United States Department of Health and Human Services
HHS IRM Policy for Establishing an Incident Response Capability

January 8, 2001

HHS-IRM-2000-0006

TABLE OF CONTENTS

  1. Purpose
  2. Background
  3. Scope
  4. Policy
  5. Roles and Responsibilities
  6. Applicable Laws/Guidance
  7. Information and Assistance
  8. Effective Date/Implementation
  9. Approved
  10. Glossary

1. Purpose

The Department of Health and Human Services (HHS) security program complies with Federal laws, regulations, and directives and communicates uniform policies for the protection and control of Information Technology (IT) resources directly or indirectly relating to the activities of the Department. This document provides the policies for responding to adverse events such as computer viruses, malicious software, hoaxes, vandalism, automated attacks and intrusions. The purpose is to ensure that appropriate action is taken to minimize the consequences of a virus, malicious software, or an intrusion, and emergency response procedures and responsibilities are documented, understood, and properly executed when necessary.

2. Background

Government agencies shall augment their computer security efforts because of increased threats to critical cyber-based infrastructure systems. Incidents involving cyber threats, such as viruses, malicious user activity, and vulnerabilities associated with highly interconnected technology, require a skilled and rapid response before they can cause significant damage to computing resources, loss or destruction of data, loss of funds, loss of productivity, and damage to the agency’s reputation. These situations require that agencies have a coordinated computer security incident response capability as an extension to their contingency planning process.

3. Scope

The policy contained in this circular is applicable to all HHS information and infrastructure computing resources, at all levels of sensitivity, whether owned and operated by HHS or operated on behalf of HHS. This policy is mandatory for all organizational units, Operating Divisions (OPDIVs), employees, contractors, and others who process, store, transmit, or have access to IT resources in the Department. This policy applies to all existing automated systems and to any new systems technology acquired after the effective date of this policy and applies to computer security threats initiated by employees (e.g., misconduct) and external components.

4. Policy

    1. It is the policy of the HHS to assure that its systems and data are safe and secure from unauthorized access that might lead to the alteration, damage, or destruction of automated resources and data, unintended release of data, interrupted service, and denial of service.
    2. Each agency shall have an incident response capability to handle virtually any computer security problem that occurs and have the means for reporting incidents and disseminating incident-related information to management and users. In addition, the incident response capability must not only react to incidents, but also must have the resources to alert and educate users to pertinent risks and heighten awareness about security threats and incident-handling procedures.
    3. Each OPDIV shall establish an Incident Response Team (IRT) to determine the nature and level of severity of a computer security problem, participate in the investigation, and resolve the incident. Each OPDIV may have various types of computers and networked systems and each IRT shall have the specific technical skills to respond quickly to incidents in a particular environment and geographical location.
    4. Procedures for handling a variety of incidents and notifications shall be documented, including primary and secondary contacts for required Reporting Notifications, and should require answers to questions that would permit the IRT to respond in a business-like manner.
    5. Each OPDIV shall have a central point of contact for required reporting of incidents, coordinating an agency’s response to an incident, and acting as a clearinghouse for disseminating information concerning alerts and vulnerabilities.
    6. Each OPDIV IRT shall report incidents and their status to the OPDIV central point of contact.
    7. Through the use of enterprise infrastructure management tools, a report of computer incidents shall be submitted to the HHS Senior Information Systems Security Officer daily. Incidents involving substantial, systematic attacks, or significant loss of dollars or damage to HHS property or image shall be reported to: (1) the HHS Senior Information Systems Security Officer; (2) the Office of the Inspector General (OIG), Office of Investigations (OI), Computer Crimes Unit (CCU), Washington, D.C.; and (3) the General Services Administration Federal Computer Incident Response Capability (FedCIRC). Events impacting operations shall be reported immediately to the OPDIV Senior Information Systems Security Officer, the OPDIV CIO, and to the HHS Senior Information Systems Security Officer.
    8. The IRT shall keep the OPDIV Chief Information Officer (CIO) apprised of events as they unfold and ongoing investigations, and shall prepare a report of findings upon completion of the incident.
    9. The IRT shall establish contacts with the OIG/CCU and FedCIRC prior to an incident to establish a collaborative partnership, and share information. These contacts are established at the outset, because the handling of an incident does not leave time to establish the correct contacts.
    10. If during the course of an investigation, it appears possible that a violation of the law exists, the OPDIV IRT shall inform the OPDIV Chief Information Officer, OIG/CCU, and submit an incident report to FedCIRC with a copy to the HHS Senior Information Systems Security Officer.
    11. The IRT shall work with investigative agencies to determine whether to gather evidence, monitor an intrusion, or allow an intrusion to continue, and which agencies shall assume jurisdiction in an incident.
    12. If the OPDIV IRT reasonably believes that there was criminal intent involved in the incident, or that reckless or negligent damage was caused resulting in costs to the agency exceeding $5,000, the OPDIV IRT shall request that the OIG/CCU become involved. The OIG/CCU shall assume primary responsibility for investigating the alleged violation. The OPDIV IRT shall only be responsible for addressing the technical aspects of the case.
    13. If the OPDIV IRT finds that employee, contractor, or other misconduct caused the incident, then the OPDIV IRT shall request assistance from the OIG/CCU and the appropriate human resources office or contractor representative. The OIG/CCU shall determine what actions need to be taken, and it shall be responsible for completing the investigation of the employee's case in conjunction with other appropriate Departmental offices. The OPDIV IRT shall only be responsible for addressing the technical aspects of the case.
    14. After the incident has been resolved, a lessons learned session shall be conducted so that the IRT can learn from the experience and, if necessary, update its procedures. As a result of the post-incident analysis, the IRT may need to issue alerts or warnings to its constituency about certain actions to take to reduce vulnerabilities that were exploited during the incident. The IRT shall use the post-incident analysis to ascertain its impact on the agency as a result of handling and resolving the incident.

5. Roles and Responsibilities

Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of information systems shall be documented.

5.1 The HHS Chief Information Officer (CIO)

The HHS Chief Information Officer is responsible for establishing and implementing the information security policies for responding to the detection of adverse events and assuring that appropriate action is taken to minimize the consequences of each such event.

5.2 The Deputy Assistant Secretary for Information Resources Management (DASIRM)

The DASIRM is responsible for monitoring and updating the Department’s security policies, procedures, standards, and architecture to enable better detection and response capability. The DASIRM is responsible for notifying OPDIV CIOs and coordinating responses regarding incidents that span more than one OPDIV.

5.3 The OPDIV CIOs

OPDIV CIOs are responsible for the following:

      1. Establishing and implementing policy, procedures, and practices that are consistent with Departmental requirements to assure that OPDIV systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, unintended release of data, and denial of service;
      2. Ensuring that all OPDIV employees and contractors comply with this policy;
      3. Ensuring that IT security requirements, procedures, and practices are provided in computer security training materials; and
      4. Ensuring the establishment of IRT(s) to participate in the investigation and resolution of incidents in their respective OPDIV.

5.4 The HHS Senior Information Systems Security Officer

The HHS Senior Information Systems Security Officer is responsible for the following:

      1. Developing and disseminating information concerning the potential dangers of computer security incidents, guidelines for its control, and reporting of incidents;
      2. Notifying the HHS CIO of computer security incidents;
      3. Developing and issuing instructions for detection and removal of malicious software;
      4. Providing guidance for determining what constitutes criminal intent and employee misconduct; and
      5. Collecting and reviewing daily incident reports.

5.5 The OPDIV Senior Information Systems Security Officer

The OPDIV Senior Information Systems Security Officer is responsible for the following:

      1. Promptly notifying the HHS Senior Information Systems Security Officer of computer security incidents that are substantial or systematic attacks, or that involve loss of dollars or damage to HHS property or image;
      2. Ensuring that appropriate procedures are implemented and instructions issued for the detection and removal of malicious software;
      3. Ensuring that all OPDIV personnel are aware of this policy and incorporating it into computer security briefings and training programs;
      4. Serving as an OPDIV focal point for incident reporting and subsequent resolution; and
      5. Through the use of the enterprise infrastructure management tools, ensuring that automated daily incident reports are sent to the HHS Senior Information Systems Security Officer for all computer-related incidents.

5.6 Supervisors and Managers

Supervisors and managers shall ensure that their staffs (Federal and contractor) have an awareness of their security responsibilities for reporting any computer incidents and conveying initial incident reports.

5.7 Employees

Employees shall report any suspected or actual computer incidents immediately to their help desk support, OPDIV Senior Information Systems Security Officer, or other designated personnel.

5.8 Incident Response Teams

An IRT shall participate in the investigation and resolution of incidents that include (but are not limited to): unauthorized access or attempts; compromise of proprietary data using electronic means; computer misuse or abuse; vulnerability of hardware or software; and loss of data or computer availability sufficient to cause mission or programmatic impact. In addition, the IRT shall:

        1. Consist of a designated core group with as needed ad hoc expertise;
        2. Identify computer security incidents, characterize the nature and severity of the incident, and provide immediate diagnostic and corrective actions, when appropriate. Priorities must be considered in evaluating and responding to each incident because an incident may have many possible effects, ranging from the risk to human life and safety to protecting sensitive, proprietary and scientific data, and minimizing disruption of computing resources;
        3. Receive incident reports from its intrusion detection system, pro-active scans, system administrators, law enforcement officials and other sources;
        4. Log all reports. The IRT members shall share knowledge. If suspicion is confirmed or indeterminate, the IRT shall start an event log by noting date and time of all action, immediately take a snapshot of the pertinent files of the incident investigation, and inform the OPDIV Senior Information Systems Security Officer, who shall notify their CIO;
        5. Report all incidents to the appropriate individuals and organizations as described in the Policy section; and
        6. Prepare a report of findings and perform a post-incident review.

5.9 The Office of the Inspector General

The Office of the Inspector General, Computer Crime Unit is responsible for the following:

      1. Promptly responding to all incidents where assistance has been requested or when it becomes aware that criminal acts have been perpetrated against HHS systems, and investigating these incidents when appropriate;
      2. Preserving, in conjunction with the System Administrators, all materials (e.g., system logs) that are of evidentiary value for Federal, State and local criminal prosecutions and civil action; and
      3. Providing assistance to IT Security Officers, CIOs and other individuals in resolving questions of suspected criminal activity and other investigative policy questions and shall serve as the official liaison with the Department of Justice and other investigative agencies.

6. Applicable Laws/Guidance

The following public laws and Federal authorities are applicable to this policy circular:

    • Government Information Security Act of 1999;
    • Computer Fraud and Abuse Act of 1986 (P.L. 99-474);
    • Computer Security Act of 1987 (P.L. 100-235);
    • Privacy Act of 1974 (P.L. 93-579);
    • Clinger-Cohen Act (Information Technology Management Reform Act of 1996 - Division E of P.L. 104-106);
    • Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources;
    • Presidential Decision Directive 63 (PDD-63), Critical Infrastructure Protection, May 22, 1998;
    • Inspector General Act, 5 U.S.C. Appendix 3, section 4;
    • HHS General Administrative Manual, Chapter 5-10, transmittal 90.05 dated 08/15/90, General Policy - Responsibility and Procedures for Reporting Misconduct and Criminal Offenses, Chapter 5-10-40 Procedures for Reporting and Investigating Allegations of Criminal Offenses; and
    • National Institute of Standards and Technology Special Publication 800-3, Establishing a Computer Security Incident Response Capability, November 1991.

7. Information and Assistance

Direct questions, comments, suggestions, or requests for further information to the Deputy Assistant Secretary for Information Resources Management at (202) 690-6162.

8. Effective Date/Implementation

The effective date of this policy is the date the policy is approved.

OPDIVs have six months from the date of implementation of the EIM tools to fully comply with this policy. OPDIVs shall begin implementation of EIM by June 2001.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved

/s/ January 8, 2001

John J. Callahan
Assistant Secretary for Management and Budget


10. Glossary

Computer Security Incident - an event that may result in, or has resulted in, the unauthorized access to, or disclosure of, sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include: unauthorized use of another user's account, unauthorized scans or probes, successful and unsuccessful intrusions, unauthorized use of system privileges, and execution of malicious code (e.g., viruses, Trojan horses, or back doors). Events such as natural disasters and power-related disruptions are not generally within the scope of IRTs and should be addressed in an agency business continuity and contingency plan.

Enterprise Infrastructure Management (EIM) - an operational information technology (IT) management framework that will protect the Department’s national IT operating infrastructure by restructuring management practices, procedures, and functional boundaries. EIM will provide automated tools to reduce user and system administrator workload and increase system management capability.

Event - any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network.

Last revised: August 29, 2001