
ITSS_03 IT Security Standard – Security Incident Management

Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Next review date: 7 June 2017

Standard Statement
Appropriate information security controls reduce the likelihood and impact of
security incidents. The purpose of this standard is to set out the rules for timely
and effective handling of information security incidents.

Purpose
An information security incident is a suspected or confirmed violation of the
integrity, availability or confidentiality of UNSW IT assets. The outcome of an
information security incident could be financial, availability or reputational loss
to UNSW. Security incidents can originate from intentional (deliberate actions
against information) or unintentional actions. In general, an information
security incident is any violation of the UNSW’s IT Security Policy.

Scope
This standard applies to all users of Information and Communication
Technology resources – including (but not limited to) staff (including casuals),
students, consultants and contractors, third parties, agency staff, alumni,
associates and honoraries, conjoint appointments and visitors to the
University.

Are Local Documents on this subject permitted? ☐ Yes ☐ Yes, subject to any areas specifically restricted within this Document ☐ No

Standard

1. Controls..................................................................................................................................... 1
1.1 Preparation & Protection against Security Incidents .................................................... 1
1.2 Security Incident Detection & Reporting ....................................................................... 2
1.3 Security Incident Analysis & Escalation ........................................................................ 2
1.4 Security Incident Handling ............................................................................................ 3
1.5 Post Security Incident Review ...................................................................................... 3
2. Control Exceptions .................................................................................................................... 3
3. ISMS Mapping with Industry Standards ................................................................................... 4
4. Document Review, Approval and History ................................................................................. 4
4.1 Quality Assurance ......................................................................................................... 4
4.2 Sign Off ......................................................................................................................... 4

1. Controls

1.1 Preparation & Protection against Security Incidents


UNSW has developed an Information Security Management System (ISMS) comprising Policies,
Standards and Guidelines. The framework is implemented to protect UNSW against current and emerging
security threats that could cause an information security incident.

As part of the ISMS implementation, UNSW operates specific security controls in order to reduce the
likelihood and impact of information security incidents. Specifically:

• Information security risk assessment - periodic risk assessments must be performed to identify
information risks and determine their likelihood and impact on UNSW operations, and to design
appropriate controls for risk mitigation (ITSS_17 Information Security Risk & Compliance
Management Standard).
• Information systems protection - all UNSW servers and end user computing hardware must be
hardened appropriately through security updates/patches and the installation of anti-virus software
(ITSS_04 Vulnerability Management Standard).
• Network architecture design and reviews - The network must be securely designed and configured.
The network architecture must be reviewed on a periodic basis to ensure its appropriateness
(ITSS_15 Network Security Standard).

Security Incident Management Standard – ITSS_03 Page 1 of 4


Version 1.0 Effective 7 June 2016
• IT system configuration health check reviews – IT systems and network component configurations
must be reviewed to ensure that configuration remains in line with the system’s Baseline
Configuration and approved Requests for Change (RFCs) (ITSS_04 Vulnerability Management
Standard).
• Vulnerability assessments - vulnerability assessments must be executed in line with UNSW’s
Vulnerability Management Standard, to identify and remediate security flaws in information
systems and protect against malicious software (ITSS_04 Vulnerability Management Standard).
• Security awareness training - Security awareness training must be provided to all UNSW employees
and students as part of induction and as part of an annual security training program (ITSS_18
Human Resources Security Standard). Additional training must be provided to staff who are:
o Involved directly in security incident handling such as IT and security staff, to ensure that
their roles and responsibilities are clear and understood.
o Assigned privileged access rights to information systems, or who maintain access to UNSW’s
information classified as “Highly Sensitive”, “Sensitive”, “Private” or “Public” as per UNSW’s
Data Classification Standard.

1.2 Security Incident Detection & Reporting


1.2.1 All UNSW staff must understand what constitutes a potential information security incident,
how to report an incident, and what actions they must and must not take themselves.
1.2.2 All UNSW staff must contribute to the management of security incidents. All incidents must
be managed as per the local (Faculty, Divisions) and enterprise (UNSW IT) security
incident management plans / processes.

Example Security Incidents


• A computer virus (major outbreak).
• Disclosure of sensitive information (e.g. staff and student Personally Identifiable
Information (PII)) to unauthorised persons.
• Identification devices and / or removable media are lost or stolen.
• Passwords are stolen or disclosed.
• Unauthorised access to a UNSW information system or physical premises.
• Unauthorised personnel in a controlled area of UNSW such as a Faculty laboratory or
a UNSW IT computer room / Data Centre.
1.2.3 Where technically possible the detection and reporting of potential information security
incidents must be automated. Examples of automated detection and reporting include
alerts generated by:
• Anti-virus.
• Firewalls, IDS/IPS.
• SIEM.
• Protective and detective security services.
1.2.4 A threat management process must exist to triage and treat potential incidents that are
detected, and ensure that appropriate action is taken quickly and effectively without
adverse impact to UNSW business services.
1.2.5 UNSW must ensure that business partners and third parties maintaining direct or indirect
access to UNSW data, information and systems are contractually obliged to notify UNSW
in cases of security incidents affecting UNSW.

1.3 Security Incident Analysis & Escalation

1.3.1 Security incidents must be recorded, assessed, remediated and escalated as per local
(Faculty, Divisions) and enterprise (UNSW IT) security incident plans / processes. The process
must accommodate the need to handle incidents of a highly sensitive nature that may
require limited documentation.
1.3.2 All actual or suspected information security incidents must be classified on receipt
according to:
a) Defined incident types, identification of the potentially affected parties (internal and
external such as UNSW employees and business partners/third parties).
b) The potential impact to UNSW and the associated IT and network infrastructure.
1.3.3 Local (Faculty, Divisions) and Enterprise (UNSW IT) teams must coordinate with the
Customer Technology Services and Security Operations Teams to assess the nature and
criticality of the incident as per the Security Incident Handling Plan / Process (see Control
1.4.1), or close the incident with justification.
1.3.4 The Security Incident Management Team may include personnel from UNSW IT, Faculties,
Divisions, other UNSW specialist functions such as HR, Legal, Media and external incident
management Subject Matter Experts (SMEs).
1.3.5 During the assessment phase the incident may be escalated to a “disaster”, triggering the
ITSS_16 IT Recovery Standard and the respective IT Recovery Plan.
1.3.6 A documented escalation and communication process must be in place to ensure
appropriate stakeholders (e.g. senior management, ISSG, Information Security Task Force,
HR, Legal and Media) are alerted during a security incident. The incident may need to be
disclosed to:
a) UNSW Students and/or academic staff if the information security incident involves
material subject to Privacy laws and regulations, such as Personally Identifiable
Information (PII) and credit/debit card details.
b) Relevant state and commonwealth law enforcement agencies if the incident involves a
breach of regulatory obligations.
1.3.7 Legal advice must be sought from the UNSW Legal team before informing regulatory and/or
law enforcement agencies. UNSW Student Services must be engaged if the incident
involves a student or the broader student community.

1.4 Security Incident Handling


1.4.1 A documented Security Incident Response Process/Plan (according to the incident’s type
and nature) must be implemented which provides an analytical set of operational
instructions in order to assist UNSW’s Security Incident Management team to:
• Respond in a correct manner to detected security incidents including their
containment and eradication.
• Perform quick and efficient recovery from security incidents returning to either a
prior state, or a more secure state.
• Preserve the integrity of the relevant data and evidence for potential litigation (if
applicable).
• Interact with the media, including social media, to manage external visibility and
discussion around the incident.

1.5 Post Security Incident Review

1.5.1 A post security incident review is required for severity one information security incidents to
identify the root cause of the issue, and what improvements must be made to prevent
recurrence. After investigation, incidents must be re-classified (where appropriate)
according to the actual impact. Incidents that are judged to be ‘false alarms’ or ‘no impact’
must be recorded as such. This review must be completed within two weeks of the security
incident resolution.
1.5.2 A record of all suspected and actual information security incidents must be maintained,
including all actions taken in investigating, assessing and responding to information
security incidents.
1.5.3 The record of suspected and actual information security incidents must be regularly
reviewed as part of the information security management lifecycle to identify changes in the
threat environment that call for adjustments to the Information Security Risk Assessment
Process (Information Security Risk & Compliance Management), IT Security Policy, and/or
Security Standards and Procedures.

2. Control Exceptions
All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder.
Please refer to the ISMS Base Document for more detail.

3. ISMS Mapping with Industry Standards
The table below maps the ITSS_03 Security Incident Management Standard with the security domains of
ISO27001:2013 Security Standard and the Principles of Australian Government Information Security Manual.

ISO27001:2013                                      | Information Security Manual
---------------------------------------------------|----------------------------
16 Information Security Incident Management        | Cyber Security Incidents

4. Document Review, Approval and History


This section details the initial review, approval and ongoing revision history of the standard. Post initial
review the standard will be presented to the ISSG recommending the formal UNSW policy consultation and
approval process commence.

A review of this standard will be managed by the Chief Digital Officer on an annual basis.

4.1 Quality Assurance


This document was designed and created by external and internal consultants in consultation with internal key
technical subject matter experts, business and academic stakeholders.

4.2 Sign Off


Endorsement: Date
ISSG - Information Security Steering Group: 30 July 2015
ITC - Information Technology Committee: 27 August 2015
CDO – Chief Digital Officer: 7 June 2016

Accountabilities

Responsible Officer: Chief Digital Officer

Contact Officer: ITpolicy@unsw.edu.au

Supporting Information
Parent Document (Policy): IT Security Policy
Supporting Documents: Nil
Related Documents:
  Data Classification Standard
  Data Handling Guidelines
  ISMS Base Document
  ITSS_04 Vulnerability Management Standard
  ITSS_15 Network Security Standard
  ITSS_16 IT Recovery Standard
  ITSS_17 Information Security Risk & Compliance Management Standard
  ITSS_18 Human Resources Security Standard
Superseded Documents: Nil
UNSW Statute and / or Regulation: Nil
Relevant State / Federal Legislation: Nil
File Number: 2016/16925 [ITSS_03]
Definitions and Acronyms: No terms have been defined

Revision History
Version: 1.0
Approved by: Vice-President, Finance and Operations
Approval date: 7 June 2016
Effective date: 7 June 2016
Sections modified: This is a new document
