Deloitte is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to
provide audit, consulting, financial advisory, risk management, and tax services to selected clients. These firms are members of Deloitte
Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee. Each member firm provides services in a particular geographic
area and is subject to the laws and professional regulations of the particular country or countries in which it operates. DTTL does not itself
provide services to clients. DTTL and DTTL member firm are separate and distinct legal entities, which cannot obligate the other entities. DTTL
and each DTTL member firm are only liable for their own acts or omissions, and not those of each other. Each of the member firms operates
under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche Tohmatsu", or other related names. Each DTTL member firm is structured
differently in accordance with national laws, regulations, customary practice, and other factors, and may secure the provision of professional
services in their territories through subsidiaries, affiliates, and/or other entities.
Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the
member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte
Central Europe Holdings Limited, which are separate and independent legal entities.
REVISION HISTORY
Rev. | Description of Change | Author | Date | Approved by (Name) | Effective Date
1.   |                       |        |      |                    |
2.   |                       |        |      |                    |
3.   |                       |        |      |                    |
RELATED ARTIFACTS
ISO/IEC 27002:2005
ISO/IEC 27005:2008
1. Introduction
1.1 Purpose
The purpose of this document is to provide instructions to respond to computer security-related incidents.
1.2 Scope
The CE Incident Management Plan applies to all Firm personnel, including contractors, visitors and other
relevant identified third parties.
The owner and the approver of this document is the CSO.
The CSO is responsible for its maintenance and publication, the CE Incident Reporting Desk for its regular
review/update.
1.3 Definitions
Information Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. (Source: ISO18)
Information Security Weakness: A condition or circumstance that poses a reasonably apparent risk of unauthorized access to confidential information, unauthorized access to computers or networks, damage to or interference with computers or networks, or loss of information.
Information Security Breach: An external act that bypasses or contravenes security policies, practices, or procedures. A similar internal act is called a security violation.
2. Issue Statement
Deloitte must be able to respond to computer security-related incidents in a manner that protects its own
information and helps to protect the information of others that might be affected by the incident.
Despite even the most effective safeguards, it is inevitable that incidents will occur which highlight or
involve security problems. All incidents of this kind should be reacted to as quickly and effectively as
possible. Furthermore, lessons should be learned from these incidents so that similar problems can be
avoided in the future. It is possible to learn from these incidents by identifying weaknesses and increasing
safeguards where necessary. This policy governs the procedures for reacting to security-relevant incidents
and for reporting them, in order to limit reaction time and damage.
3. Management Summary
All security measures can be divided into three tenets: prevention, detection and response.
The objective is to provide strong and clear processes, based on existing resources, to achieve the
following:
- Security incident identification
- Security emergency situation verification
- An organizational framework to develop and implement immediate countermeasures, as well as a solution for the security incident
The following processes have been identified and developed within this concept:
- Security incident identification and reporting
- Resolving a security emergency situation (steps to take to initiate immediate countermeasures)
4. General Information
Attacks can originate from external as well as internal sources: a hacker could be an employee, perhaps a
disgruntled one, as well as an external attacker.
A security emergency situation exists if the source of the misbehavior is a security incident and at least
one of the following statements is true:
- The availability of Deloitte's infrastructure (e.g. network) is restricted or in danger.
- The number of reported security incidents increases within a short time.
- The same or a similar security incident is reported from different Deloitte offices within a short time.
- Business-critical information or systems are under attack.
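The four emergency criteria above are the kind of correlation rule an incident desk would run over the incoming reports rather than judge by hand. The following is an added example, not Deloitte's own code or tooling: it evaluates the criteria over a list of incident reports and names which criteria are met. The plan gives no numbers for "a short time" or for how many reports count as an increase, so the window length, the surge factor and the office count are assumptions (keyword arguments), and the offices, categories and timestamps in the sample data are constructed. Criterion 2 is generalized slightly: the count in the current window is compared with the count in the preceding window of equal length, which is what "increases within a short time" means operationally.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not Deloitte's code). Thresholds are assumptions, since the
# plan only says "a short time" and "increases".


@dataclass
class IncidentReport:
    reported_at: datetime
    office: str                 # reporting Deloitte office (constructed names)
    category: str               # incident type as pre-qualified by the Reporting Desk
    availability_restricted: bool = False   # criterion 1: infrastructure availability hit
    business_critical: bool = False         # criterion 4: business-critical asset under attack


def emergency_reasons(reports, now, window=timedelta(hours=4),
                      surge_min=5, surge_factor=2.0, office_min=2):
    """Return the list of emergency criteria from the plan that are met
    by the reports inside the current window. Empty list = no emergency."""
    recent = [r for r in reports if now - window < r.reported_at <= now]
    prior = [r for r in reports
             if now - 2 * window < r.reported_at <= now - window]
    reasons = []

    # 1. Availability of the infrastructure is restricted or in danger.
    if any(r.availability_restricted for r in recent):
        reasons.append("availability")

    # 2. Number of reported incidents increases within a short time:
    #    at least surge_min reports now, and more than surge_factor times
    #    the count of the preceding window of equal length.
    if len(recent) >= surge_min and len(recent) > surge_factor * len(prior):
        reasons.append("surge")

    # 3. The same/similar incident reported from different offices.
    offices_by_category = {}
    for r in recent:
        offices_by_category.setdefault(r.category, set()).add(r.office)
    if any(len(offices) >= office_min for offices in offices_by_category.values()):
        reasons.append("multi-office")

    # 4. Business-critical information or systems under attack.
    if any(r.business_critical for r in recent):
        reasons.append("business-critical")

    return reasons


def is_emergency(reports, now, **thresholds):
    return bool(emergency_reasons(reports, now, **thresholds))


# Constructed sample reports: fictitious offices, categories and times.
NOW = datetime(2024, 1, 15, 10, 0)
SAMPLE = [
    IncidentReport(NOW - timedelta(hours=3), "Prague", "malware"),
    IncidentReport(NOW - timedelta(hours=2), "Warsaw", "malware"),
    IncidentReport(NOW - timedelta(minutes=30), "Budapest", "phishing"),
]
BENIGN = [
    IncidentReport(NOW - timedelta(hours=1), "Prague", "lost-token"),
]

if __name__ == "__main__":
    print(emergency_reasons(SAMPLE, NOW))   # ['multi-office']
    print(emergency_reasons(BENIGN, NOW))   # []
```

Returning the list of reasons rather than a bare yes/no lets the Reporting Desk record why the emergency procedure was triggered, which is the information the later "Get Overview of Situation" step needs.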
4.2 Assumptions
Another important assumption is that most security incidents at Deloitte will be reported by end users who
claim to be a victim. In most cases (more than 50 %) the cause of the misbehavior will not be a security
incident; in these cases the resulting action is to solve the support issue.
5. Processes
The following processes describe the detailed steps to take:
- Security incident identification and reporting
- Resolving security incidents and malfunctions, i.e. the emergency situation (steps to take to initiate immediate countermeasures)
All suspected Information Security incidents must be reported promptly to the CE Incident Reporting Desk.
An Information Security incident can be defined as any occurrence which in itself does not necessarily
compromise Information Security, but which could result in it being compromised.
An example: due to a virus infection, the user's computer started to run more applications simultaneously,
the system slowed down, and the user was not able to stop the computer without a restart.
Information Security incidents must be reported to outside authorities whenever this is required to comply
with legal requirements or regulations. Only the CSO has the right to contact the authorities.
Deloitte may be obliged to report certain Information Security incidents to external authorities, such as:
third party associates (for example ISP or customer) and law enforcement agencies.
Any Information Security breaches must be reported without any delay to the CE Incident Reporting Desk
to speed the identification of any damage caused, any restoration and repair and to facilitate the gathering
of any associated evidence.
Note: Delays in commencing investigations by the CE Incident Reporting Desk can greatly increase the
potential losses associated with the reported breach.
All identified or suspected Information Security weaknesses are to be notified immediately to the CE
Incident Reporting Desk.
Information Security weaknesses can manifest themselves in the area of software and physical access to
restricted areas.
Employees are expected to remain vigilant for possible fraudulent activities. Employees must comply with
the Firm's Security Policy and the other related policies.
Information Security incidents must be properly investigated by suitably trained and qualified personnel.
The investigation of an Information Security incident must identify its cause and appraise its impact on Firm
systems or data. This will help in planning how to prevent a reoccurrence.
Evidence relating to an Information Security breach must be properly collected and forwarded to the CE
Incident Reporting Desk and the CSO.
Evidence of an Information Security breach must be collected to comply with statutory, regulatory or
contractual obligations and to avoid breaches of criminal or civil law. Advice on specific legal requirements
should be sought from the organization's legal advisors.
Evidence relating to a suspected Information Security breach must be formally recorded and processed.
The practice of recording all aspects of Information Security breaches helps Deloitte develop preventative
measures which minimize the likelihood of a reoccurrence. Such reports must contain a full account of
the actions undertaken by staff (and any third parties) who contained the breach.
CE Incident Reporting Desk must respond rapidly but calmly to all Information Security incidents, liaising
and coordinating with colleagues to both gather information and offer advice.
All Information Security incidents have to be evaluated according to their particular circumstances, and this
may, or may not, require various departments to be involved: Technical, Human Resources, Legal and the
owners of information (local department heads). If it appears that disciplinary action against a member of
staff is required, this must be handled with tact.
Breaches of confidentiality must be reported to the CE Incident Reporting Desk as soon as possible.
A breach of confidentiality is usually a disclosure of information. It must be considered an Information
Security incident and treated accordingly. This policy covers breaches of confidentiality arising from a
breach of an employee's Terms and Conditions and from non-compliance with a Non-Disclosure
Agreement.
Example 1: A third-party contractor leaks Deloitte confidential information about the organization's product
to a rival, causing Deloitte a financial loss.
Example 2: An employee discloses confidential information to a fellow employee, who then makes the
information public, to the detriment of the organization.
As soon as the CE Incident Reporting Desk receives such a report, the following actions take place:
- Notification is issued to the information owner, the Legal department and the manager of the employee (or contractor) who disclosed the information
- The account and access credentials of the employee (contractor) are disabled until the end of the incident investigation
- The investigation team starts the investigation immediately
- Deloitte authority is notified about the incident details
- Deloitte authority notifies third parties (if involved)
- Corrective actions are taken to minimize the damage of the disclosure and to prevent reoccurrence in the future.
During the investigation of Information Security incidents, dual control and the segregation of duties are to
be included in procedures to strengthen the integrity of information and data.
Dual control and/or segregation of duties can be used to divide the responsibility of the completion of a
process into separate, accountable actions, or to safeguard integrity (for example, of an Information
Security investigation). Information Security issues to be considered when implementing your policy
include the following:
An investigation of an Information Security incident may be compromised if a member of staff has access
to an audit trail that recorded their actions during the incident. While maintaining the required level of
confidentiality concerning potential incidents, the investigator should, at the appropriate time, share his/her
suspicions and findings with other responsible persons in the affected departments to ensure that proper
action can be taken.
Information relating to Information Security incidents may only be released by authorized persons.
Maintaining confidentiality of Information Security incidents whilst they are being investigated is important
for the reputation of Deloitte.
7.2 Security Incident Identification and Reporting
(a) Process Description
Start: The first contact for any end user is the CE Incident Reporting Desk.
Contact the CE Incident Reporting Desk:
If an end user claims to be the victim of a security incident, he/she calls the CE Incident Reporting Desk.
Pre-qualify possible security incident:
The CE Incident Reporting Desk staff checks if the request is really based on a security incident.
Is this a security incident?
If a security incident can be identified, the seriousness of this incident needs to be determined. If it is 100%
certain that it is not a security incident, the CE Incident Reporting Desk creates an IT Support issue and
resolves it.
Is solution well known?
By examining the available documents (internal and external), the CE Incident Reporting Desk can determine
whether there is already a well-known solution to the problem.
Resolve security incident individually:
If a solution is already available, then Deloitte is in general prepared to defend against the attack, and
therefore it is most likely not a major attack. In this case, the security incident must be solved individually
by the CE Incident Reporting Desk support according to the recommendation of the solution, e.g. an external
solution (e.g. from a vendor) or an IS internal solution.
Report Security Incident to the management:
To understand the current threats at Deloitte, central incident reporting is needed, and statistics must be
developed as well.
Get Overview of Situation:
All information that has been collected through the process so far must be quickly reviewed to make an
assessment of the situation.
Develop and agree on immediate countermeasures:
The main task is to identify the security incident, that is, to know exactly what the problem is. The next step
is to agree on immediate countermeasures and collect them in an action plan. In some cases, the immediate
countermeasures are the solution. In other cases, the immediate countermeasures only isolate the problem,
e.g. to avoid the further spread of a virus. In any case, a final solution must be provided and developed
during the lifetime of the task force.
Incident handling process:
During the incident handling process, the developed solution must be implemented to get rid of the security
incident or vulnerability.
8. Reporting
The incidents shall be reported periodically to the management for review. The management review report
should be stored in Meridio in an encrypted folder.
9. Verification
The integrity of the business system and its controls must be confirmed after an information security incident
has taken place. It must be verified without delay that the system did not suffer any loss of integrity or, failing
that, that it is backed up without loss.
If a user suspects a virus infection, the local IT Team must act according to the following checklist:
- Turn the PC off.
- Remove the HDD from the possibly infected PC and insert it into an IT reserve PC as a slave HDD.
- Perform an offline backup of the necessary data, if needed.
- Run the Virus Scan tool (it is assumed that the latest signatures from the antivirus vendor are in place).
- If an infection is found:
  o Find the virus description at the antivirus vendor site http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
  o Notify the CE Incident Reporting Desk.
  o According to the virus description, check all other possibly infected PCs and files.
  o Issue a virus alert if users can help to remove the virus.
  o If the local IT Team cannot remove the virus, the CE Incident Reporting Desk must contact the Deloitte IT Security Team for further support.
- If no virus was found, return the HDD to the original PC, disconnect the PC from the network and investigate the problem together with the user. When it has been verified that the PC is not infected, it can be connected to the network again.
13. Miscellaneous
Applicability
In any situation where there is a conflict between the Policy and the applicable local law, the local law and
local policy/Country Unique Terms shall prevail.
Amendments
This Policy might be amended from time to time in accordance with the Applicable Laws.
Sanctions
Please note that every Employee and partner within Deloitte CE is individually responsible for understanding and
complying with this Policy. Violations of this Policy and the above-mentioned rules and prohibitions could subject
Employees and partners, after prior assessment of the situation, to disciplinary procedures according to
applicable local law (see Deloitte CE Policies No. 1202.13 and 1202.14). (In specific cases and in accordance
with applicable local law, such action could lead to the termination of the Employee's relationship with the
respective Affiliate of Deloitte CE.)
Violation of this Policy can also, as the case may be, lead to civil and criminal liability in accordance with
the Applicable Law of the respective Deloitte CE Affiliate. Deloitte CE will cooperate with any legitimate law
enforcement activity.