1 of 11

County DHS Incident Response Planning

Health Care Policy and Financing, Colorado Department of Human Services and Governor’s Office of Information Technology in partnership with the National Cybersecurity Center

2 of 11

Responding to an Incident

Prepare

Identify

Contain

Eradicate

Recover

Follow Up/Lessons Learned

These are the base criteria for an Incident Response Plan –

Prepare—create and/or review organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team.

Identification—monitor IT systems and detect changes from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.

Containment—perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems

Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.

Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.

Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.

For county DHS working towards incentive, each of these steps should be included and clearly identified in your submitted IRP. This is what we will look for to determine whether your plan is accepted or not.

3 of 11

Cyber Incident Response Team

Purpose

Protect Our Information assets
Provide a central organization to handle incidents
Comply with requirements and regulations
Prevent the use of our systems in attacks against other systems (which could cause us to incur legal liability)
Minimize the potential for negative exposure.

Objectives

Limit immediate incident impact to customers and partners
Recover from the incident
Determine how the incident occurred
Find out how to avoid further exploitation of the same vulnerability
Avoid escalation and further incidents
Assess the impact and damage in terms of financial impact, loss of image etc.
Update policies and procedures as needed
Determine who initiated the incident
Document all information, events, and efforts to provide to law enforcement

4 of 11

Organizing for Incident Response

5 of 11

Our Cyber Incident Response Team

Role	Responsibilities	Primary/Alternate(s)
Cyber Incident Response Management	Will have overall responsibility for directing activities in regard to the incident at Severity Level 2 and above. Will serve in advisory capacity for incidents at Severity Level 1. Coordinates external assistance as required.
Cyber Incident Response Coordinator	Provides oversight to incident response. Requests resources as required to effectively contain and manage an incident response. Documents incident for purposes of law enforcement, lessons learned, and insurance.
Cyber Operations Team / Technical Operations Team	Provide technical aspects of incident response.
Communications / Media Team	Responsible for internal, external and media communications
Extended Technical Team	Provides additional technical skill and capability to the Technical Operations team as required (ie. outside vendor or agency)
Admin Support	Provides requested administrative support.
Extended Team	Provide additional visibility and support to incident response as required. Provide specific HR, legal, finance, etc. skills as required.

6 of 11

Additional Team Members

DATA OWNERS

DEPARTMENT LEADERSHIP

SUBJECT MATTER EXPERTS

7 of 11

Incident Categories

Severity Level	Description
0 (Low)	Incident where the impact is minimal. Examples are e-mail SPAM, isolated Virus infections, etc.
1 (Medium)	Incident where the impact is significant. Examples are a delayed ability to provide services, meet our mission, delayed delivery of critical electronic mail or data transfers, etc.
2 (High)	Incident where the impact is severe. Examples are a disruption to the services, and/or performance of our mission functions. Our proprietary of confidential information has been compromised, a virus or worm has become widespread, and is affecting over 1% of employees, Public Safety systems are unavailable, or our Executive management has been notified.
3 (Extreme)	Incident where the impact is catastrophic. Examples are a shutdown of all our network services. Our proprietary or confidential information has been compromised and published on a public site. Public safety systems are unavailable. Executive management must make a public statement.

8 of 11

Incident Escalation and Team Activation

Escalation Level	Affected Team(s)	Description
0	Technical Operations Team Cyber Operations Team	Normal Operations. Engineering and cyber groups monitoring for alerts from various sources.
1	Technical Operations Team Cyber Operations Team Cyber Incident Response Coordinator Cyber Incident Response Management	Our organization has become aware of a potential or actual threat. Determine defensive action to take. Message employees of required actions if necessary.
2	Cyber Incident Response Management Cyber Incident Response Coordinator Technical Operations Team Cyber Operations Team Extended Technical Team Communications / Media Team	A threat has manifested itself. Determine course of action for containment and eradication. Message employees of required actions if necessary.
3	Cyber Incident Response Management Cyber Incident Response Coordinator Extended Team Technical Operations Team Cyber Operations Team Extended Technical Team Communications / Media Team Administrative Support Team	Threat is widespread or impact is significant. Determine course of action for containment, mitigation and eradication. Message employees. Prepare to take legal action. Prepare to make public statement.

9 of 11

Special Circumstances

How will you communicate if email and/or phones systems are offline or compromised?

Develop alternative and offline communication methods now.

Identify reporting requirements for reporting breach of confidential information.

For instance HIPAA, CJIS, FERPA, and others have strict reporting requirements.

Are there templates you can use?

10 of 11

Post Incident

Cyber Incident Coordinator and Response Management

Estimate of damage/impact,
Action taken during the incident (not technical detail),
Follow on efforts needed to eliminate or mitigate the vulnerability,
Policies or procedures that require updating,
Efforts taken to minimize liabilities or negative exposure.
Provide the chronological log and any system audit logs requested by the Extended Team,
Document lessons learned and modify the Cyber Incident Response Plan accordingly.

Extended Team

Legal and Finance work with the local authorities as appropriate in the case that the incident was from an external source.
HR and IT work with *Our Organization* management to determine disciplinary action in the case that the incident was from an internal source.
Law Enforcement, Homeland Security leveraged to support as necessary.

11 of 11

Continuous Improvement

Conduct table-top exercises.
Conduct live or semi-live incident scenarios.
Refine the plan to make it your own.
Ask for help from your peers.
Share back with the National Cybersecurity Center community.
Volunteer to be part of the group that will help refine this process for Colorado local governments.