Policy 7230A - Department of Administration
8. Incident Response

These Incident Response Non-Mandatory Baselines support the Enterprise Security Policy (ITEC 7230 Rev 1), the Computer Incident Response Policy (ITEC 7320) and the IT Security Response Protocols (ITEC 7320A).

                                                        Mandatory     Non-Mandatory
                                                        Procedures    Baselines
8. Incident Response
  8.1. Incident Response
    8.1.1. Build a Team and Provide Training            (4 sets)      (4 sets)
    8.1.2. Build an Incident Response Capability        (4 sets)      (5 sets)
    8.1.3. Test the Plan                                (3 sets)      (2 sets)
    8.1.4. Operate the Plan                             (5 sets)      (3 sets)
  8.2. Maintain Records

8.1. Incident Response

The following are the Non-Mandatory Baselines that support the Incident Response section of the Default Security Requirements:

8.1.1. Build a Team and Provide Training

Incident response is a security control that requires specialized capabilities. Building a team ensures those capabilities are always appropriately provided for:

8.1.1.a Incident Response (IR) Responsibilities
• Communications and coordination skills are required to manage the various team members and activities and to share information with employees of the organization outside of the IR team.
• Network management skills are required to ensure network functionality and availability during an incident as well as to understand the impact of the incident in regard to network functions.
• Systems management skills are required to ensure system functionality and availability during an incident as well as to understand the impact of the incident in regard to system functions.
• Security management skills are required to ensure security infrastructure functionality and availability during an incident as well as to understand the impact of the incident in regard to security functions.
8.1.1.b IR Roles
• IR Team Managers should be assigned primary responsibilities of coordination and communication. Secondary responsibilities can extend into the various technical areas according to the skill set of the individual.
• IR Network Leads should be assigned primary responsibilities of network analysis and troubleshooting. Secondary responsibilities can extend into any area according to the skill set of the individual but are likely to match best to security infrastructure management.
• IR Systems Leads should be assigned primary responsibilities of specific system analysis and troubleshooting. Secondary responsibilities can extend into any area according to the skill set of the individual but are likely to match best to system management of alternate systems.
• IR Security Leads should be assigned primary responsibilities of security infrastructure analysis and troubleshooting. Secondary responsibilities can extend into any area according to the skill set of the individual.

8.1.1.c IR Training
• IR training should, at a minimum, address the following:
  o How to recognize an incident.
  o How to analyze an incident.
  o How to contain and eradicate an incident.
  o How to return to normal operations.
  o How to communicate and escalate during an incident.
  o How to operate all IR tools and resources.

8.1.1.d IR Training Scheduling and Frequency
• IR training should be provided for all IR team members within 30 days of the individual's initial assignment to the IR team.
• IR training should be provided thereafter for all IR team members at least annually. Where possible, team members will be trained together as a group.