Week 8 Incident Response Plan


Virginia State Archive Incident Response Plan

Purpose: This document informs, and is to be adhered to in, the response to a Data Security Breach or other security incident. It was developed using the NIST Incident Response Plan.

Roles and Responsibilities:

Incident Response Team Leader: Responsible for the overall mission of the Incident Response Team and delegates roles based on expertise and experience. Team Leader also has the final authority on all decisions within the Incident Response Team’s objectives and tasks.

Incident Response Team Lead Technician: Provides the primary technical expertise on incident response and mitigation tactics.

Incident Response Team Customer Support Lead: Assists and guides users in need during incident response.

Social Media Lead: Communicates Incident Response Status to users and the public in compliance with Information Security policies and data regulations.

Incident Response Scribe: Responsible for recording all operations and actions taken by the Incident Response Team during any incident.

Incident Response and Procedures

Preparation

  • All critical systems and assets that maintain system functionality should be well documented and properly secured in accordance with Information Security Standards and Policy.
  • Important documents and data should be identified, prioritized accordingly, and stored, handled, documented, and made accessible only to authorized parties.
  • Exit routes and emergency precautions, for a natural disaster or other emergency that requires personnel to leave the building, must be identified and easily accessible to all personnel.
  • Data backups should be performed periodically to maintain data integrity.
  • Firmware and software in use should be updated periodically.

Detection and Analysis

  • Physical Security: To prevent the destruction or theft of important LVA historical assets, physical security should be implemented to deter and stop unauthorized activities.
  • Network Analysis: Continuous monitoring of LVA activities, with event logging and vulnerability scanning, is to be put in place. Firewalls, antivirus software, and encryption must also be in place and functioning on all digital assets.
  • Surveillance systems should be up and running at all times to maintain visibility of all archive content and documents.
  • Periodic audits and scans for unusual or insecure activity are mandatory and are reviewed by the authorized personnel on the Incident Response Team.

Containment and Eradication

Physical Security Breach: 

  • In the case of a physical security breach with the possibility of theft of Library of Virginia property, all on-premises security should be alerted and local law enforcement is to be notified.

Power Outage or Physical Infrastructure Failure:

  • Depending on the cause of the outage and how long operations are halted, all personnel should follow the standard procedure for system malfunction.

Distributed Denial of Service (DDOS):

  • If a DDOS attack by threat actors is suspected, the Incident Response Team is to contact the organization’s Internet Service Provider and confirm that an attack is occurring on the network.
  • If the ISP confirms a DDOS attack, all digital archives are to be monitored and firewall access is to be limited by IP and packet size until the attack is mitigated and operations can continue.

Data Corruption:

  • Once the corrupted data is found, it should be isolated from the rest of the system to mitigate further corruption.
  • After data isolation, the Incident Response Team is to restore the data from backups and/or recover the data if possible.

Natural Disasters:

  • Once personnel are safe and the incident is stabilized, all historical and valued documents should be temporarily stored in a pre-identified backup location that meets the required standards.
  • All of the archive’s digital records and collections are to be restored from backups and verified for integrity.
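The Data Corruption and Natural Disasters procedures above both end with restoring records from backup and verifying their integrity. The following is an added worked example, not part of the original plan, showing one way to do that verification: a SHA-256 manifest is recorded when the backup is taken, and the restored tree is compared against it so that corrupted, missing, and unexpected files are reported separately. The directory layout, file names, and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large archive files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest.

    Run this when the backup is taken and store the result with the backup.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns four lists: files whose digest matches ("ok"), files whose digest
    differs ("corrupted"), files listed in the manifest but absent from the
    restore ("missing"), and files present in the restore that the manifest
    never recorded ("unexpected").
    """
    result: dict[str, list[str]] = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean backup, then a restore with one corrupted
    record, one missing record, and one stray file left by the restore tool."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        for root in (backup, restore):
            (root / "collections").mkdir(parents=True)
            (root / "collections" / "ledger-1850.txt").write_bytes(b"page 1 of the 1850 ledger")
            (root / "collections" / "map-1790.txt").write_bytes(b"survey map, 1790")
            (root / "index.txt").write_bytes(b"ledger-1850, map-1790")
        manifest = build_manifest(backup)
        # Simulate damage in the restored copy only; the manifest still reflects the backup.
        (restore / "collections" / "ledger-1850.txt").write_bytes(b"page 1 of the 185 ledger")
        (restore / "index.txt").unlink()
        (restore / "stray.tmp").write_bytes(b"left behind by the restore tool")
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A file in the "corrupted" or "missing" list should be restored again from a second backup copy before the record is returned to service; the "unexpected" list catches files that were never part of the collection and should be reviewed rather than silently kept.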

Post-Incident Activity and Recovery

  • Once the incident has been remediated, the next step is to return the infrastructure to full system functionality.
  • The Incident Response Team is required to hold a Post-Incident Meeting to understand what happened, its cause, how well the Team responded, and how to remediate the issue.
  • A message notifying the public and the required parties (Agency Heads, Personnel, etc.) of the incident, in compliance with regulations, will be released no later than 24 hours after the incident.
  • Review the effectiveness of the Incident Response Plan and update it for future use.

Resources:

https://www.vita.virginia.gov/media/vitavirginiagov/it-governance/psgs/pdf/SEC501-Information-Security-Standard.pdf

https://www.ncsl.org/energy/cybersecurity-and-physical-security

https://www.fema.gov/sites/default/files/2020-06/rsf_infrastructure_systems.pdf

https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf

https://www.cynet.com/incident-response/nist-incident-response/#:~:text=Incident%20response%20is%20a%20structured,%3B%20and%20post%2Dincident%20activity.
