Beautiful Brains and Big Ideas

Appendix C

IRAP Guidelines


Overview:


Municipalities face a wide range of cyber threats. Such threats can evade and defeat established security best practices and tools. Over time, the types of threat will continue to evolve, so it is essential that Municipalities create and maintain an equally iterative, responsive, and well-coordinated approach to responding to cyber incidents that impact information systems and networks.


Cyber-attacks may disrupt operations both internally and externally. Interruptions and incidents may impact the city's ability to provide services to its residents, employees, and others.


This incident response plan offers a guideline for Municipalities to use in case of a cyber incident. This is intended to be a general guideline and should be adapted to the organization using it.


Purpose:
For the purpose of this deliverable, the outline follows the NIST Cybersecurity Framework Implementation Case Study as put forth by SGIP. This incident response plan serves to define the process to be followed in the case of a security incident.


Security incident, as defined by TechTarget: an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.


Goals and Objectives:


Identify and contain possible incidents.
Minimize disruption to services.
Communicate with appropriate parties and Stakeholders.
Conduct and provide a postmortem account of the incident as well as the future approach.
Prevent future incidents (if and where possible).


Scope:
This guide can be applied to systems, both primary and secondary, that are operated by or impacted by the energy provider.


Incident Response (IR) Phases

Pre-Incident Preparation
Vulnerability assessment: identify areas that are vulnerable to breaches and classify the threat level (see sample RACI table for reference).
Conduct training to mitigate threats (e.g., social engineering training as well as regular tabletop exercises and Stakeholder meetings to discuss mitigation strategies and updates).
Identification of Teams, Executives, and External Comms protocols in case of an incident.

Phase 1: Detect, Identify, Scope and Contain (see Table 1.1 for a broad overview)
Detection of incident: helpdesk report, service disruption, or suspicious activity; use the defined parameters to designate whether an incident or breach has occurred.
Scope the impact and determine urgency (assign Priority 1 (P1), Priority 2 (P2), or Priority 3 (P3)); escalate as appropriate and triage with the appropriate teams.
Determine whether the incident is contained. If so, move on to the next Phase.

Phase 2: Response, Investigation, Remediate
Based on classification and containment, assign teams to:
Draft and present a brief to the executive team (Incident Officer).
Draft communications for internal staff broadcast (Incident Officer and Internal Communications liaison).
Once approved, share information relating to the incident with both internal and external parties where applicable.

Post Incident Activity
Assemble incident response teams as well as risk analysts to assess the incident and prepare:
Postmortem outlining the how, what, when, and why.
Tabletop exercises to run through the remediated solution.
Incident Priority Levels & RACI Table

Priority 1 (P1):
Impact on critical systems that might result in a threat to safety, data, or business continuity.
This may have a long-term effect and requires the highest level of escalation.
Current attack impacting many critical Citywide systems.

Priority 2 (P2):
Medium- to high-risk impact on systems. May or may not result in long-term impact.
Requires the triage team to assess whether the incident is P1 or P2.
Impacts a few Citywide systems.

Priority 3 (P3):
Medium risk, requiring triage from the incident response team.
The threat is likely in the future; an example would be a social engineering risk.
Impacts some Citywide systems.

Priority 4 (P4):
Low to no risk.
Resolution does not require triage; it is a straightforward fix.

Priority levels determine the steps taken within the IR process. They range from 1 to 4, with Priority 1 being the highest priority.


RACI DEFINITIONS

RESPONSIBLE: The person or persons who do the work. At least one person should be responsible for each work package.

ACCOUNTABLE: The person ultimately answerable for the successful completion of the work package. There should be only one person accountable for each task.

CONSULTED: Subject-matter experts whose advice is required.

INFORMED: People who are informed of progress, for example project admin or the PMO.
TABLE 1: RACI Chart (Responsible Accountable Consulted & Informed)


TABLE 2: Overview of the Incident Response Flow


Roles and Responsibilities

Helpdesk: first point of escalation for all staff. Can be reached via multiple pathways (phone/computer/in person). Not SMEs, but able to trigger a P1.

Incident Response Manager and Chief Information Security Officer
Responsible for management and successful coordination of the IR Team.
Point of contact and oversight for all processes related to the IRP.
Liaise with and provide ongoing briefings to Stakeholders, Executives, Legal, and External entities.
Work in partnership with the Public Information Officer (PIO) to coordinate and manage all communications (both internal and external).

Incident Response Team
Consists of on-call members of Security Operations and all other teams within the IT Department. (These change frequently, so please refer to the PagerDuty application to validate the data.)
Chief Privacy Officer (CPO)
Work with the CISO to identify and remediate any breaches involving PII (Personally Identifiable Information).
Support, participate in, and review all work related to privacy breach incidents.
Work with Legal and Compliance to retain all records, follow all policies, and report any findings as appropriate.
Maintain compliance for all PII records and work closely with the PIO to ensure correct communication to internal and external groups.

Public Information Officer (PIO)
Responsible for managing all internal and external communications.
Work with internal teams and also external firms where appropriate.
Create and maintain drafts with a high level of sensitivity and confidentiality.
Prepare talking points and craft FAQs related to the breach (with support of the CISO and CPO).
Legal Counsel
Conduct investigations of reports related to breaches.
Review all communications with the PIO and Stakeholders.
Work with external counsel to support any additional investigations related to the breach.

External Entities
Federal Bureau of Investigation (FBI)
Department of Homeland Security (DHS)
Secret Service (USSS)
Media (local and any others who may make contact)
Recommended Plans to support the IRAP Process:
Communications: the PIO and communications team should work in conjunction with stakeholders and experts to communicate the incident to a variety of audiences:
Executive leadership: these should be informational (FYI) and prepared in case of external interest from parties such as concerned citizens and the press. They should be neutral and clear, with minimal sensitive data.
Staff updates and next steps: communications should work with the above team to prepare a concise summary of the incident, next steps, and any fixes or tasks for staff to undertake as remediation.
Communications should work with Legal to determine if any reports are due to stakeholders that might present a concern for public safety in general. If so, similar to the executive summary, these should be prepared along with the remediation and an after-action report.
The after-action report should be prepared with the support of communications but written by the SMEs who worked directly on the issue, diagnosis, and remediation. It should be supported by an outline of the current state and future state of the system. Sensitive information should be added as appropriate, taking into consideration public records access.
Incident Response Resources
a. National Cyber Awareness System
b. United States Computer Emergency Response Team
c. NIST Framework
d. TechTarget
EXAMPLE OF SECURITY INCIDENT AND FLOW:


➢ 1. Issue flagged (site down; an employee uses a contact method, whether phone, portal, or instant message, to contact the first point in the chain).
➢ 2. Issue escalated to the Helpdesk.
➢ 3. Helpdesk uses the internal guide to determine the impact of the issue and triages accordingly.
➢ 4. Based on the severity of the issue identified (in this case P1: impacting most users), Helpdesk contacts the relevant teams.
➢ 5. The relevant team uses a diagnostic tool to determine the type of event within the impacted system.
➢ 6. If the issue is clearly identified and contained internally, then the relevant team works with the internal communications team to issue an internal message to staff with high-level information relating to the issue, including systems impacted and next steps, including any necessary system updates.
➢ 7. If the issue is identified but not resolved and continues to impact a growing number of users, the response team may need to escalate and request assistance from further teams.
➢ 8. If the issue is classed as impacting external users or raises any legal concerns, then Legal must be contacted and brought into triage, both to advise and to prepare and draft communications with the PIO and the main stakeholders involved.
➢ 9. If the issue continues and is not contained, the next governmental entity must be contacted and appropriate measures taken in relation to external and internal system safety and the legal regulation relating to the incident, and communications must be issued in a timely way.
➢ 10. Once the issue is contained, teams identify any data or systems impacted and complete any appropriate remediation of the issue.
➢ Recovery and Remediation
➢ 11. Forensic analysis of the issue, an after-action report, and next steps are generated.
➢ 12. A review is conducted and submitted to the authorities as a point of record.