Policy Example
SunSpot Credit Union
Computer Incident Response Team—Access & Authorization Policy
1.0 Policy Statement
This policy applies to SunSpot Credit Union employees, temporary workers, contractors, and consultants who use or access SunSpot Credit Union information systems and computers.
2.0 Purpose/Objectives
Definitions used in this policy are as follows:
- SunSpot Credit Union: (SCU).
- Incident Response Team: (IRT). Personnel designated to respond to security incidents.
- Incident Response Policy: (IRP). Establishes Incident Response (IR) procedures for dealing with incidents related to technology and information risk.
- Gramm-Leach-Bliley Act: (GLBA).
- Chief Information Officer: (CIO).
- Information Security Officer: (ISO).
This document establishes IRT membership, roles, responsibilities, and authority. IRT members and their authority are as follows:
- Information Security Officer (ISO): IRT team leader with authority over all SCU information systems in the event of a security incident. The ISO has the authority to take any lawful action necessary to protect SCU resources and private information, including customer personal and financial information.
- Senior System Administrator: Has overall responsibility for monitoring internal systems and configurations. Designated by the ISO with the authority to change configurations and take actions as required to protect SCU information resources and customer private and financial information in the event of a security incident. Has the authority to represent SCU to, and communicate with, law enforcement.
- Network Administrator: Works closely with the Senior System Administrator. Granted the authority to take networks and systems offline if required to protect SCU information systems and customer private and financial information.
- Human Resources Director: Granted the authority to manage staff, regulatory, and legal matters that may result from a security incident.
- Public Relations Director: Granted the authority to communicate with news media, stockholders, and other public, non-legal entities as directed by the ISO.
- Law Firm: Has the authority to conduct legal matters related to security incidents at the direction of the ISO, and to represent SCU to, and communicate with, law enforcement.
3.0 Scope
This policy applies to all SCU security domains, including computers and devices, SCU system users, security detection systems, firewalls, remote access VPN software and hardware, and applications that are controlled and operated by SCU staff or its designated IT Infrastructure Implementation Agents, contractors, and vendors. It covers all SCU branches, SCU Enterprise Cloud, Web, and Data Center providers, and other offsite facilities.
4.0 Standards
This policy requires compliance with section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Security Guidelines issued under these acts establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information and its proper disposal. Specific standards are as follows:
- Develop and maintain an effective information security program.
- Ensure the security of customer information at all times.
- Maintain procedures for notifying customers of confirmed or suspected exposure of their private information.
5.0 Procedures
Responsible IRT members must consider GLBA standards when responding to incidents. The ISO is responsible for overseeing the development, implementation, and maintenance of this policy. The CIO is responsible for enforcing this policy. The SCU incident response model is as follows:
- Incident detection. The Senior System Administrator and Network Administrator are responsible for monitoring Intrusion Detection and Prevention Systems (IDS/IPS) and system logs, and for maintaining communications with the help desk, in order to detect possible security incidents. If a possible incident is detected, they will notify the ISO, who will determine whether the IRT needs to be activated.
- Containment and evidence collection. The ISO will direct team members to implement additional control configurations to stop an attack, secure systems, and begin collecting evidence. Per the SCU IRP, the ISO will issue evidence bags and chain of custody forms and make electronic collection media available. All evidence will be collected, and chain of custody maintained, per SCU IRP standards. The ISO and the SCU law firm will monitor evidence collection procedures.
- Recovery. After evidence collection is complete, or has reached a point where resuming normal operations will not interfere with collection, the ISO will direct team members to recover systems per the SCU IRP, Business Continuity Plan (BCP), and other applicable SCU technical and administrative publications and policies.
- Analysis and debrief. At the ISO's direction, the IRT will meet to discuss and evaluate the incident and make recommendations to prevent future incidents.
- Incident report. The ISO is responsible for constructing and disseminating an incident report based on the IRT's analysis of the incident. The report is to be used by HR, the Public Relations Director, and the retained law firm for communicating details of the incident and for making decisions on possible disciplinary or legal action.
- Process improvement. Policy updates and additional training, as required, are to be implemented per the SCU IRP and training policy.
6.0 Guidelines
In the course of business it is inevitable that situations will arise that policy does not specifically address. Guidelines for these issues are as follows:
- Unforeseen security events or conflicts in procedures are to be referred to the ISO for guidance. In the event that the ISO is unavailable, the Senior System Administrator or the CIO, whichever is the most senior person present, will fulfill the ISO's duties.
7.0 Policy Enforcement and Violations
Violations of this policy will be addressed in accordance with relevant SCU information security and human resource policies. The appropriate level of disciplinary action will be determined on a case-by-case basis by the appropriate executive or designee, with sanctions up to and including termination depending upon the severity of the offense. The ISO is responsible for the official interpretation of this policy. Questions regarding the application of this policy should be directed to the SCU Information Technology department.
Good policy template. Will be implementing some of it in my organization’s IRP.