Computer Security Incident Response Procedure (SE-PRO-002)

SE-PRO-002
PROCEDURE
Information Services

Effective Date: 1/23/2014
Manual: Administrative Manual / Other: Information Services
Procedure ties to Policy #: SE – POL - 002
Original
Total # Pages: 6

Title: UW Health IS Computer Security Incident Response Procedure


I. PURPOSE
The purpose of this document is to define procedures to be followed when a computer
security incident (CSI) is discovered to have occurred. These procedures are designed
to help mitigate any harmful effects of computer security incidents.


II. PROCEDURE
A. Incident Identification - Roles:

• Help Desk Staff – If an incident is reported by a user to the Help Desk, Help Desk
staff will:
1. Capture the incident description in the call tracking software
2. Conduct standard, basic troubleshooting to determine cause
3. Progressively escalate the incident to appropriate on-call staff based on
function and hierarchy as documented in the call tracking system
4. At the direction of the Lead Analyst/Technician, communicate status updates to
end-users on an on-going basis

• Analyst or Technician – If an incident is identified by an Analyst or Technician
through alerts, monitoring, or other means, the Analyst or Technician will:
1. Capture the incident description in the call tracking software, or report it to
the Help Desk to record the incident
2. Conduct standard, basic troubleshooting to determine cause
3. Progressively escalate the incident to appropriate on-call staff based on
function and hierarchy as documented in the call tracking system
4. Provide Help Desk staff with updates and content for distribution to end-users

B. Incident Management – Roles

• Rotating On-Call Staff from each ‘System Owner’ IS Team
1. Monitor and manage all Heat tickets assigned to their respective group
2. Conduct an in-depth assessment of the situation to help determine cause,
and contain/stop the incident as applicable
3. Take responsibility as Lead for incidents escalated to them while on-call
4. Represent their team on the SIRT for any incident occurring during their
rotation that affects their area


• Lead – The System Owner Technician or Analyst On-Call at the time an event
is escalated to an incident will act as the initial Lead for that incident. The
Lead designation may transition to the System Owner SME or Management as
deemed appropriate. The Lead for each CSI may be reassigned by the group
based on whether the CSI requires a technical response or a compliance
response (resulting from user behavior, e.g. sharing passwords).
1. Notify the UWH IS VP/CIO and all other parties as appropriate
2. Direct all containment and recovery activities
3. Categorize and prioritize the incident: assign a category (see Table 1.0)
and a priority (see Incident Response Prioritization) as outlined later in this
document, and coordinate the resources required to resolve the incident if
needed. Based on priority, may designate another SIRT member as
coordinator for the duration of the CSI
4. Collect any evidence related to the incident
5. Restore systems to a normal functioning state
6. Organize the collected data
7. Assess damages or costs associated with the incident
8. Engage a Situation Manager for the issue if warranted (e.g. if the scale of
the known incident is abnormal, or it is a CSI of unknown origin). If a
Situation Manager is not engaged, ensure the incident is documented and
communicated to the Security Engineers Team for purposes of incident
tracking
9. Utilize UWH IS resources as reasonably necessary to resolve the CSI, with
approval of the Situation Manager
10. Provide verbiage to Help Desk staff for end-user communications

• System Owner Subject Matter Expert (SME) – Consulted and/or called in to assist
with, or take over, containment, analysis, or management of a CSI

• Situation Manager – The UWH IS Director On-Call at the time an event is
escalated to an incident
1. Ensure communication is being made within UW Health as defined in this
procedure
2. Ensure appropriate documentation is being made as the CSI unfolds (complete
the CSI response form, see Attachments section)
3. Authorize resource utilization as needed
4. Assess the resolution strategy
5. May hand off duties to the Coordinator the next business day

• Coordinator – Handoff from the Situation Manager may occur to a member of the
Security Engineers team during normal business hours.
1. Assist with ensuring communications are being made within UW Health as
defined in this procedure
2. Assist with ensuring appropriate documentation of the CSI is made in the
call tracking software (complete the CSI response form, see Attachments
section)
3. For CSI events meeting the criteria defined in the Incident Review Policy,
or deemed necessary by UWH IS Management, conduct a lessons-learned
meeting with the persons involved within 15 days of the incident

4. Coordinate all assigned follow-up tasks and activities
5. Forward final report to appropriate persons as defined under Notifications
below
6. Ensure that the incident information is documented, reported to appropriate
individuals, and stored in an encrypted file with limited need-to-know
access only, for 6 years.




Known CSIs (Category – Scenario)

Compliance Violation – Overheard in the UWH IS Department: “I just logged in as you.”
Compliance Violation – A user calls the Help Desk and reports that they are actually using
someone else’s user ID and are unable to log in or are having some other problem.
Compliance Violation – Shared passwords, commonly done for convenience: the first employee
signs into a system and leaves it wide open for everyone else on duty to use so they don’t
have to keep signing in and out.
Compliance Violation – A user is viewing PHI or other company data without a valid
work-related purpose.
Unauthorized Access Attempt – Phishing. Has someone told you “I just responded to an email
that UWH IS sent asking for my password, did you send that?” This is a security incident
called “phishing”, a common occurrence where users receive a phony email from “UWH IS”,
click a link, and enter their user name and password. If not addressed ASAP, these can
result in unauthorized access.
Malicious Code – Pop-up messages on a server or workstation indicating that a virus has
been detected.
Malicious Code – Log messages indicate abnormal traffic patterns or activities.

Examples of Symptoms That Could Indicate a CSI (Category – Scenario)

Denial of Service / Malicious Code – Unexplained system performance degradation.
Attempted Unauthorized Access – User accounts repeatedly locking for unexplained reasons;
logs show a high number of failed login attempts.
Unauthorized Access – Computer equipment missing, moved, or in disarray.




Incident Category – Each incident will be assigned a category based on the
descriptions in Table 1.0.


Table 1.0 – Incident Categories (Category – Name: Description)

1 – Unauthorized Access: A person gains logical or physical access without permission
to a network, system, application, data, or other technical resource.
2 – Denial of Service (DoS): An attack that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources. This activity includes
being the victim of, or participating in, the DoS.
3 – Malicious Code: A virus, worm, Trojan horse, or other code-based malicious entity
that successfully infects a host.
4 – Compliance Violation: An employee or anyone with access to UW Health systems who
violates the acceptable use of any network or computer use policies.
5 – Other: Any other incident that does not fit within the first four categories.

Incident Response Prioritization – The SIRT will review each incident as reported,
considering both impact and urgency, and will prioritize the response based on 1) the
current and potential technical effect of the incident and 2) the criticality of the
affected resource.
CRITICAL – Severe effect on multiple systems or critical infrastructure
NON-CRITICAL – Moderate effect on a single system or negligible effect on
infrastructure


Notifications – CSIs that result in data loss or the potential for data loss must be reported
to the following:
a. UWH IS VP/CIO’s Office
b. Director of UWHC Compliance and Privacy Officer
c. UWMF Privacy Officer
d. UWH IS Security Officer
e. UWHC Director Risk Management
f. UWMF Manager Risk Management
g. UWHC Internal Audit
h. Appropriate Management Staff
i. Others as appropriate, for example:
1. Employee Labor Relations (ELR)/Human Resources (HR)
2. UWMF Compliance Officer
3. Director Security (Facilities)
4. Director of Clinical Engineering
5. Director of Plant Engineering
6. UWHC Director HIM
7. UWMF Director HIM
Upon hand-off of reports, the appropriate Privacy Officer will take responsibility for
required regulatory reporting and will work with the office of UW Health Public Affairs on
any necessary media communications.
Also upon hand-off of reports, ELR/HR, Risk Management, Compliance, and Facilities
Security will take responsibility for required action within their areas regarding
incident repercussion follow-up.

III. Forms

[Provide Forms as well as Form Numbers and/or Hyperlinks]


IV. SUPPORTING POLICY
UW Health IS Computer Security Incident Response Policy SE – POL - 002


VI. COORDINATION

The details of coordination among UWHC, UWMF, and UWSMPH are shown below. Approval
and coordination of this policy by those entities occur per their individual processes.

UWHC Sr. Management Sponsor: Leroy Baker, UW Health IS CTO
UWHC Author: Elaine Gerke, UW Health IS Security Officer
UWHC Author: UW Health IS Senior Security Engineers
UWHC Author: UW Health IS SIRT Team Members
UWHC Reviewers: UW Health IS VP/CIO & Directors
UWHC Reviewers: UWHC Internal Audit

UWMF Sr. Management Sponsor: Leroy Baker, UW Health IS CTO
UWMF Author: Elaine Gerke, UW Health IS Security Officer
UWMF Author: UW Health IS Senior Security Engineers
UWMF Author: UW Health IS SIRT Team Members
UWMF Reviewers: UW Health IS VP/CIO & Directors

UWSMPH Approval: UW Administrative Legal Services


VII. SIGNED BY


[Insert Signature Block(s) for Appropriate Signer] Date