
Purpose

In support of the USG Computer Security Incident Management Standard, each institution, the USO, the GPLS, and the Georgia Archives must implement an information security incident handling capability. This standard establishes the minimum incident response and reporting requirements.

Scope, Authority, Enforcement, and Exceptions

- BoR Policy Manual, Section 11
- USG Information Security Program
- USG Appropriate Use Policy (AUP)

Standard

1. Each USG institution, the USO, the GPLS, and the Georgia Archives must implement an incident management capability including documented processes and procedures for monitoring, detection, data collection, analysis, containment, recovery, response, reporting and escalation.

2. All incident response reporting and escalation procedures must be formally documented and approved by the USG CISO with review by the GBI as required by state law.

- Upon discovery of any incident that meets the defined criteria below:
  - The incident must be reported following the USG Information Security Incident Notification and Reporting Instructions found at the USG Information Security & ePrivacy web site: http://www.usg.edu/infosec.
  - The report must be submitted to USG Information Security & ePrivacy within five (5) days of the participant organization becoming aware of an incident involving the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.
- Each participant organization must train its employees on how to recognize and report incidents in accordance with the reporting and escalation procedures.

3. Participant organizations must have a designated and recorded incident management point of contact.

4. USG institutions, the USO, the GPLS, and the Georgia Archives must report all security incidents or events of interest affecting systems or data categorized as moderate or high for any of the security objectives of confidentiality, integrity, or availability to USG Information Security & ePrivacy through the ITS Helpdesk ([email protected]) at 706-583-2001, or 1-888-875-3697 (Toll free within Georgia).

Incident Categories and Reporting Timeframes

The following table identifies all incident categories and their descriptions.

CATEGORY | NAME | DESCRIPTION
--- | --- | ---
CAT 0 | Exercise/Network Defense Testing | Used during state, federal, and USG exercises, and approved activity testing of internal/external network defenses or responses.
CAT 1 | Unauthorized Access* | A person gains logical or physical access without permission to a network, system, application, data, or other USG resource.
CAT 2 | Denial of Service* | An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting USG resources.
CAT 3 | Malicious Code* | A virus, worm, Trojan horse, or other code-based malicious entity that infects a host.
CAT 4 | Inappropriate Usage* | A person violates appropriate computing/network use policies.
CAT 5 | Probes and Reconnaissance Scans | This category includes any activity that seeks to access or identify a critical/high category system, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
PII | Personally Identifiable Information (PII) Exposure | Any information about an individual including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.
PHI | Protected Health Information (PHI) | Any individually identifiable health information. Identifiable refers not only to the data that is explicitly linked to a particular individual (identified information), but also includes health information with data items that reasonably could be expected to allow individual identification.

Note: Categories marked with an * have as their source NIST Special Publication 800-61.

The following table identifies the applicable reporting timeframe for each incident category described above.

CATEGORY | REPORTING TIMEFRAME
--- | ---
CAT 0 | Not Applicable. This category is for USG Information Security & ePrivacy's internal use during exercises. Do not report to USG Information Security & ePrivacy.
CAT 1 | Within one (1) hour of discovery/detection. Report to USG Information Security & ePrivacy.
CAT 2 | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the USG participant organization is unable to successfully mitigate activity. Report to USG Information Security & ePrivacy.
CAT 3 | Daily, within one (1) hour of discovery/detection if widespread across the USG participating organization.
CAT 5 | Monthly. If system is classified, report within one (1) hour of discovery.
CAT 6 | Not Applicable. This category is for the USG participant organization's use to categorize a potential incident that is currently being investigated. Do not report to USG Information Security & ePrivacy.
PII | Within one (1) hour of discovery/detection. Report to USG Information Security & ePrivacy.

Related Enterprise Policies, Standards, and Guidelines

- USG Computer Security Incident Management Standard

References

- USG Office of Information Security & ePrivacy: http://www.usg.edu/infosec/incident_management/.
- These documents can be found in PDF and zipped PDF formats at: http://csrc.nist.gov/publications/nistpubs
  - NIST SP 800-61, Computer Security Incident Handling Guide
  - NIST SP 800-83, Guide to Malware Incident Prevention and Handling
  - NIST SP 800-28, Guidelines on Active Content and Mobile Code
  - NIST SP 800-19, Mobile Agent Security
