Trinity Operating Procedures - TOPs
TOP-CYBER: Cyber-security Incident Response
Rev: 04/05/2018

Scope:
This policy describes the process for responding to a cyber-security incident.
Procedure:

Cyber-security incident definition
A cyber-security incident is an incident in which someone illegally accesses computers in our network by connecting to them without permission or by installing a virus or malware on one or more computers in the network.
Incident Identification
Cyber-security incident notification can originate from IT personnel, end users, vendors, or customers. The IT Manager should be immediately notified of a cyber-security incident via telephone or in person. In the event the IT Manager cannot be contacted, notify the people in the contact list below via telephone or in person.

DO NOT use email to provide initial notification of a cyber-security incident!

Contact List:
Gerry Spearman, IT Manager
John Fairbanks, General Manager
Todd Omer, Controller
Containing Damage
Specific to virus or malware infection:
- The first person to suspect a virus or malware infection on a computer should immediately disconnect that computer from the network by disconnecting the network cable from the computer.
- In the event the computer is a laptop, also turn off the wireless capability for the laptop.
- Do not connect a potentially infected computer to the network unless directed to do so by the IT Manager.
- Do not turn the computer off until that computer is evaluated by the IT Manager.

The IT Manager will:
- Obtain samples of any files affected by the cyber-security incident, as necessary.
- Obtain, and retain for 30 days, a backup image of any computers affected by the cyber-security incident.
- Assure security patches are up to date on all computers in the network.
- Update anti-virus signatures on all the computers in the network.
- Close firewall ports, if applicable, related to the cyber-incident.
- Disable compromised accounts.
- Scan the network using vulnerability analyzers to search for vulnerable computers.
- Change passwords, where appropriate.
Eradicate Damage
The IT department should follow these steps to eradicate the damage caused by a cyber-security incident:
- Boot CDs should be used to access data on compromised computers.
- In computers where the operating system is suspected of compromise, the computer hard drive should be wiped and the computer rebuilt from removable media (CD, DVD).
- Test any backups prior to using them to restore data, and monitor for new incidents.
- Document everything done related to this cyber-security incident.
Recovery
- Involve multiple users to retest the system.
- Consider consequences of timing of return to production.
- Weigh thoroughness vs. a rapid return to production.
- Discuss customer notification and potential customer concerns with management.
- Discuss media handling issues with users.
- No portable media should be connected to any network computer without first being scanned for viruses.
- Continue to monitor for cyber-security incidents.
Review
A report should be written detailing the cyber-security incident, the response to that incident, and recommendations for minimizing the chance of recurrence.

*The Department of Defense must be notified within 72 hours of the discovery of a cyber-security incident.*
Release Date | Description of Change | Owner | Approver
04/05/2018 | Created to comply with the DoD cyber-security incident policy. | Tim Ellis | Todd Sheppard
Documents are controlled only when viewed on-line at trinityforge.com in the original English -- printed copies or translations are not controlled documents.

Trinity Forge & Machine