Incident Response and Reporting (SS-08-004)
Issue Date: 3/31/2008
Revision Effective Date: 12/1/2020
Review Date: 12/1/2020
In support of state policy Computer Security Incident Management, each state Agency must implement an information security incident handling capability. This standard establishes the minimum incident response and reporting requirements.
Each agency must implement an incident management capability including documented processes and procedures for monitoring, detection, data collection, analysis, containment, recovery, response, reporting and escalation.
All incident response, reporting, and escalation procedures must be formally documented and approved by the State Chief Information Security Officer with review by the GBI.
Each agency must train its employees on how to recognize and report incidents in accordance with the reporting and escalation procedures as provided by the State Executive Incident Response Plan.
Agencies must have a designated incident management point of contact.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
NIST SP 800-61, Computer Security Incident Handling Guide
NIST SP 800-83, Guide to Malware Incident Prevention and Handling
NIST SP 800-28, Guidelines on Active Content and Mobile Code
These documents can be found in PDF and zipped PDF formats at:
"State Executive Incident Response Plan" and "OCGA 38-3-22 MILITARY, EMERGENCY MANAGEMENT, AND VETERANS AFFAIRS"
TERMS and DEFINITIONS
Incident Management is the process of detecting, mitigating, and analyzing threats or violations of security policies and limiting their effect.
Computer Security Incident is a violation (breach) or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. Examples include, but are not limited to: widespread infections from viruses, worms, Trojan horses or other malicious code; unauthorized use of computer accounts and computer systems; unauthorized, intentional or inadvertent disclosure or modification of sensitive/critical data or infrastructure; intentional disruption of critical system functionality; intentional or inadvertent penetration of a firewall; compromise of any server, including Web server defacement; exploitation of other weaknesses; child pornography; attempts to obtain information in order to commit fraud, prevent critical operations or endanger state or national security; and violations of the State security policies or standards that threaten or compromise the security objectives of the State's data, technology or communications systems.
Events of Interest are questionable or suspicious activities that could threaten the security objectives for critical or sensitive data or infrastructure. They may or may not have criminal implications.
Note: SS-08-004 was revised on April 15, 2014 to remove operational information that was subject to change over time such as phone numbers to report incidents. This type of information is now included in routine instructions from the State Enterprise Information Security Office.