ISMS 8: Major Incident Management Procedure

The procedure for major / crisis incident response

This major incident report procedure contains the policies and guidelines necessary to identify and report system disruptions and security incidents. System disruptions are included because they are often the first indication of an incident.

There are no exceptions to the application of this procedure allowed.

In this document the terms MUST & SHOULD are used and when in upper case have the following meaning:

  • MUST means mandatory. It is an absolute requirement.
  • MUST NOT means forbidden. It is an absolute prohibition.
  • SHOULD means a requirement. Any non-compliance MUST follow the formal Exceptions to Policy Process.
  • SHOULD NOT means a prohibition. Any non-compliance MUST follow the formal Exceptions to Policy Process.

This procedure specifically addresses MAJOR Information Security Incidents for ALL systems at Upmind Automation Limited globally.

Objectives

The objectives of the procedure are to protect the Upmind Automation Limited system and the data stored and processed on it, and to minimise the loss or theft of information or the disruption of critical computing services when major incidents occur. This procedure also describes how major incident response is managed in accordance with legal and guidance requirements.
To accomplish this objective, it is necessary to:

  • Coordinate proactive activities to reduce the risk to Upmind Automation Limited systems;
  • Determine the size and trends of the incident issue;
  • Coordinate preparation for and response to disruptions and incidents;
  • Help Upmind Automation Limited site quickly and effectively recover from incidents and enable it to return to normal operation as soon as possible.

The guidelines provided within this procedure do not comprise an exhaustive set of incident handling procedures. Please refer to the Incident Management standard.

Definitions

Crisis - Where Upmind Automation Limited is no longer able to control the critical external dynamics of the situation and where a group of Upmind Automation Limited managers agree upon the necessity of convening a formal crisis team.
Extended Response Team - members of the Extended Response Team may include external security, forensics, PR and legal specialists.

Major incidents examples

  • Any intrusion into a classified network with a perceived unauthorised result.
  • Any ongoing unauthorised privileged user, administrator, or root level access of the system.
  • Any indications of denial of service or distributed denial of service attacks.
  • Any new virus or worm for which no published countermeasures exist, any new virus whose propagation could outrun existing containment capabilities, or any new virus that affects network services.
  • Any root level access on a system using new methods that exploit significant vulnerabilities.
  • Unavailability of hosting provider’s data center.
  • Unavailability of Upmind Automation Limited office access.

Escalation process

Direct the Incident Response Support team to:

  • Set up communications between all Response Team members;
  • Assume occupancy of the Company backup centre and invoke the Disaster Recovery plan;
  • Initiate an incident voice mail box where status messages can be posted to keep staff notified;
  • Where the threat is widespread or the impact is significant, determine the course of action for containment and eradication, message employees / customers, and prepare to take legal action for financial restitution, etc.;
  • Alert the Extended Team of the incident, notifying them of the severity level.

Direct the Extended Team to:

  • Ensure that all needed information is being collected to support legal action or financial restitution;
  • Advise Upmind Automation Limited accordingly.

Post Incident

Prepare a report for the Director to include:

  • Estimation of damage / impact;
  • Action taken during the incident (not technical);
  • Follow-on efforts needed to eliminate or mitigate the vulnerability;
  • Policies or procedures that require updating;
  • Efforts taken to minimise liabilities or negative exposure;
  • The chronological log and any system audit logs requested by the Extended Team;
  • Lessons learned, with the Incident Report Plan modified accordingly.

Extended Team actions include, but are not limited to:

  • Legal and finance work with external authorities in case the incident originated from an external source;
  • HR and security work with management to determine disciplinary action in the case that the incident was from an internal source.

Response Timeline

After an incident has been identified, Upmind Automation Limited personnel will utilise the following table as guidance for reporting the event.

Category       Reporting Timeline                                   Method of Reporting
High / P2      10 minutes from detection                            Telephone, Email (approved methods)
Urgent / P1    Outbreak in progress: 10 minutes after detection     Telephone, Email (approved methods)
Crisis         Ongoing: 1 hour from detection                       Telephone, Email (approved methods)