1.0 TITLE: Enterprise Computer Incident Response Policy
1.1 EFFECTIVE DATE: October 23, 2008
1.2 TYPE OF ACTION: New Policy
1.3 KEY WORDS: Kansas Information Technology Security Council, Enterprise Security Policy, Information Security, User Security, Personally Identifiable Information, Security Incident Response.
2.0 PURPOSE: To define the requirements related to actions and activities before, during and after an IT system security incident. Agencies may require other policies to address needs relating to privacy or other losses not related to paragraph 5.1 below.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as Entities.
4.1 K.S.A. 1998 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state agencies.
4.2 Kansas Information Technology Executive Council (ITEC), ITEC Policy 7300R1, Information Technology Security Council Charter
4.3 Kansas Information Technology Executive Council (ITEC), ITEC Policy 7230, Revision 1, General Information Technology Enterprise Security Policy.
4.4 Regents Information Technology Council (RITC) Security Incident Policy and Procedure, RITC Security Incident Policy
4.5 Department of Administration Intrusion Detection Incident Response Security Policy and Procedure.
4.6 USDA Cyber Security Incident Handling Procedures manual (March 20, 2006)
4.7 National Institute of Standards and Technology Special Publication 800-61 “Computer Security Incident Handling Guide”
4.8 National Institute of Standards and Technology Special Publication 800-100 “Information Security Handbook: A Guide for Managers.”
4.9 Carnegie Mellon University Software Engineering Institute “Handbook for Computer Security Incident Response Teams (CSIRTs)”
4.10 Forum of Incident Response and Security Teams (FIRST), CSIRT Case Classification, http://www.first.org/resources/guides/csirt_case_classification.html (November 17, 2004)
5.1 Security incident is defined as a compromise of a system that has critical, sensitive, or confidential data; any compromise that significantly affects agency resources; the act of violating an explicit or implied security policy; the act of violating any Federal, State or local law which may result in the loss of confidentiality, integrity or availability. Compromises may be the result of failed or successful unauthorized access attempts; unwanted disruption of service; or use of a system to change or damage system hardware, firmware or software.
5.2 Incident response is defined as the activities and actions undertaken before, during and after a security incident. This includes the four phases of the Incident Response Life Cycle: 1) preparation, 2) detection and analysis, 3) containment, eradication and recovery, and 4) post-incident activity.
6.1 Statement of Responsibility: The Chief Information Security Officer (CISO) is designated as the central point of contact and coordinating authority for enterprise IT Security incidents.
6.2 The CISO is responsible for establishing a Computer Security Incident Response Team (CSIRT) and for conducting its activities according to the Enterprise IT Security Reporting Protocols (ITEC 7320A).
6.3 The CISO is responsible for notifying entities and Regents institutions of incidents according to the parameters and guidelines contained in the Enterprise IT Security Reporting Protocols (ITEC 7320A).
6.4 Entities are responsible for following the Enterprise IT Security Reporting Protocols (ITEC 7320A).
6.5 Regents institutions will report enterprise IT security incidents to the KBOR President & CEO and/or KBOR Chief Information Officer (CIO) of the Board of Regents within 24 hours of a major security incident. The KBOR President & CEO or KBOR CIO will then notify the CISO and Executive Branch CITO.
7.1 The practices and procedures for Enterprise Computer Incident Response shall conform to the requirements set forth in the “Enterprise IT Security Reporting Protocols”, as amended, included as Attachment A to this policy.
8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Security Officer is responsible for the maintenance of this policy.
9.0 CANCELLATION: None