Developing an Agency Incident Response Process

1.0 Identification Data
1.1 BSP Number
00015
1.2 BSP Title/Name
Developing an Agency Incident Response Process
1.3 Version Number
1.0
1.4 Adoption Date
02/20/2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee
1.6 Responsible Organization
Social Security Administration, OFAM, Office of Financial Policy and Operations (OFPO), Office of Information Systems Security (OISS)
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
BSP Security Process Framework, Section 7, Incident Response (C&A).

NIST SP 800-14, Section 3.7, Computer Security Incident Handling

SSE-CMM, Security Base Practice PA08, Monitor Security Posture

1.9 Reserved
1.10 Points of Contact
Government BSP Owner:
  • Jack Garnish
    ISSO, Social Security Administration
    6401 Security Blvd
    Baltimore, MD 21235
    Telephone: 410-965-2765
    Fax: 410-966-0527
    E-mail: jack.garnish@ssa.gov
    Staff contact: Laurie Peiser (laurie.peiser@ssa.gov), 410-965-0278
2.0 What This BSP Does
2.1 BSP's Purpose
This process has made it possible for SSA to respond quickly and effectively to attempts to compromise our system resources.
2.2 Requirements for this BSP
Office of the President
  • Presidential Decision Directive 63, "Critical Infrastructure Protection": "take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems and have a system for responding to a significant infrastructure attack, while it is underway, with the goal of isolating and minimizing damage."
Office of Management and Budget
  • OMB Circular No. A-130, "Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Systems", A. 3. a. 2) d) Incident Response Capability: "Ensure that there is a capability to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. This capability shall share information with other organizations, consistent with NIST coordination, and should assist the agency in pursuing appropriate legal action, consistent with Department of Justice guidance."
Office of Management and Budget
  • Memorandum M-01-08, "Guidance On Implementing the Government Information Security Reform Act": "As found in existing policy, all agency programs will include procedures for detecting, reporting, and responding to security incidents, including notifying and consulting with law enforcement officials, other offices and authorities, and the General Services Administration's Federal Computer Incident Response Capability (FedCIRC). The intent of the incident handling provision is to ensure that each agency has both the technical and procedural means in place to detect and appropriately report security incidents and share information on common vulnerabilities. Policies and procedures should be documented and remove unnecessary internal obstacles to the timely reporting to the appropriate authorities within the agency (for example, security officials and Inspectors General) and with external organizations (for example, FedCIRC, law enforcement e.g., the National Infrastructure Protection Center, and national security)."
2.3 Success Stories
The Social Security Administration has successfully used its Incident Response Process to deal with multiple security incidents. Additional information can be provided to Federal Agency Information Systems Security Officers through the process outlined in Section 3.1, below.
3.0 What This BSP Is
3.1 Description of BSP
Providing a BSP for incident response is a challenge. For obvious reasons, we cannot post our incident response procedures to an open web site, yet the openness of the BSP process is the feature that makes it most useful to individuals searching for effective security practices. As a result, we have come up with the following compromise, which we hope will prove effective:
3.1.1 Inputs

  • We believe that our incident response procedures can be readily adapted for use by other Federal Agencies. The main issue is scaling the process to meet the needs of your Agency, not that the type of process would need to change. Since we cannot post sensitive Agency information with the BSP, SSA is willing to provide the following assistance to other Federal Agencies working on establishing an incident response process:
    • We will provide access to our procedures in a way that ensures that we can maintain the confidentiality of those procedures.
    • We will provide access to both policy and technical staff to help you adapt these procedures to meet the needs of your Agency.
    • We will provide continuing access to staff during your implementation to help you get your team operational as quickly and smoothly as possible, as long as providing this support does not interfere with the duties of those staff members.
    Federal Agencies that would like the above assistance should have their Information Systems Security Officer (ISSO) e-mail us at ssasso@ssa.gov. Please use a subject line of INCIDENT RESPONSE ASSISTANCE and provide your name, agency, business address, and telephone number in your message. ONLY REQUESTS FROM FEDERAL AGENCY ISSOS WILL BE ACCEPTED. We will try to respond to your message within 5 business days.
3.2 Relationship to Other BSPs
BSP 00007, Incident Handling at BMDO, offers the procedures of a small office.
4.0 How To Use This BSP
4.1 Implementation Guidance
  • Implementation guidance will be provided using the process outlined in Section 3.1, above.
Appendices
A Executive Overview and Briefing
None applicable
B Reference List
National Institute of Standards and Technology, Information Technology Laboratory (ITL) Bulletin, "Computer Attacks: What They Are and How to Defend Against Them", May 1999
FedCIRC Security Document Index, "Understanding Incident Response"
C Procurement Information
None Applicable
D Evaluation Information
None Applicable
E Recommended Changes
None Applicable