HHS IRM Policy for Establishing an Incident Response Capability
January 8, 2001
HHS-IRM-2000-0006
TABLE OF CONTENTS
- 1. Purpose
- 2. Background
- 3. Scope
- 4. Policy
- 5. Roles and Responsibilities
- 6. Applicable Laws/Guidance
- 7. Information and Assistance
- 8. Effective Date/Implementation
- 9. Approved
- 10. Glossary
1. Purpose
The Department of Health and Human Services
(HHS) security program complies with Federal laws, regulations, and directives
and communicates uniform policies for the protection and control of Information
Technology (IT) resources directly or indirectly relating to the activities
of the Department. This document provides the policies for responding to
adverse events such as computer viruses, malicious software, hoaxes, vandalism,
automated attacks and intrusions. The purpose is to ensure that appropriate
action is taken to minimize the consequences of a virus, malicious software,
or an intrusion, and emergency response procedures and responsibilities
are documented, understood, and properly executed when necessary.
2. Background
Government agencies shall augment their computer
security efforts because of increased threats to critical cyber-based infrastructure
systems. Incidents involving cyber threats, such as viruses, malicious user
activity, and vulnerabilities associated with highly interconnected technology,
require a skilled and rapid response before they can cause significant damage
to computing resources, loss or destruction of data, loss of funds, loss
of productivity, and damage to the agency’s reputation. These situations
require that agencies have a coordinated computer security incident response
capability as an extension to their contingency planning process.
3. Scope
The policy contained in this circular is applicable to all HHS information
and infrastructure computing resources, at all levels of sensitivity, whether
owned and operated by HHS or operated on behalf of HHS. This policy is mandatory
for all organizational units, Operating Divisions (OPDIVs), employees, contractors,
and others who process, store, transmit, or have access to IT resources
in the Department. This policy applies to all existing automated systems
and to any new systems technology acquired after the effective date of this
policy and applies to computer security threats initiated by employees (e.g.,
misconduct) and external components.
4. Policy
- It is the policy of the HHS to assure that its systems and data are
safe and secure from unauthorized access that might lead to the alteration,
damage, or destruction of automated resources and data, unintended release
of data, interrupted service, and denial of service.
- Each agency shall have an incident response capability to handle virtually
any computer security problem that occurs and have the means for reporting
incidents and disseminating incident-related information to management
and users. In addition, the incident response capability must not only
react to incidents, but also must have the resources to alert and educate
users to pertinent risks and heighten awareness about security threats
and incident-handling procedures.
- Each OPDIV shall establish an Incident Response Team (IRT) to determine
the nature and level of severity of a computer security problem, participate
in the investigation, and resolve the incident. Each OPDIV may have
various types of computers and networked systems and each IRT shall
have the specific technical skills to respond quickly to incidents in
a particular environment and geographical location.
- Procedures for handling a variety of incidents and notifications shall
be documented, including primary and secondary contacts for required
reporting notifications, and should require answers to questions that
would permit the IRT to respond in a business-like manner.
- Each OPDIV shall have a central point of contact for required reporting
of incidents, coordinating an agency’s response to an incident, and
acting as a clearinghouse for disseminating information concerning alerts
and vulnerabilities.
- Each OPDIV IRT shall report incidents and their status to the OPDIV
central point of contact.
- Through the use of enterprise infrastructure management tools, a report
of computer incidents shall be submitted to the HHS Senior Information
Systems Security Officer daily. Incidents involving substantial, systematic
attacks, or significant loss of dollars or damage to HHS property or
image shall be reported to: (1) the HHS Senior Information Systems Security
Officer; (2) the Office of the Inspector General (OIG), Office of Investigations
(OI), Computer Crimes Unit (CCU), Washington, D.C.; and (3) the General
Services Administration Federal Computer Incident Response Capability
(FedCIRC). Events impacting
operations shall be reported immediately to the OPDIV Senior Information
Systems Security Officer, the OPDIV CIO, and to the HHS Senior Information
Systems Security Officer.
- The IRT shall keep the OPDIV Chief Information Officer (CIO) apprised
of events as they unfold and ongoing investigations, and shall prepare
a report of findings upon completion of the incident.
- The IRT shall establish contacts with the OIG/CCU and FedCIRC prior
to an incident to establish a collaborative partnership, and share information.
These contacts are established at the outset, because the handling of
an incident does not leave time to establish the correct contacts.
- If during the course of an investigation, it appears possible that
a violation of the law exists, the OPDIV IRT shall inform the OPDIV
Chief Information Officer, OIG/CCU, and submit an incident report to
FedCIRC with a copy to the HHS Senior Information Systems Security Officer.
- The IRT shall work with investigative agencies to determine whether
to gather evidence, monitor an intrusion, or allow an intrusion to continue,
and which agencies shall assume jurisdiction in an incident.
- If the OPDIV IRT reasonably believes that there was criminal intent
involved in the incident, or that reckless or negligent damage was caused
resulting in costs to the agency exceeding $5,000, the OPDIV IRT shall
request that the OIG/CCU become involved. The OIG/CCU shall assume primary
responsibility for investigating the alleged violation. The OPDIV IRT
shall only be responsible for addressing the technical aspects of the
case.
- If the OPDIV IRT finds employee, contractor, or other misconduct caused
the incident, then the OPDIV IRT shall request assistance from the OIG/CCU,
and the appropriate human resources office or contractor representative.
The OIG/CCU shall determine what actions need to be taken, and they
shall be responsible for completing the investigation of the employee's
case in conjunction with other appropriate Departmental offices. The
OPDIV IRT shall only be responsible for addressing the technical aspects
of the case.
- After the incident has been resolved, a lessons learned session shall
be conducted so that the IRT can learn from the experience and, if necessary,
update its procedures. As a result of the post-incident analysis, the
IRT may need to issue alerts or warnings to its constituency about certain
actions to take to reduce vulnerabilities that were exploited during
the incident. The IRT shall use the post-incident analysis to ascertain
its impact on the agency as a result of handling and resolving the incident.
5. Roles and Responsibilities
Information systems security responsibilities and accountability shall
be explicit. The responsibilities and accountability of owners, providers,
and users of computer systems and other parties concerned with the security
of information systems shall be documented.
5.1 The HHS Chief Information Officer (CIO)
The HHS Chief Information Officer is responsible for establishing and
implementing the information security policies for responding to the detection
of adverse events and assuring that appropriate action is taken to minimize
the consequences of each such event.
5.2 The Deputy Assistant Secretary for Information Resource Management
The DASIRM is responsible for monitoring and updating the Department’s
security policies, procedures, standards, and architecture to enable better
detection and response capability. The DASIRM is responsible for notifying
OPDIV CIOs and coordinating responses regarding incidents that span more
than one OPDIV.
5.3 The OPDIV CIOs
OPDIV CIOs are responsible for the following:
- Establishing and implementing policy, procedures, and practices
that are consistent with Departmental requirements to assure that
OPDIV systems, programs, and data are secure and protected from unauthorized
access that might lead to the alteration, damage, or destruction of
automated resources, unintended release of data, and denial of service;
- Ensuring that all OPDIV employees and contractors comply with this
policy;
- Ensuring that IT security requirements, procedures, and practices
are provided in computer security training materials; and
- Ensuring the establishment of IRT(s) to participate in the investigation
and resolution of incidents in their respective OPDIV.
5.4 The HHS Senior Information Systems Security Officer
The HHS Senior Information Systems Security Officer is responsible
for the following:
- Developing and disseminating information concerning the potential
dangers of computer security incidents, guidelines for its control,
and reporting of incidents;
- Notifying the HHS CIO of computer security incidents;
- Developing and issuing instructions for detection and removal of
malicious software;
- Providing guidance for determining what constitutes criminal intent
and employee misconduct; and
- Collecting and reviewing daily incident reports.
5.5 The OPDIV Senior Information Systems Security Officer
5.6 Supervisors and Managers
Supervisors and managers shall ensure that their staffs (Federal and
contractor) have an awareness of their security responsibilities for reporting
any computer incidents and conveying initial incident reports.
5.7 Employees
Employees shall report any suspected or actual computer incidents immediately
to their help desk support, OPDIV Senior Information Systems Security
Officer, or other designated personnel.
5.8 Incident Response Teams
- Consist of a designated core group, with ad hoc expertise added as needed;
- Identify computer security incidents, characterize the nature and
severity of the incident, and provide immediate diagnostic and corrective
actions, when appropriate. Priorities must be considered in evaluating
and responding to each incident because an incident may have many
possible effects, ranging from the risk to human life and safety to
protecting sensitive, proprietary and scientific data, and minimizing
disruption of computing resources;
- Receive incident reports from its intrusion detection system, pro-active
scans, system administrators, law enforcement officials and other
sources;
- Log all reports. The IRT members shall share knowledge. If suspicion
is confirmed or indeterminate, the IRT shall start an event log by
noting date and time of all action, immediately take a snapshot of
the pertinent files of the incident investigation, and inform the
OPDIV Senior Information Systems Security Officer, who shall notify
their CIO;
- Report all incidents to the appropriate individuals and organizations
as described in the Policy section; and
- Prepare a report of findings and perform a post-incident review.
5.9 The Office of the Inspector General
The Office of the Inspector General, Computer Crime Unit is responsible
for the following:
- Promptly responding to all incidents where assistance has been requested
or when it becomes aware that criminal acts have been perpetrated against
HHS systems, and investigating these incidents when appropriate;
- Preserving, in conjunction with the System Administrators, all materials
(e.g., system logs) that are of evidentiary value for Federal, State,
and local criminal prosecutions and civil action; and
- Providing assistance to IT Security Officers, CIOs and other individuals
in resolving questions of suspected criminal activity and other investigative
policy questions and shall serve as the official liaison with the Department
of Justice and other investigative agencies.
6. Applicable Laws/Guidance
The following public laws and Federal
authorities are applicable to this policy circular:
- Government Information Security Act of 1999;
- Computer Fraud and Abuse Act of 1986 (P.L. 99-474);
- Computer Security Act of 1987 (P.L. 100-235);
- Privacy Act of 1974 (P.L. 93-579);
- Clinger-Cohen Act (Information Technology Management Reform Act of 1996
- Division E of P.L. 104-106);
- Office of Management and Budget (OMB) Circular No. A-130, Management
of Federal Resources, Appendix III, Security of Federal Automated Information
Resources;
- Presidential Decision Directive 63 (PDD-63), Critical Infrastructure
Protection, May 22, 1998;
- Inspector General Act, 5 U.S.C. Appendix 3, section 4;
- HHS General Administrative Manual, Chapter 5-10, transmittal 90.05 dated
08/15/90, General Policy - Responsibility and Procedures for Reporting
Misconduct and Criminal Offenses, Chapter 5-10-40 Procedures for Reporting
and Investigating Allegations of Criminal Offenses; and
- National Institute of Standards and Technology Special Publication 800-3,
Establishing a Computer Security Incident Response Capability, November
1991.
7. Information and Assistance
Direct questions, comments, suggestions, or requests for further information
to the Deputy Assistant Secretary for Information Resources Management
at (202) 690-6162.
8. Effective Date/Implementation
The effective date of this policy is the date the policy is approved.
OPDIVs have six months from the date of implementation of the EIM tools
to fully comply with this policy. OPDIVs shall begin implementation of
EIM by June 2001.
The HHS policies contained in this issuance shall be exercised in accordance
with Public Law 93-638, the Indian Self-Determination and Education Assistance
Act, as amended, and the Secretary's policy statement dated August 7,
1997, as amended, titled "Department Policy on Consultation with American
Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy
to consult with Indian people to the greatest practicable extent and to
the extent permitted by law before taking actions that affect these governments
and people; to assess the impact of the Department's plans, projects,
programs and activities on tribal and other available resources; and to
remove any procedural impediments to working directly with tribal governments
or Indian people.
9. Approved
/s/ January 8, 2001
John J. Callahan
Assistant Secretary for Management and Budget
10. Glossary
Computer Security Incident - an event that may result in, or has
resulted in, the unauthorized access to, or disclosure of, sensitive or
classified information; unauthorized modification or destruction of systems
data; reduced, interrupted, or terminated processing capability; malicious
logic or virus activity; or the loss, theft, damage, or destruction of any
IT resource. Examples of incidents include: unauthorized use of another
user account, unauthorized scans
or probes, successful and unsuccessful intrusions, unauthorized use of system
privileges, and execution of malicious code (e.g., viruses, Trojan horses,
or back doors). Events such as natural disasters and power-related disruptions
are not generally within the scope of IRTs and should be addressed in an
agency business continuity and
contingency plan.
Enterprise Infrastructure Management (EIM) - an operational information
technology (IT) management framework that will protect the Department’s
national IT operating infrastructure by restructuring management practices,
procedures, and functional boundaries. EIM will provide automated tools
to reduce user and system administrator workload and increase system management
capability.
Event - any observable occurrence in a system and/or network. Examples
of events include the system boot sequence, a system crash, and packet flooding
within a network.