of the various types of incidents.
Agencies are responsible for training personnel in incident response capabilities according to their roles and responsibilities.
Agencies that support information systems shall provide a support resource, i.e. a Help Desk, which serves as the primary contact to report incidents.
Agencies are responsible for providing a primary and secondary point of contact to act as a liaison with the SISO. The agency point of contact can be the agency Information Security Officer (ISO) or some other designee. See Information Security Policy, Appendix B for the Roles and Responsibilities of the ISO.
All information system(s) users are responsible for understanding their role and complying with agency incident handling procedures. Users must immediately report suspicious activities to their manager and/or the agency or State of Nebraska Help Desk and fully cooperate with personnel tasked with resolving the incident.