Create an Incident Response Policy

Learning Objectives and Outcomes

·        Create an incident response policy for a health care organization.

·        Explore policy creation for incident response for a health care organization.

Scenario

You work for a large, private health care organization that has server, mainframe, and RSA user access. Sean, your manager, has been asked to provide the latest version of the organization's incident response policy. To his knowledge, no policy exists. He has asked you to research and create an incident response policy over the weekend.

Assignment Requirements

Look for at least two (2) incident response policies from other organizations of a similar type to your organization. In addition, download NIST "Computer Security Incident Handling Guide, rev 2" SP800-61 located at http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf. 

·        Based on your research, create a detailed draft incident response policy for your organization.

·        Consider HIPAA and other health care-related compliance requirements.

·        Create a summary report that justifies the content you included in the draft policy.

·        Reference your research so that Sean may add or refine this report before submission to senior management.

·        Describe clear compliance requirements from HIPAA and two (2) other related compliance sources. Sources are used to justify compliance requirements in policy.

·        Include and cite at least three (3) examples of similar incident response policies from other health care organizations. Also cite use of NIST SP 800-61 as well.


Answer Preview

1. Purpose - The purpose of this notice is to implement the Incident Response policy at ABC Healthcare and establish security policy.

2. Scope - The facilities of this policy connect to all ABC healthcare employees, contractors, and others who exercise, store, transmit, or have access to any ABC healthcare information. This policy applies to all ABC healthcare information system resources, at all levels of sensitivity, whether owned and operated by ABC healthcare or operated on behalf of ABC healthcare. Nullity in this policy shall be construed to restrain the independence of the Office of the Inspector General in the performance of its duties as prescribed by the Inspector General Act of 1978, as amended.

3. Authority - This policy is issued pursuant to US-CERT Federal Incident Reporting Guidelines, NIST Special Publication 800-61, and OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information.

4. Definitions -

Information Systems. Any telecommunications and computer-related equipment or interconnected system or subsystems of equipment used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data (digital or analog); includes software, firmware, and hardware.

Computer Information Security Incident. A circumstance in which there is a deviation from the requirements of the governing security regulations. Compromise, inadvertent disclosure, need-to-know violation, and administrative deviation are examples of security incidents, including any unauthorized activity that threatens the confidentiality, integrity or availability of ABC healthcare information system resources.

Breach. The forgetting of control, compromise, unofficial disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

Personally identifiable information (PII). Any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. For example, PII could be an individual's Social Security number, address in coexistence with one or more of the following: date of birth, Social Security number, driver's license number or state identification; foreign country equivalent to Social Security number, tax identification number or equivalent; financial account number; and credit or debit card number.

Agency Response Team (ART). At a minimum, an ad hoc ART assembled to address a breach incident consists of the Program Manager of the program experiencing the breach, the Chief Information Officer, the Senior Agency Security Officer, the Senior Agency Official for Privacy, the Privacy Act Officer, and the General Counsel.

5. Policy for Computer Security Incidents.

a. Initial Reporting.

i. Internal. All computer security incidents, including doubtful events, shall be reported immediately to the IT Security Officer and/or IT Director, by the employee who has witnessed/identified a breach or by the relevant Program Manager, followed by submission of Form ABC healthcare 93, Initial Security Incident Report.

ii. External. All computer security incidents, specifically PII, shall be reported to US-CERT, whether potential or confirmed breach, within one hour of detection.

b. Escalation - The IT Security Officer and IT Director should be notified immediately when a doubtful event or security incident is reported. The IT Security Officer shall determine if a security incident is indeed underway. If more knowledge is required to determine if the circumstances represent a security incident, the IT Security Officer contacts the person who supplied the initial report for additional details.

c. Containment and Mitigation - Any network, system, or security administrator who observes an intruder on an ABC healthcare network or system shall take action to terminate the intruder's access directly. Alert systems, such as those infected with malicious code or systems accessed by an intruder, shall be isolated from the network until the extent of the damage can be assessed. System and security administrators shall rapidly eliminate the method of access used by the intruder and any related vulnerabilities. Every effort shall be made to save log files and system files that could be used as evidence of a security incident. This includes re-creating the affected environment; thoroughly documenting all activities performed on the affected platform or environment to contain, mitigate, and restore the environment; storing any potential evidence, such as drives, diskettes, or tapes, in a locked container; and documenting and controlling the movement and handling of potential evidence in order to maintain a chain of custody. The IT Security Officer or his/her designee serves as the focal point for collection of evidence.

e. Eradication and Restoration - The extent of harm must be determined. If the damage is serious and the integrity of the data is questionable, a system shutdown and reloading of operating systems or data may be required. Management information is required if mission-critical systems must be taken offline for a lengthened period of time to perform the restoration.
