Incident response


The controls and activities in the Incident response (IR) family support the establishment of an operational incident handling capability for organizational systems that includes adequate preparation, monitoring, detection, analysis, containment, recovery, and response. Incidents are monitored, documented, and reported to appropriate organizational officials and authorities.

IR-01 Incident response policy and procedures

Activity

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
    1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] incident response policy that
      1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      2. is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
    2. procedures to facilitate the implementation of the incident response policy and the associated incident response controls
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures
  3. Review and update the current incident response
    1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
    2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. Incident response must include privacy-specific measures when personal information is involved. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures.

In general, security and privacy program policies and procedures at the organization level are preferable and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. It is recommended that an organization’s incident response policy and procedures incorporate heightened levels of readiness during emergency and heightened cyber threat situations.

GC discussion

GC departments’ and agencies’ incident response policy and procedures shall incorporate heightened levels of readiness during emergency and heightened cyber threat situations in accordance with the TBS Directive on Security Management, Appendix G: Mandatory Procedures for Security Event Management Control and Appendix B: Mandatory Procedures for Information Technology Security Control.

Related controls and activities

PM-09, PS-08, SI-02, SI-12.

Enhancements

None.

References


IR-02 Incident response training

Control

  1. Provide incident response training to system users consistent with assigned roles and responsibilities
    1. within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access
    2. when required by system changes
    3. [Assignment: organization-defined frequency] thereafter
  2. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration.

Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-02 or AT-03. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines.

GC discussion

Executives should engage their institution's Access to Information and Privacy (ATIP) Office or Chief Privacy Officer (CPO) to determine what training opportunities related to assessing and mitigating privacy breaches may be provided to suit their particular needs or to identify what services may be offered to support their program area.

Related controls and activities

AT-02, AT-03, AT-04, CP-03, IR-03, IR-04, IR-08, IR-09.

Enhancements

  • (01) Incident response training: Simulated events
    • Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
    • Discussion: Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations.
    • Related controls and activities: None.
  • (02) Incident response training: Automated training environments
    • Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.
    • Related controls and activities: None.
  • (03) Incident response training: Privacy breach
    • Provide incident response training on how to identify and respond to a privacy breach, including the organization’s process for reporting a privacy breach.
    • Discussion: The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See IR-02(01).
    • GC discussion: For federal departments and agencies, an incident that involves personal information is considered a privacy breach. A privacy breach results in the loss of control, compromise, unauthorized disclosure, unpermitted use, unlawful collection, improper retention or disposal, or a similar occurrence where a person other than an authorized user accesses or potentially accesses such information, or where an authorized user accesses or potentially accesses such information for other than authorized purposes.
      The incident response training includes the organization’s process for reporting a privacy breach to the OPC or TBS.
    • Related controls and activities: None.

References


IR-03 Incident response testing

Control

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

Discussion

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

Related controls and activities

CP-03, CP-04, IR-02, IR-04, IR-08, PM-14.

Enhancements

  • (01) Incident response testing: Automated testing
    • Test the incident response capability using [Assignment: organization-defined automated mechanisms].
    • Discussion: Organizations use automated mechanisms to test incident response capabilities more thoroughly and effectively. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability.
    • Related controls and activities: None.
  • (02) Incident response testing: Coordination with related plans
    • Coordinate incident response testing with organizational elements responsible for related plans.
    • Discussion: Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans.
    • Related controls and activities: None.
  • (03) Incident response testing: Continuous improvement
    • Use qualitative and quantitative data from testing to:
      1. determine the effectiveness of incident response processes
      2. continuously improve incident response processes
      3. provide incident response measures and metrics that are accurate, consistent, and in a reproducible format
      4. identify trends to facilitate the identification of underlying patterns with respect to information-handling practices to prevent further breaches
    • Discussion: To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents.
    • Related controls and activities: None.

References


IR-04 Incident handling

Control

  1. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery
  2. Coordinate incident handling activities with contingency planning activities
  3. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly
  4. Ensure the rigour, intensity, scope, and results of incident handling activities are comparable and predictable across the organization

Discussion

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations should consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; complaints from the public or oversight bodies; and reported supply chain events.

An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, or procurement offices).

Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components.

GC discussion

For federal departments and agencies, an incident that involves personal information is considered a privacy breach. A privacy breach results in the loss of control, compromise, unauthorized disclosure, unpermitted use, unlawful collection, improper retention or disposal, or a similar occurrence where a person other than an authorized user accesses or potentially accesses such information, or where an authorized user accesses or potentially accesses such information for other than authorized purposes.

If the incident involves the breach of personal information, the response steps include preliminary assessment and containment; full assessment; notification of affected individuals; mitigation and prevention; notification to the OPC or TBS; and lessons learned.

Breaches of personal information can be considered material breaches if they involve sensitive personal information, could reasonably be expected to cause serious injury or harm to the individual, or involve a large number of affected individuals. Notification procedures may be different for material breaches.

Related controls and activities

AC-19, AU-06, AU-07, CM-06, CP-02, CP-03, CP-04, IR-02, IR-03, IR-05, IR-06, IR-08, PE-06, PL-02, PM-12, SA-08, SA-15, SC-05, SC-07, SI-02, SI-03, SI-04, SI-07.

Enhancements

  • (01) Incident handling: Automated incident handling processes
    • Support the incident handling process using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.
    • Related controls and activities: None.
  • (02) Incident handling: Dynamic reconfiguration
    • Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].
    • Discussion: Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations should include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.
    • Related controls and activities: AC-02, AC-04, CM-02.
  • (03) Incident handling: Continuity of operations
    • Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
    • Discussion: Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall-back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack.
      Organizations should consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of IR-04(05).
    • Related controls and activities: None.
  • (04) Incident handling: Information correlation
    • Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
    • Discussion: Sometimes, a threat event, such as a hostile cyber attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.
    • Related controls and activities: None.
  • (05) Incident handling: Automatic disabling of system
    • Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
    • Discussion: Organizations should consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of CP-02 or IR-04(03). Security violations include cyber attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals. Automatic disabling of a system may be used as a technique to contain the privacy breach, in the event that the incident involves the compromise of personal information held within a system.
    • Related controls and activities: None.
  • (06) Incident handling: Insider threats
    • Implement an incident handling capability for incidents involving insider threats.
    • Discussion: Explicit focus on handling incidents involving insider threats highlights the seriousness of this type of threat and the need for specific incident handling capabilities to respond appropriately and in a timely manner.
    • Related controls and activities: None.
  • (07) Incident handling: Insider threats — intra-organization coordination
    • Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities].
    • Discussion: Incident handling (e.g., preparation, detection and analysis, containment, eradication, and recovery) for insider threat incidents requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), appropriate privacy senior official or executive, and legal counsel. In addition, organizations may require external support from federal, provincial, territorial, municipal, and First Nations law enforcement agencies. There are specific requirements related to the disclosure of personal information to law enforcement; for details, contact the organization’s privacy delegate.
    • Related controls and activities: None.
  • (08) Incident handling: Correlation with external organizations
    • Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organizational perspective on incident awareness and more effective incident responses.
    • Discussion: The coordination of incident information with external organizations — including mission or business partners, military or coalition partners, customers, and developers — can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage information from a variety of sources to effectively respond to incidents and privacy breaches that could potentially affect the organization’s operations, assets, and individuals. Care should be taken when collaboration requires the disclosure of personal information. Contact the organization’s privacy delegate for details.
    • Related controls and activities: AU-16, PM-16.
  • (09) Incident handling: Dynamic response capability
    • Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.
    • Discussion: The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level.
    • Related controls and activities: None.
  • (10) Incident handling: Supply chain coordination
    • Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
    • Discussion: Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or privacy breaches that involve primary or sub-tier providers, IT products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations should include in their supply chain information exchange agreements processes for protecting and sharing incident information, and should consider their obligations for reporting incidents to government oversight bodies.
    • GC discussion: Federal departments and agencies should include in their supply chain information exchange agreements processes for protecting and sharing incident information, and should consider their obligations for reporting incidents to government oversight bodies (e.g., TBS, OPC).
    • Related controls and activities: CA-03, MA-02, SA-09, SR-08.
  • (11) Incident handling: Integrated incident response team
    • Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].
    • Discussion: An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security architects or engineers and privacy practitioners, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.
      An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures.
      For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development.
      Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient.
    • Related controls and activities: AT-03.
  • (12) Incident handling: Malicious code and forensic analysis
    • Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
    • Discussion: When conducted carefully in an isolated environment, analyzing malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents.
    • Related controls and activities: None.
  • (13) Incident handling: Behaviour analysis
    • Analyze anomalous or suspected adversarial behaviour in or related to [Assignment: organization-defined environments or resources].
    • Discussion: If the organization maintains a deception environment, an analysis of behaviours in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behaviour (e.g., changes in system performance or usage patterns) or suspected behaviour (e.g., changes in searches for the location of specific resources) can give the organization such insight. At times, an analysis of behavioural information may reveal information about an identifiable individual, and lawful authority and safeguards related to personal information should be considered.
    • Related controls and activities: None.
  • (14) Incident handling: Security operations centre
    • Establish and maintain a security operations centre.
    • Discussion: A security operations centre (SOC) is the focal point for security operations and computer network defence for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cyber security incidents in a timely manner.
      The organization staffs the SOC with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defences, network devices (e.g., routers, switches), and endpoint agent data feeds.
      The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability.
      In the event that a security incident involves the compromise of personal information, SOC personnel should engage organizational privacy professionals. For organizations with significant holdings of personal information, consideration should be given to having regular privacy expertise represented in their SOC as part of their skilled technical and operational personnel.
    • Related controls and activities: None.
  • (15) Incident handling: Public relations, reputation repair, and notification
      1. Manage public relations associated with an incident
      2. Employ measures to repair the reputation of the organization
      3. If applicable, notify individuals whose personal information has been compromised
    • Discussion: It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public, have cast the organization in a negative light, have affected the organization’s constituents (e.g., partners, customers), or have affected individuals whose personal information has been compromised. Such publicity can be extremely harmful to the organization and affect its ability to carry out its mission and business functions. Taking proactive steps to repair the organization’s reputation is an essential aspect of re-establishing the trust and confidence of its constituents. Notifying these individuals enables them to take protective measures to prevent further harm from the compromised information.
    • Related controls and activities: None.

References


IR-05 Incident monitoring

Control

Track and document incidents.

Discussion

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-04 provides information on the types of incidents that are appropriate for monitoring.

Related controls and activities

AU-06, AU-07, IR-04, IR-06, IR-08, PE-06, PM-05, SC-05, SC-07, SI-03, SI-04, SI-07.

Enhancements

  • (01) Incident monitoring: Automated tracking, data collection, and analysis
    • Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms for tracking incidents and collecting and analyzing incident information include computer incident response centres or other electronic databases of incidents and network monitoring devices. If the data collection requires the collection or creation of personal information, the organization should ensure it has the lawful authority for the collection and should limit the personal information to only the information required to effectively monitor.
    • Related controls and activities: None.

References


IR-06 Incident reporting

Control

  1. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]
  2. Report incident information to [Assignment: organization-defined authorities]

Discussion

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products. The sharing or disclosure of personal information should be limited unless it is required for effective reporting.

Related controls and activities

CM-06, CP-02, IR-04, IR-05, IR-08, IR-09, SI-02.

Enhancements

  • (01) Incident reporting: Automated reporting
    • Report incidents using [Assignment: organization-defined automated mechanisms].
    • Discussion: The recipients of incident reports are specified in IR-06B. Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.
    • Related controls and activities: IR-07.
  • (02) Incident reporting: Vulnerabilities related to incidents
    • Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
    • Discussion: Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior officials in the department’s security governance, appropriate privacy senior officials or executives, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability.
    • Related controls and activities: None.
  • (03) Incident reporting: Supply chain coordination
    • Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
    • Discussion: Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include Public Services and Procurement Canada (PSPC). Supply chain incidents include compromises or breaches that involve IT products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations should determine the appropriate information to share and should consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident.
    • Related controls and activities: SR-08.

References


IR-07 Incident response assistance

Control

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.

Discussion

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

Related controls and activities

AT-02, AT-03, IR-04, IR-06, IR-08, PM-22, PM-26, SA-09, SI-18.

Enhancements

  • (01) Incident response assistance: Automation support for availability of information and support
    • Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].
    • Discussion: Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.
    • Related controls and activities: None.
  • (02) Incident response assistance: Coordination with external providers
      1. Establish a direct, cooperative relationship between the organization’s incident response capability and external providers of a system protection capability
      2. Identify organizational incident response team members to the external providers
    • Discussion: External providers of a system protection capability include tools and services provided by the Cyber Centre. External providers may help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs.
    • GC discussion: It is recommended to have information sharing agreements, information sharing arrangements, or contracting documents in place with external providers to clarify the roles and responsibilities of each party before an incident occurs.
    • Related controls and activities: None.

References


IR-08 Incident response plan

Activity

  1. Develop an incident response plan that
    1. provides the organization with a roadmap for implementing its incident response capability
    2. describes the structure and organization of the incident response capability
    3. provides a high-level approach for how the incident response capability fits into the overall organization
    4. meets the unique requirements of the organization which relate to mission, size, structure, and functions
    5. defines reportable incidents
    6. provides metrics for measuring the incident response capability within the organization
    7. defines the resources and management support needed to effectively maintain and mature an incident response capability
    8. addresses the sharing of incident information
    9. is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]
    10. explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]
  2. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]
  3. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing
  4. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]
  5. Protect the incident response plan from unauthorized disclosure and modification

Discussion

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personal information (i.e., privacy breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

Related controls and activities

AC-02, CP-02, CP-04, IR-04, IR-07, IR-09, PE-06, PL-02, SA-15, SI-02, SI-12, SR-08.

Enhancements

  • (01) Incident response plan: Privacy breaches
    • For privacy breaches involving personal information, include the following in the incident response plan:
      1. a process to determine if notice to individuals or other organizations, including oversight organizations, is needed
      2. an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms
      3. identification of applicable privacy requirements
    • Discussion: Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, which include: notifying individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements. Organizations subject to PIPEDA are required to report to the OPC any breach involving personal information that poses a real risk of significant harm. They also need to notify the affected individuals about the breaches and to keep records of the breaches.
    • GC discussion: In the event of a privacy breach under the Privacy Act, GC departments and agencies are responsible for meeting the requirements set out in Appendix B: Mandatory Procedures for Privacy Breaches of the TBS Directive on Privacy Practices. GC departments and agencies need to notify the individuals about the breaches and to keep records of the breaches.
    • Related controls and activities: PT-01, PT-02, PT-03, PT-04, PT-05, PT-07.

References


IR-09 Information spillage response

Control

Respond to information spills by:

  1. assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills
  2. identifying the specific information involved in the system contamination
  3. alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill
  4. isolating the contaminated system or system component
  5. eradicating the information from the contaminated system or component
  6. identifying other systems or system components that may have been subsequently contaminated
  7. performing the following additional actions: [Assignment: organization-defined actions]

Discussion

Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required.

The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system.

The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill so as to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. In the event that information spillage involves personal information, officials should review the situation to assess whether a privacy breach has occurred, and the organization’s privacy breach protocol should be followed, as specified in IR-08.

Related controls and activities

CP-02, IR-06, IR-08, PM-26, PM-27, PT-02, PT-03, PT-07, RA-07.

Enhancements

  • (01) Information spillage response: Responsible personnel
    • Withdrawn: Incorporated into IR-09.
  • (02) Information spillage response: Training
    • Provide information spillage response training [Assignment: organization-defined frequency].
    • Discussion: Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur.
    • Related controls and activities: AT-02, AT-03, CP-03, IR-02.
  • (03) Information spillage response: Post-spill operations
    • Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].
    • Discussion: Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may affect their ability to conduct organizational business.
    • Related controls and activities: None.
  • (04) Information spillage response: Exposure to unauthorized personnel
    • Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].
    • Discussion: Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, Orders in Council, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.
    • Related controls and activities: None.

References


IR-10 Integrated information security analysis team

Withdrawn: Moved to IR-04(11).
