an Agency Incident Response Process
Council Security Practices Subcommittee
Security Administration, OFAM, Office of Financial Policy and Operations
(OFPO), Office of Information Systems Security (OISS)
Processes or other Framework(s) Supported
Security Process Framework, Section 7, Incident Response (C&A).
Section 3.7, Computer Security Incident Handling
Security Base Practice PA08, Monitor Security Posture
- Jack Garnish
ISSO, Social Security Administration
6401 Security Blvd
Staff contact: Laurie Peiser (email@example.com),
This BSP Does
process has made it possible for the SSA to respond quickly and effectively to
attempts to compromise our systems resources.
for this BSP
Office of the President
Office of Management
Decision Directive 63 - "Critical Infrastructure Protection" "take
all necessary measures to swiftly eliminate any significant vulnerability
to both physical and cyber attacks on our critical infrastructures,
including especially our cyber systems and ... have a system for responding
to a significant infrastructure attack, while it is underway, with the
goal of isolating and minimizing damage."
Office of Management
- OMB Circular No. A-130, "Management
of Federal Information Resources", Appendix
III, "Security of Federal Automated Information Systems" A. 3. a.
2) d) Incident Response Capability. Ensure that there is a capability
to provide help to users when a security incident occurs in the system
and to share information concerning common vulnerabilities and threats.
This capability shall share information with other organizations, consistent
with NIST coordination, and should assist the agency in pursuing appropriate
legal action, consistent with Department of Justice guidance.
M-0108, Guidance On Implementing the Government Information Security
Reform Act "As found in existing policy, all agency programs will
include procedures for detecting, reporting, and responding to security
incidents, including notifying and consulting with law enforcement
officials, other offices and authorities, and the General Services Administration's
Federal Computer Incident Response Capability (FedCIRC). The intent
of the incident handling provision is to ensure that each agency has
both the technical and procedural means in place to detect and appropriately
report security incidents and share information on common vulnerabilities.
Policies and procedures should be documented and remove unnecessary
internal obstacles to the timely reporting to the appropriate authorities
within the agency (for example, security officials and Inspectors General)
and with external organizations (for example, FedCIRC, law enforcement
e.g., the National Infrastructure Protection Center, and national security)."
Social Security Administration has successfully used our Incident Response Process
to deal with multiple security incidents. Additional information can be provided
to Federal Agency Information Systems Security Officers through the process
outlined in Section 3.1, below.
This BSP Is
of BSP
a BSP for incident response is a challenge, since for obvious reasons, we cannot
post our incident response procedures to an open web site, but the openness of
the BSP process is the feature that makes it most useful to individuals searching
for effective security practices. As a result, we have come up with the following
compromise that we hope will prove effective:
Materials related to our policies, employee
awareness activities, and procedures for reporting an incident are included with
this BSP. These documents are:
Information Systems Security Handbook (SSH) chapter 16, Security
Incident Identification, Reporting and Resolution. This chapter
includes both policy and procedures.
- FEDCIRC Incident
Reporting Criteria and Rationale. This document details the type
of information that should be reported and the rationale behind such
security awareness materials related to incident response. These materials are
distributed as Systems Security Bulletins desk to desk to all SSA employees. The
bulletins included here are:
We believe that our incident response procedures can be readily adapted for use by
other Federal Agencies. The main issue is scaling the process to meet the needs
of your Agency; the type of process itself would not need to change. Since we cannot
post sensitive Agency information with the BSP, SSA is willing to provide the
following assistance to other Federal Agencies working on establishing an incident
Federal Agencies that would like the above assistance should have their Information
Systems Security Officer (ISSO) e-mail us at firstname.lastname@example.org.
Please use a subject line of INCIDENT RESPONSE ASSISTANCE and provide your name,
agency, business address, and telephone number in your message. ONLY REQUESTS
FROM FEDERAL AGENCY ISSOS WILL BE ACCEPTED. We will try to respond to your
message within 5 business days.
- We will provide access to our procedures in a way that ensures that we can maintain the confidentiality of those procedures.
- We will provide access to both policy and technical staff to help you to adapt these procedures to meet the needs of your Agency.
- We will provide continuing access to staff during your implementation to help you to get your team operational as quickly and smoothly as possible, as long as providing this support does not interfere with the duties of those staff members.