
Deloitte CE *

DCE Incident Management Plan

Issue Date: April 1, 2011
Effective Date: April 1, 2011

*
Deloitte is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to
provide audit, consulting, financial advisory, risk management, and tax services to selected clients. These firms are members of Deloitte
Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee. Each member firm provides services in a particular geographic
area and is subject to the laws and professional regulations of the particular country or countries in which it operates. DTTL does not itself
provide services to clients. DTTL and each DTTL member firm are separate and distinct legal entities, which cannot obligate each other. DTTL
and each DTTL member firm are only liable for their own acts or omissions, and not those of each other. Each of the member firms operates
under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche Tohmatsu", or other related names. Each DTTL member firm is structured
differently in accordance with national laws, regulations, customary practice, and other factors, and may secure the provision of professional
services in their territories through subsidiaries, affiliates, and/or other entities.

Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the
member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte
Central Europe Holdings Limited, which are separate and independent legal entities.

REVISION HISTORY

Rev.  Description of Change  Author  Approved (Name / Date)  Effective Date
1.
2.
3.

RELATED ARTIFACTS

Ref.   Related Documents
SP     1620.01 Security Policy
ISO27  ISO/IEC 27000:2009
       ISO/IEC 27001:2005
       ISO/IEC 27002:2005
       ISO/IEC 27005:2008

Acronyms & Abbreviations


CE Central Europe
DCE Deloitte Central Europe
CSO Chief Security Officer
CIO Chief Information Officer

1. Introduction

1.1 Purpose

The purpose of this document is to provide instructions to respond to computer security-related incidents.

1.2 Scope

The CE Incident Management Plan applies to all Firm personnel, including contractors, visitors and other
relevant identified third parties.
The owner and approver of this document is the CSO.
The CSO is responsible for its maintenance and publication; the CE Incident Reporting Desk is responsible
for its regular review and update.

1.3 Definitions

Information Security Incident (source: ISO18)
    A single or a series of unwanted or unexpected information security events that have a significant
    probability of compromising business operations and threatening information security.

Information Security Weakness
    A condition or circumstance that poses a reasonably apparent risk of unauthorized access to confidential
    information, unauthorized access to computers or networks, damage to or interference with computers or
    networks, or loss of information.

Information Security Breach
    An external act that bypasses or contravenes security policies, practices, or procedures. A similar
    internal act is called a security violation.

2. Issue Statement
Deloitte must be able to respond to computer security-related incidents in a manner that protects its own
information and helps to protect the information of others that might be affected by the incident.
Despite even the most effective safeguards, it is inevitable that incidents will occur which highlight or
involve security problems. All incidents of this kind must be reacted to as quickly and effectively as
possible. Furthermore, lessons must be learned from these incidents so that similar problems can be
avoided in the future: by identifying weaknesses and strengthening safeguards where necessary. This plan
governs how to react to security-relevant incidents and how they are to be reported, in order to limit
reaction time and damage.

3. Management Summary
All security measures fall into one of three categories: prevention, detection and response.
The objective is to provide strong and clear processes, based on existing resources, to achieve the
following:
Security incident identification
Security emergency situation verification
An organizational framework to develop and implement immediate countermeasures, as well as a solution
for the security incident
The following processes have been identified and developed within this concept:
Security incident identification and reporting
Resolving a security emergency situation (steps to take to initiate immediate countermeasures)

4. General Information

4.1 Categories of Security Incidents

Security incidents are categorized as follows:

Category 1
  Description: Malicious code: virus, worm or Trojan horse
  Target:      Destroy, delete, modify or steal information and/or programs
  Method:      Automated tools, often self-replicating, often with self-hiding (stealth) methods

Category 2
  Description: Vulnerability or trapdoor exploited by a person (hacking)
  Target:      Destroy, delete, modify or steal information and/or programs; use a hijacked system as the
               next step towards more important targets; use a hijacked system as part of a distributed
               denial of service attack
  Method:      Manual process driven by a hacker, often supported by hacker tools

Category 3
  Description: Denial of service attack
  Target:      Make an important service permanently or partly unavailable
  Method:      Manual, often automated, process driven by a hacker or special tools

Category 4
  Description: Misuse of information systems
  Target:      Destroy, delete, modify or steal information and/or programs
  Method:      Manual process driven by an employee, sometimes supported by automated tools

Category 5
  Description: Errors resulting from incomplete or inaccurate business data
  Target:      Modify or delete information
  Method:      N/A

Category 6
  Description: Information system failures, loss of service
  Target:      Any information system or service
  Method:      N/A

Attacks can originate from external as well as internal sources; a hacker may be an employee, possibly a
disgruntled one, as well as an external attacker.
A security emergency situation exists if the source of the misbehavior is a security incident and at least
one of the following statements is true:
The availability of Deloitte's infrastructure (e.g. the network) is restricted or in danger.
The number of reported security incidents increases within a short time.
The same or a similar security incident is reported from different Deloitte offices within a short time.
Business-critical information or systems are under attack.
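The four emergency criteria above are what the CE Incident Reporting Desk has to evaluate over the stream of reports it receives. The following is an added example (not tooling from the plan or from Deloitte) that encodes them as a sliding-window check over a batch of incident reports; the report fields, the four-hour window, the surge threshold of five reports and the two-office threshold are assumptions chosen for illustration, and the sample reports are constructed.

```python
"""Security emergency check over a batch of incident reports (added example).

Encodes the plan's four emergency criteria as a sliding-window check:
  1. infrastructure availability restricted or in danger
  2. number of reported incidents rises within a short time
  3. same/similar incident reported from different offices within a short time
  4. business-critical information or systems under attack
Window length, thresholds and the report format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    when: datetime
    office: str
    category: int                    # 1..6 as in section 4.1 of the plan
    summary: str
    critical_target: bool = False    # criterion 4, flagged by the reporter (assumption)
    availability_impact: bool = False  # criterion 1, flagged by the reporter (assumption)


WINDOW = timedelta(hours=4)       # "short time" (assumption)
SURGE_THRESHOLD = 5               # reports within WINDOW (assumption)
MULTI_OFFICE_THRESHOLD = 2        # distinct offices reporting the same category (assumption)


def emergency_reasons(reports, now):
    """Return the list of emergency criteria met at time `now`; empty means no emergency."""
    recent = [r for r in reports if now - WINDOW <= r.when <= now]
    reasons = []

    if any(r.availability_impact for r in recent):
        reasons.append("infrastructure availability restricted or in danger")

    if len(recent) >= SURGE_THRESHOLD:
        reasons.append(f"{len(recent)} incidents reported within the last {WINDOW}")

    # Same category seen from several offices inside the window: the clearest
    # sign of a spreading worm or a coordinated attack rather than a local problem.
    offices_by_category = {}
    for r in recent:
        offices_by_category.setdefault(r.category, set()).add(r.office)
    for category, offices in sorted(offices_by_category.items()):
        if len(offices) >= MULTI_OFFICE_THRESHOLD:
            reasons.append(
                f"category {category} reported from {len(offices)} offices "
                f"({', '.join(sorted(offices))})"
            )

    critical = [r for r in recent if r.critical_target]
    if critical:
        reasons.append("business-critical target under attack: "
                       + "; ".join(r.summary for r in critical))
    return reasons


def is_emergency(reports, now):
    return bool(emergency_reasons(reports, now))


# Constructed sample reports (not real data). The last one lies outside the window.
T0 = datetime(2011, 4, 1, 9, 0)
NOW = T0 + timedelta(hours=1)
SAMPLE_REPORTS = [
    Report(T0 + timedelta(minutes=5), "Prague", 1, "worm on workstation PRG-014"),
    Report(T0 + timedelta(minutes=40), "Budapest", 1, "same worm on BUD-101"),
    Report(T0 + timedelta(minutes=55), "Warsaw", 4, "USB stick with client data left in meeting room"),
    Report(T0 - timedelta(days=3), "Prague", 1, "old infection, outside the window"),
]
# Same batch plus one report that hits criteria 1 and 4 at once.
ESCALATED = SAMPLE_REPORTS + [
    Report(NOW, "Prague", 3, "DoS against the central file server",
           critical_target=True, availability_impact=True),
]

if __name__ == "__main__":
    for reason in emergency_reasons(ESCALATED, NOW):
        print("EMERGENCY:", reason)
```

The window is evaluated relative to `now` rather than to the newest report, so a stale batch does not keep an emergency open; the old Prague report is correctly ignored. Note that a single report from one office never trips criteria 2 or 3: those two criteria are only meaningful across the whole CE region, which is why the plan routes every report through one central desk.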

4.2 Assumptions

One assumption is that every security alert either:
Will be reported to the CE Incident Reporting Desk, or
Can be identified by the CE Incident Reporting Desk through active monitoring.

Another important assumption is that most security incidents at Deloitte will be reported by end users who
believe they are a victim. In most cases (more than 50 %) the cause of the misbehavior will not be a
security incident; in these cases the resulting action is to resolve the support issue.
5. Processes
The following processes describe the detailed steps to take:

Security incident identification and reporting
Resolving security incidents and malfunctions, including the security emergency situation (steps to take
to initiate immediate countermeasures)

5.1 Reporting Security Incidents

(a) Reporting Information Security Incidents

All suspected Information Security incidents must be reported promptly to the CE Incident Reporting Desk.
An Information Security incident can be defined as any occurrence which in itself does not necessarily
compromise Information Security, but which could result in it being compromised.
Example: due to a virus infection, the user's computer starts running more applications simultaneously,
the system slows down, and the user cannot stop it other than by restarting.

(b) Reporting IS Incidents to Outside Authorities

Information Security incidents must be reported to outside authorities whenever this is required to comply
with legal or regulatory requirements. Only the CSO is authorized to contact the authorities.
Deloitte may be obliged to report certain Information Security incidents to external parties, such as
third-party associates (for example an ISP or a customer) and law enforcement agencies.

(c) Reporting Information Security Breaches

Any Information Security breaches must be reported without any delay to the CE Incident Reporting Desk
to speed the identification of any damage caused, any restoration and repair and to facilitate the gathering
of any associated evidence.
Note: Delays in commencing investigations by the CE Incident Reporting Desk can greatly increase the
potential losses associated with the reported breach.

(d) Notifying Information Security Weaknesses

All identified or suspected Information Security weaknesses are to be notified immediately to the CE
Incident Reporting Desk.
Information Security weaknesses can manifest themselves in software as well as in physical access to
restricted areas.

(e) Being Alert for Fraudulent Activities

Employees are expected to remain vigilant for possible fraudulent activities. Employees must comply with
the Firm's Security Policy and the other related policies.

(f) Investigating the Cause and Impact of IS Incidents

Information Security incidents must be properly investigated by suitably trained and qualified personnel.
The investigation of an Information Security incident must identify its cause and appraise its impact on Firm
systems or data. This helps in planning how to prevent a recurrence.

5.2 Resolving Security Incidents and Malfunctions

(a) Collecting Evidence of an Information Security Breach

Evidence relating to an Information Security breach must be properly collected and forwarded to the CE
Incident Reporting Desk and the CSO.

Evidence of an Information Security breach must be collected so as to comply with statutory, regulatory or
contractual obligations and to avoid breaches of criminal or civil law. Advice on specific legal requirements
should be sought from the organization's legal advisors.

(b) Recording Information Security Breaches

Evidence relating to a suspected Information Security breach must be formally recorded and processed.
The practice of recording all aspects of Information Security breaches helps Deloitte develop preventive
measures which minimize the likelihood of a recurrence. Such reports must contain a full account of the
actions undertaken by staff (and any third parties) who contained the breach.

(c) Responding to Information Security Incidents

CE Incident Reporting Desk must respond rapidly but calmly to all Information Security incidents, liaising
and coordinating with colleagues to both gather information and offer advice.
All Information Security incidents have to be evaluated according to their particular circumstances, and this
may, or may not, require various departments to be involved: Technical, Human Resources, Legal and the
owners of information (local department heads). If it appears that disciplinary action against a member of
staff is required, this must be handled with tact.

(d) Breaching Confidentiality

Breaches of confidentiality must be reported to the CE Incident Reporting Desk as soon as possible.
A breach of confidentiality is usually a disclosure of information. It must be considered an Information
Security incident and treated accordingly. This policy covers breaches of confidentiality arising from a
breach of an employee's Terms and Conditions and from non-compliance with a Non-Disclosure
Agreement.
Example 1: A third-party contractor leaks Deloitte confidential information about the organization's product
to a rival, causing Deloitte a financial loss.
Example 2: An employee discloses confidential information to a fellow employee, who then makes the
information public, to the detriment of the organization.

(e) CE Incident Reporting Desk Action Plan

As soon as the CE Incident Reporting Desk receives such a report, the following actions take place:
Notification is issued to the information owner, the Legal department and the manager of the employee
(or contractor) who disclosed the information.
The account and access credentials of the employee (or contractor) are disabled until the end of the
incident investigation.
The investigation team starts the investigation immediately.
The responsible Deloitte authority is notified of the incident details.
The Deloitte authority notifies third parties (if involved).
Corrective actions are taken to minimize the damage of the disclosure and prevent a recurrence in the
future.

(f) Establishing Dual Control / Segregation of Duties

During the investigation of Information Security incidents, dual control and segregation of duties are to
be built into procedures to protect the integrity of information and data.
Dual control and/or segregation of duties divide responsibility for completing a process into separate,
accountable actions, or safeguard integrity (for example, of an Information Security investigation).
Information Security issues to be considered when implementing this policy include the following:

An investigation of an Information Security incident may be compromised if a member of staff has access
to an audit trail that recorded their own actions during the incident. While maintaining the required level
of confidentiality about potential incidents, the investigator should, at the appropriate time, share his/her
suspicions and findings with the other responsible persons in the affected departments so that proper
action can be taken.

6. Incident management procedures


Where a risk assessment has identified an abnormally high risk of electronic eavesdropping and / or
espionage activities, all employees will be alerted and reminded of the specific threats and the specific
safeguards to be employed.

6.1 Monitoring Confidentiality of Information Security Incidents

Information relating to Information Security incidents may only be released by authorized persons.
Maintaining confidentiality of Information Security incidents whilst they are being investigated is important
for the reputation of Deloitte.

7. Deloitte Incident Response Processes


The following processes describe the detailed steps to take:
Security incident identification and reporting
Resolving security emergency situation (steps to take to initiate immediate countermeasures)

7.1 Process Overview

7.2 Security Incident Identification and Reporting

(a) Process Description

Start: The first point of contact for any end user is the CE Incident Reporting Desk.
Contact the CE Incident Reporting Desk:
If an end user believes they are the victim of a security incident, they call the CE Incident Reporting Desk.
Pre-qualify possible security incident:
The CE Incident Reporting Desk staff check whether the request is really based on a security incident.
Is this a security incident?

If a security incident can be identified, its seriousness must be determined. If it is certain that it is not a
security incident, the CE Incident Reporting Desk creates an IT Support issue and resolves it.
Is the solution well known?
By examining the available documents (internal and external), the CE Incident Reporting Desk determines
whether a well-known solution to the problem already exists.
Resolve security incident individually:
If a solution is already available, Deloitte is in general prepared to defend against the attack, and it is
therefore most likely not a major attack. In this case the security incident is resolved individually by the
CE Incident Reporting Desk support, following the recommended solution (e.g. an external solution from a
vendor, or an IS-internal solution).
Report security incident to management:
To understand the current threats at Deloitte, central incident reporting is needed; it is also necessary to
develop statistics from these reports.

7.3 Resolving Security Emergency Situation

(a) Process Description

Start: Security emergency alert by the CE Incident Reporting Desk.

Get Overview of Situation:
All information that has been collected through the process so far must be quickly reviewed to make an
assessment of the situation.
Develop and agree on immediate countermeasures:
The main task is to identify the security incident, that is, to know exactly what the problem is. The next step
is to agree on immediate countermeasures and collect them in an action plan. In some cases the immediate
countermeasures are the solution. In other cases they only isolate the problem, e.g. to prevent the further
spread of a virus. In any case, a final solution must be developed and provided during the lifetime of the
task force.
Incident handling process:
During the incident handling process, the developed solution must be implemented to get rid of the security
incident or vulnerability.

8. Reporting
The incidents shall be reported periodically to the management for review. The management review report
should be stored in Meridio in an encrypted folder.

9. Verification
The integrity of the business system and its controls must be confirmed after an information security
incident. It must be verified without delay that the system did not suffer any loss of integrity or, if it did,
that it can be restored from backup without loss.

10. Learning from Incidents


The use of information systems must be monitored regularly with all unexpected events recorded and
investigated. Such systems must also be periodically audited with the combined results and history to
strengthen the integrity of any subsequent investigations.
Information systems are monitored and audited regularly. Owing to this, the integrity and reliability of
Security Incident investigations is greatly enhanced.
System failures may be the result of malicious activity, but differentiating these failures from hardware or
known software bug failures requires experience and expertise. Therefore, the CE Incident Reporting Desk
staff is regularly trained to increase its preparedness to defend against security incidents.
Incomplete analysis of a system failure may not reveal that the failure was due to malicious activity, thus
leaving a back door opportunity for future disruption of services. To avoid this, each security incident report
in Deloitte is reviewed by the CIO.

11. Deloitte Information Security Incident Solving Example

11.1 Virus Removal

If a user suspects a virus infection, the local IT Team must act according to the following checklist:
Turn the PC off.
Remove the HDD from the possibly infected PC and attach it to an IT reserve PC as a secondary (slave) drive.
Attach it read-only (or behind a write blocker) where possible, so that the evidence on the disk required
under section 5.2 (a) is not altered by the scan.
Perform an offline backup of necessary data, if needed.
Run the virus scan tool (it is assumed that the latest signatures from the antivirus vendor are in place).
If an infection is found:
o Look up the virus description on the antivirus vendor site: http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx

o Notify the CE Incident Reporting Desk.
o According to the virus description, check all other possibly infected PCs and files.
o Issue a virus alert if users can help to remove the virus.
o If the local IT Team cannot remove the virus, the CE Incident Reporting Desk must contact the Deloitte
IT Security Team for further support.
If no virus was found, return the HDD to the original PC, keep the PC disconnected from the network and
investigate the problem together with the user. Once it has been verified that the PC is not infected, it can
be reconnected to the network.
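Two steps of the plan rest on the same mechanism: the checklist above asks the local IT Team to "check all other possibly infected PCs and files" against the vendor's virus description, and section 9 (Verification) requires confirming after the incident that the system did not lose integrity. Both come down to hashing a file tree and comparing it, once against a list of known-bad hashes, once against a pre-incident manifest. The block below is an added example (not Deloitte's tooling and not from the plan) that does both with one helper. The "disk" is a constructed temporary directory, the file contents and the known-bad hash set are made up for the demonstration, and the symlink handling and the read-only mount it assumes are the engineer's own choices; on a real case the drive would be mounted read-only and the hashes taken from the vendor's write-up.

```python
"""Hash-based sweep and integrity check for a suspect disk (added example).

- find_known_bad(): files whose SHA-256 matches a vendor IOC list (section 11.1)
- diff_manifests():  added / removed / modified files relative to a pre-incident
                     manifest (section 9, Verification)
All sample data is constructed; nothing here is a real malware hash.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root.
    Symlinks are not followed and not hashed, so a planted link cannot drag
    files from outside the suspect disk into the manifest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def find_known_bad(manifest, known_bad):
    """Paths whose hash appears in the IOC set taken from the vendor description."""
    return sorted(path for path, digest in manifest.items() if digest in known_bad)


def diff_manifests(baseline, current):
    """Integrity verification: what changed since the pre-incident manifest."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def build_sample_disk():
    """Constructed stand-in for the slave drive: take a clean baseline, then
    simulate an infection (dropper added, a user document modified)."""
    root = Path(tempfile.mkdtemp(prefix="suspect-disk-"))
    (root / "Windows").mkdir()
    (root / "Users" / "jdoe").mkdir(parents=True)
    (root / "Windows" / "notepad.exe").write_bytes(b"clean notepad binary (constructed)")
    (root / "Users" / "jdoe" / "report.docx").write_bytes(b"quarterly report (constructed)")
    baseline = hash_tree(root)
    (root / "Windows" / "svchost32.exe").write_bytes(b"MALWARE SAMPLE (constructed)")
    (root / "Users" / "jdoe" / "report.docx").write_bytes(b"quarterly report (constructed) + macro")
    return root, baseline


# IOC set as it would be copied from the vendor write-up (constructed here).
KNOWN_BAD = {hashlib.sha256(b"MALWARE SAMPLE (constructed)").hexdigest()}


def run_checks():
    """Hash the suspect tree once and apply both checks to the same manifest."""
    root, baseline = build_sample_disk()
    try:
        current = hash_tree(root)
        return {
            "hits": find_known_bad(current, KNOWN_BAD),
            "diff": diff_manifests(baseline, current),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_checks()
    print("known-bad files:", result["hits"])
    print("changes since baseline:", result["diff"])
```

Hashing the tree once and reusing the manifest for both checks matters on a large disk; it also means the manifest itself can be handed to the CE Incident Reporting Desk as part of the evidence record required by section 5.2 (b). A hash match only catches files identical to the vendor's sample, so "no hits" is not "clean"; the diff against the baseline is what surfaces a variant the IOC list does not know.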

12. Services Overview of the Deloitte IT Security Team


The IT Security Team implements and delivers enterprise level security service including, but not limited to,
systems, applications and network security. The IT Security Team is responsible for the following:
Performing 24/7 network security monitoring and examining server logs for problems
Identifying, analyzing, measuring and recording security incidents
Giving recommendations for system improvements/upgrades
Virus removal from users' computers
Performing security checks of servers, workstations and laptops
Performing security audits of all existing platforms of servers and workstations
Performing vulnerability assessment of the Web applications and network security
Cooperating with the Global IT teams for resolving information security incidents
Evaluating, configuring and installing security-oriented software and applications
Participating in planning, installation and testing of security patches and changes
Developing IT security plans for individual projects
Participating in risk assessment of information resources
Taking part in external security audits
Coordinating security issues with 3rd party vendors for resolving new threats and security issues

The IT Security Team also takes part in the following processes:


Designing, integrating and administering company-wide security policies and guidelines
Taking a lead role in the information security incident response process

13. Miscellaneous

Applicability

In any situation where there is a conflict between the Policy and the applicable local law, the local law and
local policy/Country Unique Terms shall prevail.

Amendments

This Policy might be amended from time to time in accordance with the Applicable Laws.

Sanctions

Please note that every Employee and partner within Deloitte CE is individually responsible for understanding and
complying with this Policy. Violations of this Policy and the above-mentioned rules and prohibitions could subject
Employees and partners, after prior assessment of the situation, to disciplinary procedures according to
applicable local law; see Deloitte CE Policies No. 1202.13 and 1202.14. (In specific cases and in accordance
with applicable local law such action could lead to the termination of the Employee's relationship with the
respective Affiliate of Deloitte CE.)

Violation of this Policy can also, as the case may be, lead to civil and criminal liability in accordance with
the Applicable Law of the respective Deloitte CE Affiliate. Deloitte CE will cooperate with any legitimate law
enforcement activity.

