IS7060 - IT Incident Management Procedure
Section: INFORMATION SOLUTIONS PROCEDURES
SubSection: Information Security
Master List Section: Information Solutions
Purpose
The purpose of this procedure is to ensure timely and effective response to IT incidents by restoring service operations to agreed level as quickly as possible.
Any event that is not part of the standard operation of an IT service and that causes, or may cause, an interruption to, or a reduction in the quality of, that service is termed an ‘incident’. In this document, the term ‘incident’ means any irregular or adverse event that occurs on any part of DMACC’s IT systems.
Scope
This procedure applies to:
- All IT services managed, operated, and provided by DMACC IT Department to DMACC business.
- All staff (permanent and on contractual basis) and non-employees (students, contractors, consultants, suppliers, vendors etc.) who require access to DMACC’s information and associated assets.
- Relevant third-party personnel responsible for administering and maintaining DMACC’s IT infrastructure.
The governing entity of this procedure is the IT Department.
Procedure Statements
‘Incident’ is a term for an exceptional situation, or a situation that warrants the intervention of specialist help or senior management. Incidents are detected in the day-to-day operation and management of the IT function. An incident may be the result of unusual circumstances as well as of violations of DMACC’s existing policies and procedures.
Some of the actions that can be classified as IT incidents include, but are not limited to:
- Attempts to gain unauthorized access to a system or its data, masquerading, or spoofing as authorized users
- Unwanted disruption or denial of service
- Failure / Crash of IT Equipment
- Hardware resources and components lost/stolen
- Major virus incidents resulting in Business loss or downtime
- The unauthorized use of a system for the processing or storage of data by authorized users
- Changes to the system hardware, firmware or software and data without the owner’s knowledge, instruction, or consent
- Existence of stray user accounts
- Theft of / Damage to computer hardware equipment or communication network
- Information system failure and loss of service
- IT service disruption
- Degradation in the quality of any IT system
All users and IT administrators shall be responsible for identifying incidents. Some examples are:
- Abnormal system resource usage: If CPU or memory utilization on a system is higher than normal, the system may have been compromised. Systems compromised by attackers are often used to spread viruses or infect other machines, which leads to high resource utilization. System administrators shall track resource utilization and analyse the reasons for any abnormal usage.
- Abnormal, slow response of an application: Users could experience extremely slow response times if the application servers or the network have been compromised and are being used for malicious purposes. Virus or worm outbreaks can cause network congestion, which in turn makes application responses slow and unstable. Incidents shall be reported where the response is extremely slow compared with past usage.
- Data corruption: If a user finds that data or files stored on their desktop/laptop have been deleted or modified without their knowledge, this could be an indication of a compromised system.
- Changes to desktops/laptops: If a user’s desktop/laptop configuration looks different in terms of the applications installed, screen savers, or icons on the screen, or the system misbehaves by opening new windows without the user’s command, it could be an indication that the system has been compromised.
- Changes to passwords and user IDs: Users shall report if they find that their password has been changed or their account has been locked without their knowledge. Any unexplained change to a user’s password could be an indication of system compromise. Users shall also report any suspicion that someone else is using their account, such as emails sent from their mail ID, applications accessed from their account, or data posted from their account without their knowledge.
- Virus infection: Users shall report any virus or worm that has infected one or more hosts. Viruses or worms that are detected and cleaned by antivirus software need not be reported; only those that are not being cleaned and continue to infect the system need to be reported.
- Changes in applications: If an application accessed by a user looks different from its normal appearance, or the user’s level of access in the application appears to have been modified (either increased or decreased), the application may have been compromised.
- Security weakness: If a user of an application detects that they have unauthorized elevated access that could lead to any kind of compromise, they shall report that access privilege to prevent any loss of DMACC data or system uptime.
- Violations by others: If a user comes across any security violation committed by others, such as running malicious tools, attempting to break into systems, committing IT fraud or theft, or violating copyright or license agreements, the user shall report the instance.
- Access to data or a system without authorization. Such attempts may include:
  - Unauthorized use of an account (privileged or otherwise)
  - Unauthorized access to directories, files, or media
  - Placement of ‘sniffing’ hardware or software on a network segment to capture data travelling across it
- Modification of data without authorization. Such attempts may include:
  - Unauthorized movement of files
  - Trojan horse or virus code
  - Deletion of data
  - Modification of data
  - Change of file permissions
  - Web page defacement
  - Alteration of file content
- Denial of service or disruption to system activity. Such incidents include:
  - Distributed denial of service (DDoS) attack causing loss of external network connections through packet flooding
  - Exploitation of vulnerabilities causing network outages
  - Causing a system to crash
  - Causing a system to lose connectivity
  - Causing a system to fail partially or completely
  - Physical loss of or damage to systems
- Changes to system software/firmware, hardware, or environment without approval. Such incidents include:
  - Installation of back door code without authorization
  - Modification of system code without authorization
  - Modification to cabling (patching, rack connections etc.)
  - Addition of software/hardware with malicious intent (e.g. keystroke logging or backdoor)
  - Unauthorized removal, addition, or replacement of equipment
- Probes/scans: attempts to gain information that may be used to perpetrate an attack. Such incidents include:
  - Port scans
  - Targeted scans across the whole, or a large part, of an IP range
  - Social engineering attacks
  - Unexpected inquiries into network capabilities/vulnerabilities
- Unauthorized password resets
- Loss of or physical damage to systems
- Unauthorized activation of suspended/deleted user accounts
- Existence of unknown user accounts: unknown accounts, especially those with administrative privileges, could indicate that the system has been attacked
The importance of incident detection and analysis shall be communicated throughout DMACC, and users shall be made aware of their responsibilities for reporting incidents, security weaknesses, and any software malfunction.
Incident Reporting and Recording
All employees of DMACC shall be aware of their responsibility to promptly report any IT incidents.
All IT related incidents shall be reported to the DMACC Technical Support via ticket, phone, or email.
DMACC Technical Support shall act as the first point of contact for all concerned users until incident closure.
All incidents detected by different monitoring systems shall also be documented in the ticketing system by DMACC Technical Support.
The following details shall be recorded initially:
- Details of the user(s) who reported the incident including contact details
- Detailed description of the incident including time of incident
- Asset / service affected (or thought to be affected)
- Details on how the incident was discovered / detected
- Details of any similar occurrence in the past
- Supporting evidence
- Remedial steps taken if any
- Incident classification
All incidents shall be categorized in an appropriate manner to prioritize the resource allocation during incident response.
DMACC Technical Support personnel shall be trained on procedure for incident identification, recording and escalation.
Problem tickets shall be created for all critical and recurring incidents. Problem tickets shall be handled through a formal problem management procedure.
Incident Prioritization
All incidents shall be prioritised based on their severity. The following is the Incident Management Priority Matrix:
Incident Management Matrix (by Severity Level)
- Severity 1 (Major Impact): Direct threat or damage to the image, reputation, or credibility of DMACC; multiple business functional units severely impacted; a business location critically affected. Business continuity measures would have to be invoked.
- Severity 2 (High Impact): Severe outage affecting a single business functional unit, key service, or location.
- Severity 3 (Moderate Impact): Moderate degradation to business functional units, locations, or IT assets; moderate to high impact to non-critical business units within DMACC.
- Severity 4 (Minimal Impact): Small issue with localized scope, affecting few resources; the issue can be tolerated for a period.
Incident Response
The incident ticket shall be assigned to the correct technician or a resolver group in the IT Department based on the nature of the incident and the resources required.
The assigned technician shall endeavour to restore the service as early as possible.
Vendors shall be involved as needed to resolve incidents.
Information security personnel shall be involved if the incidents warrant any investigation related to information security.
Any changes required to resolve an incident shall be performed in accordance with the IT Change Management Process.
The incident, if not resolved and corrected within the pre-defined timeframes, shall be escalated in accordance with the IT Incident Management Process.
Actions to recover from incidents shall be carefully and formally controlled, as set out in the incident management procedures.
The audit trails and any similar evidence shall be collected and secured for post-incident analysis and for forensic evidence if found necessary.
Incidents shall be monitored from identification until closure, and incident records shall be updated continuously as progress is made.
Users, customers, stakeholders, and management shall be kept informed about the progress of incidents, as may be necessary.
Incident Closure
All incidents shall be closed by the DMACC Technical Support personnel.
All information gained during troubleshooting shall be recorded in the ticketing system for future reference. Workarounds and measures adopted to mitigate the incident shall be added to the knowledge base.
Requestors shall be informed about the closure of all incidents.
Requestors shall be provided with the option of reporting their satisfaction with the resolution of the incident.
Root cause analysis for all reported incidents shall be initiated in coordination with Information Security once the incident ticket is closed.
Learning from Incidents
All incidents shall be logged and monitored, and the cause of every incident shall be identified and analysed by the DMACC Technical Support Team.
There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. The information gained from the evaluation of information security incidents should be used to identify recurring or high impact incidents.
The lessons learnt from incidents shall be documented by the DMACC Technical Support Team and reviewed by Information Security.