11.5 - Security Incident Response

Policy

All members of the Weill Cornell Medical College (WCMC) community are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the college, irrespective of the medium on which the data resides and regardless of format (e.g. electronic, paper, fax, CD, or other physical form).

Departments are responsible for implementing operational, physical, and technical controls for access, use, transmission, and disposal of WCMC data in compliance with all WCMC privacy and security policies, procedures, and guidelines.

WCMC expects community members, including but not limited to faculty, staff, and students, to use all WCMC information technology resources and data in a manner that is legal, ethical, and consistent with the mission of education, research, and patient care.

Entities Affected By This Policy

The Weill Cornell Medical College and Graduate School of Medical Sciences

  • Responsible Executives: WCMC Chief Information Officer
  • Responsible Department: Information Technologies and Services
  • Dates: Issued: Interim, October 1st, 2007. Final Issuance: January 31st, 2008
  • Contact: Information Technologies and Services

Reason for Policy

Information technology (IT) security incidents occur randomly and frequently. Resolving them in an organized, systematic way is a vital part of proper IT security. This policy provides a framework for identifying, assessing, communicating about, and documenting an incident and the corresponding remediation plans.

Principles

Security Incidents must be identified, declared, responded to, and closed. Detailed requirements for each of these steps are below. The high-level process for security incident response is as follows:

[Flowchart: high-level security incident response process (identify, declare, respond, close)]

I. Identifying an Incident

IT security incidents can be true positives or false positives. A false positive is still treated as an incident until proven otherwise. Security-related (or possibly security-related) issues become incidents when one or more of the following is true:

  1. Unauthorized activity on a WCMC network or computer is suspected to be profiling, targeting, disabling, or otherwise thwarting that computer's or network's security mechanisms (firewalls, intrusion detection, etc.).
  2. Hardware containing Confidential or Internal Use Only data (see the Data Classification policy) has been stolen, is missing, or is otherwise compromised.
  3. Unauthorized use of the WCMC network or a WCMC computer has occurred.
  4. An unauthorized user has gained access to WCMC data or the WCMC network.
  5. A significant violation of a WCMC IT security policy has occurred.

II. Declaring a Security Incident

Only specific individuals in ITS can declare a security incident. Any activity that appears to fall under one or more of the categories above should be brought to the attention of at least one of the following people:

  1. The WCMC Security Officer
  2. The WCMC Privacy Officer
  3. The WCMC Assistant Director of Security and Identity Management
  4. The ITS Senior Director
  5. The ITS Director
  6. The WCMC Chief Information Officer
  7. An ITS Senior Security Engineer
  8. A Senior Director in WCMC Human Resources
  9. WCMC Legal Counsel
  10. The Senior Director of WCMC Risk Management

These individuals will review the relevant data to determine the authenticity and severity of the potential incident. If the incident appears to be legitimate, or if the legitimacy is not possible to determine, a security incident will be declared.
Upon declaring the incident, the declarer must do four things:

  1. Assign at least one incident coordinator
  2. Assign at least one incident investigator
  3. Work with the incident coordinator to create the incident communications plan
  4. Approve the incident communications plan

The roles and the plan are defined as follows:

  1. The Incident Coordinator:
    1. Has ownership and accountability for the incident response
    2. Is the main point of contact for the incident
    3. Runs the incident response team from start to end of the incident
    4. Is responsible for adhering to this policy, including all appropriate documentation
    5. Is responsible for providing documentation related to the incident to the WCMC Security Officer
  2. The Incident Investigator:
    1. Performs investigatory steps
    2. Makes recommendations to the Coordinator
    3. Is a key participant in creating the containment and remediation plans
    4. May participate in remediation steps
  3. The Communications Plan:
    1. Defines meeting places and times
    2. Identifies conference bridge(s)
    3. Defines where documents and data will be located (stored) during the incident response
    4. Defines what changes will trigger updates

III. Responding to an Incident

A. Initial Report

Once an incident is declared, an Initial Incident Report must be created (templates are provided as part of this policy). The report must contain the following sections:

  1. Incident Number
  2. Incident description
  3. Time declared
  4. Assets involved
  5. Data involved
  6. Personnel involved
  7. Extent of damage
  8. Time to detect
  9. Time to contain
  10. Containment steps
  11. Time to remediate
  12. Remediation steps
  13. Response plan
  14. Action log
  15. Lessons learned

Initially, only sections 1-6 must be filled out. Subsequent sections should be filled in as they become applicable. All sections must be filled out before the Final Incident Report is filed.

B. Action Log

Create an Action Log using the Action Log Template immediately after the Initial Incident Report is completed. Action Logs must contain at least the following:

  1. Incident Number
  2. Time (per action)
  3. Actions Taken
  4. Communications Made
  5. Potential Threats Found
  6. Pertinent Discoveries
  7. People/Users/Groups/Roles/Accounts Potentially Involved
  8. Potential Data Involved

C. Containment Plan

Once the details of the incident have been identified, a containment plan can be created. Containment plans describe how the threats that are part of the incident will be stopped until a remediation plan can be created and enacted. Where applicable, containment plans must include the following:

  1. Incident Number
  2. Plan Description
  3. Plan Steps
  4. Action Items
  5. Assignments
  6. Proof of Concept

D. Remediation Plan

The remediation plan should eliminate, mitigate, or document acceptance of the threats discovered in the incident. Remediation plans must include at least:

  1. Incident Number
  2. Plan Description
  3. Plan Steps
  4. Action Items
  5. Assignments

IV. Theft and Notification

Under the New York State Information Security Breach and Notification Act (ISBANA), WCMC is required to notify state authorities and affected individuals if 'private information' is lost or stolen. The law defines 'private information' as:
"any personally identifying data (i.e., name, number, personal mark, or other identifier) in conjunction with one of the following data elements:

  • a social security number
  • a driver's license (or non-driver ID) number
  • an account number or credit/debit card number combined with the access code to that account or card.

where either the identifier or the data element is in unencrypted form". Medical data by itself is not considered private information.

If, during the investigation of a security incident, it is believed that personally identifying data along with one or more of the elements above was lost or stolen, it may be necessary to issue a notification. In this circumstance, the Incident Coordinator is responsible for documenting the following:

  1. Incident Number
  2. Incident description
  3. Time declared
  4. Assets involved
  5. Data involved
  6. Personnel involved
  7. Potentially stolen/missing assets
  8. Potentially stolen/missing data
  9. ISBANA related data elements
  10. EPHI related data elements
  11. State of encryption of the ISBANA related data involved
  12. Is notification necessary?

B. Theft Report

The Theft Report will be used to present information to the Information Security and Privacy Advisory Committee (ISPAC) and other appropriate parties. It must include at least the following:

  1. Incident Number
  2. Incident description
  3. Time declared
  4. Assets involved
  5. Data involved
  6. Personnel involved
  7. Potentially stolen/missing assets
  8. Potentially stolen/missing data
  9. ISBANA related data elements
  10. EPHI related data elements
  11. State of encryption of the ISBANA related data involved
  12. Is notification necessary? If so, why?
  13. Notification steps (if necessary)
    1. Methods of notification used
    2. Copy of notification(s) sent to affected individuals
    3. Copy of notification sent to New York State

V. Closing An Incident

Closing an incident indicates that the incident has been completely contained and remediated. Additionally, an incident cannot be closed until the Final Incident Report is completed.

E. Final Incident Report

Incidents can only be closed by one of the following people:

  1. The WCMC Security Officer
  2. The WCMC Assistant Director of Security and Identity Management
  3. The ITS Senior Director
  4. The ITS Director
  5. The WCMC Chief Information Officer

The Final Incident Report must include the following items:

  1. Incident Number
  2. Incident description
  3. Time declared
  4. Assets involved
  5. Data involved
  6. Personnel involved
  7. Extent of damage
  8. Time to detect
  9. Time to contain
  10. Containment steps
  11. Time to remediate
  12. Remediation steps
  13. Response plan
  14. Action log
  15. Lessons learned
  16. Date Closed
  17. Time Closed
  18. Incident Closure Approved By

VI. Other Resources

Incident coordinators and investigators should use the Incident Response Workbook (associated with this document) to record all documentation related to the incident.