In the previous blog on security awareness training, we broadly discussed the requirements that agencies need to follow and the awareness training that must be given to everyone who has access to Criminal Justice Information (CJI). In this blog, we look at how an agency is expected to respond to the various incidents that may occur. In view of the increase in malicious attacks on agency and government IT infrastructure, agencies are required to protect their information systems by establishing an operational incident handling capability that includes adequate preparation, detection, analysis, containment, recovery and user response activities. Agencies must also have a mechanism in place to track, document and report all incidents to the appropriate authorities or agency officials.
Reporting Information Security Events
It is of primary importance that the agency promptly reports all information pertaining to incidents to the competent authorities. Weaknesses and information security related issues need to be shared with those authorities so that preventive and corrective action can be taken. Furthermore, wherever feasible, the agency should provide automated mechanisms to assist in reporting security incidents. Additionally, all employees, contractors and third-party users need to be made aware of the procedures to follow in case of an incident, and should understand the significance of such an event and the impact it may have on the overall information system. They should report any such event as quickly as possible to the concerned authorities.
Reporting Structure and Responsibilities
Responsibilities of FBI CJIS Division
The responsibilities of the FBI CJIS Division include:
- Tracking all reported incidents and trends
- Monitoring the resolution of all reported incidents
- Acting as the central clearinghouse for all security alerts, intrusion incidents and other security-related material
- Managing and maintaining the Computer Security Incident Response Capability (CSIRC) of the CJIS Division information system
- Disseminating useful and timely bulletins on operating system vulnerabilities and system threats through the security resource center on FBI.gov
- Ensuring that additional resources are allotted to a system that reports an incident
Responsibilities of CSA ISO
The responsibilities of a CJIS Systems Agency Information Security Officer (CSA ISO) include:
- Identifying the individuals who are responsible for reporting incidents that occur within their area of responsibility
- Assigning an individual in each state, federal and international law enforcement organization to serve as the primary point of contact for interfacing with the FBI CJIS Division on incident handling and response
- Collecting incident information from individuals and agencies for the purpose of coordinating and sharing it with other organizations, whether or not they are affected
- Developing, implementing and maintaining incident response procedures, and coordinating those procedures with other organizations, whether or not they are affected
- Acting as the single point of contact for their jurisdictional area for requests for incident response assistance
- Collecting and sharing all incident-related information received from the FBI CJIS Division, the Department of Justice (DoJ) and other entities with the organizations under their jurisdiction
Beyond these reporting functions, an effective, consistent approach must be applied to managing information security incidents.
Management of Information Security Incidents
As discussed earlier, the agency should have in place a robust mechanism to prepare for, track and report incidents as soon as they occur. As much incident-related information as possible needs to be gathered to help the concerned authorities understand the incident and resolve it quickly.
Collection of Evidence
Whenever follow-up legal action (criminal or civil) against an agency or an individual is necessary, sufficient evidence must be collected, retained and presented in conformity with the rules of evidence laid down in the relevant jurisdiction(s).
The agency should also include incident response and incident handling in its general security awareness training.
The agency should track, monitor and document incidents occurring on its information systems as and when they happen. CSA ISOs should retain completed information security incident reporting forms until legal action (if warranted) is concluded or the next FBI triennial audit occurs, whichever is longer.
In the next blog, we will understand the next policy area – Auditing and Accountability.
DoubleHorn is a leading Cloud Solutions Provider founded in January 2005 and based in Austin, Texas. Our offerings combine products from the leading Cloud providers and are carefully designed to meet the emerging technology requirements of Government agencies and Enterprises. As a Cloud Services Broker, we advise in selecting the right solution, implement, maintain and offer a single source for billing and support of multiple Cloud products. If you are new to the cloud and not sure how to get started, contact us for a complimentary initial assessment at firstname.lastname@example.org or (855) 618-6423.