Cyber Security Incident Response Plan

Cyber Security Incident Response Plan


 

Cyber Security Incident Response Plan (for Incidents Internal to GGIT


This document describes the steps to be taken during a cyber security incident response. 


For purposes of this plan, our Security Team consists of Roberta and Matthew.


You can reach the security team by phone, Slack or via email at securityteam@nygeekgirls.com. If there is a breach involving Slack or Microsoft, you will want to think twice before using those platforms for communication. 

1. The person who discovers the incident will contact a member of the Security Team who is currently working. During non-business hours, Roberta should be contacted unless you’ve been alerted otherwise. Possible sources who may discover the incident. 

  1. helpdesk (MC)
  2. Internal personnel
  3. External subcontractor
  4. A business partner: customer, vendor, etc.   
  5. An outside source 

  1. The known sources know how to contact the company and leave a voice mail or how to submit a critical ticket. This info can also be provided to any possible sources: 

If the person discovering the incident is a member of the Security Team or affected department, they will proceed to step 5 of the Cyber Security Incident Response Plan.

3. If the person discovering the incident is not a member of the Security Team or affected department, they will contact a member of the Security Team (Roberta or Matthew depending on hours). 

4. Depending on the scale of the incident, Roberta will report the incident to the Cyber Security Insurance company via either our agent at Rue Insurance or via USLI Insurance. We can not incur any Privacy Breach Expense without first reporting the Privacy Breach, suspected Privacy Breach or Security Event to the insurance provider and using a service provider of the Company’s choice.

5. The Security Team will notify the rest of the internal employees. The Security Team will log: 
  1. The name of the caller reporting the incident. 
  2. Time of the call. 
  3. Contact information about the caller. 
  4. The nature of the incident. 
  5. What equipment or persons were involved? 
  6. Location of equipment or persons involved. 
  7. How the incident was detected. 
  8. When the event was first noticed that supported the idea that the incident occurred.
  9. Is the equipment affected business critical? 
  10. What is the severity of the potential impact? 
  11. Name of system being targeted, along with operating system, IP address, and location. 
  12. IP address and any information about the origin of the attack. 


  1. Security Team will meet or discuss the situation over the telephone and determine a response strategy. 
  1. Is the incident real or perceived? 
  2. Is the incident still in progress? 
  3. What data or property is threatened and how critical is it? 
  4. What is the impact on the business should the attack succeed? Minimal, serious, or critical? 
  5. What system or systems are targeted, where are they located physically and on the network? 
  6. Is the incident inside the trusted network? 
  7. Is the response urgent? 
  8. Can the incident be quickly contained? 
  9. Will the response alert the attacker and do we care? 
  10. What type of incident is this? Example: virus, worm, intrusion, abuse, damage. 
  11. Is this a ransomware attack? If there is a chance a ransom will have to be paid, we must not incur any ransom expense without first reporting the Threat to our insurance provider and obtaining the insurance provider 's written consent for payment of the ransom. 
  1. An incident ticket will be created in AutoTask using the ticket category “Internal" and the issue type "Security Incident.” The incident will be categorized into the highest applicable level of one of the following sub-issue: 
  1. Category one - A threat to public safety or life. 
  2. Category two - A threat to sensitive data 
  3. Category three - A threat to computer systems 
  4. Category four - A disruption of services 

  1. Team members will establish and follow one of the following procedures basing their response on the incident assessment. (“AT KB” refers to Autotask Knowledge Base): 
  1. Worm or Virus response procedure: AT KB Article ID 82
  2.  Active intrusion response procedure - Is critical data at risk?
  3. Inactive Intrusion response procedure 
  1. Immediately change relevant passwords

d. System abuse procedure 
  1. Immediately change relevant passwords


f. Property theft response procedure 
  1. Remote wipe device if possible
  2. Change any passwords for any logins accessible from device (email, cloud drives, etc. 
  3. Report theft to local police

g. Website denial of service response procedure
I. Report attack to webhost DAthorn (contact info in IT Glue) 
II. Disable web site until malware can be cleaned up by member of security team 

h. Database or file denial of service response procedure
  1. If cloud-based: 
  1. Report to service host
  1. Proceed with instructions from cloud services host
  1. If local: 
  1. physically disconnect from network
  1. Proceed with instructions from senior technician


  1. Clean up malware: AT KB Article ID 82
  2. Spyware response procedure: 
  1. AT KB Article ID 82
  2. Change potentially hacked or stolen passwords
  3. Force users to change potentially hacked or stolen passwords


8. The Team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident. 
9. Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation.
10. Team members will recommend changes to prevent the occurrence from happening again or infecting other systems. 

11.  Upon management approval, the changes will be implemented. 
 12. Team members will restore the affected system(s) to the uninfected state. They may do any or more of the following: 
  1. Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this. 
  2. Force users to change passwords if passwords may have been sniffed. 
  3. Confirm the system has been hardened by turning off or uninstalling unused services. 
  4. Confirm the system is fully patched. 
  5. Confirm real-time virus protection and intrusion detection is running. 
  6. Be sure the system is logging the correct events and to the proper level. 
  1.  Documentation—the following shall be documented in the ticket: 
  1. How the incident was discovered. 
  2. The category of the incident. 
  3. How the incident occurred, whether through email, firewall, etc. 
  4. Where the attack came from, such as IP addresses and other related information about the attacker. 
  5. What the response plan was. 
  6. What was done in response? 
  7. Whether the response was effective. 
 14. Evidence Preservation—make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal. 
15.  Notify proper external agencies—notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies contacted in the ticket. 
16. Assess damage and cost—assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. 
17.  Review response and update policies—plan and take preventative steps so the intrusion can't happen again. 
18. Consider whether an additional policy could have prevented the intrusion. 
  1. Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future. 
  2. Was the incident response appropriate? How could it be improved? 
  3. Was every appropriate party informed in a timely manner? 
  4. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved? 
  5. Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.? 
  6. Have changes been made to prevent a new and similar infection? 
  7. Should any security policies be updated? 
  8. What lessons have been learned from this experience?