NIST SP 800-14, Section 3.7, Computer Security Incident Handling

SSE-CMM, Security Base Practice PA08, Monitor Security Posture

• Jack Garnish
  ISSO, Social Security Administration
  6401 Security Blvd
  Baltimore, MD 21235
  Telephone: 410-965-2765
  Fax: 410-966-0527
  E-mail: jack.garnish@ssa.gov
  Staff contact: Laurie Peiser (laurie.peiser@ssa.gov), 410-965-0278

• Presidential Decision Directive 63 - "Critical Infrastructure Protection" "take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems and … have a system for responding to a significant infrastructure attack, while it is underway, with the goal of isolating and minimizing damage."

• POMB Circular No. A-130,"Management of Federal Information Resources", Appendix III, "Security of Federal Automated Information Systems" A. 3. a. 2) d) Incident Response Capability. Ensure that there is a capability to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. This capability shall share information with other organizations, consistent with NIST coordination, and should assist the agency in pursuing appropriate legal action, consistent with Department of Justice guidance.

• Memorandum M-0108, Guidance On Implementing the Government Information Security Reform Act "As found in existing policy, all agency programs will include procedures for detecting, reporting, and responding to security incidents, including notifying and consulting with law enforcement officials, other offices and authorities, and the General Services Administration's Federal Computer Incident Response Capability (FedCIRC). The intent of the incident handling provision is to ensure that each agency has both the technical and procedural means in place to detect and appropriately report security incidents and share information on common vulnerabilities. Policies and procedures should be documented and remove unnecessary internal obstacles to the timely reporting to the appropriate authorities within the agency (for example, security officials and Inspectors General) and with external organizations (for example, FedCIRC, law enforcement e.g., the National Infrastructure Protection Center, and national security)."

Inputs

• Materials related to our policies, employee awareness activities, and procedures for reporting an incident are included with this BSP. These documents are:
• SSA Information Systems Security Handbook (SSH) chapter 16, Security Incident Identification, Reporting and Resolution. This chapter includes both policy and procedures.
• FEDCIRC Incident Reporting Criteria and Rationale. This document details the type of information that should be reported and the rationale behind such reporting.
• SSA security awareness materials related to incident response. These materials are distributed as Systems Security Bulletins desk to desk to all SSA employees. The bulletins included here are:
• Announcing the SSA Security Response Team (SSASRT)
• Systems Security - Tips and Best Practices II


• Security Reminder - Social Engineering

• We believe that our incident response procedures can be readily adapted for use by other Federal Agencies. The main issue is scaling the process to meet the needs of your Agency, not that the type of process would need to change. Since we cannot post sensitive Agency information with the BSP, SSA is willing to provide the following assistance to other Federal Agencies working on establishing an incident response process:
• We will provide access to our procedures in a way that ensures that we can maintain the confidentiality of those procedures
• We will provide access to both policy and technical staff to help you to adapt these procedures to meet the needs of your Agency
• We will provide continuing access to staff during your implementation to help you to get your team operational as quickly and smoothly as possible, as long as providing this support does not interfere with the duties of those staff members.
Federal Agencies that would like the above assistance should have their Information Systems Security Officer (ISSO) e-mail us at ssasso@ssa.gov. Please use a subject line of INCIDENT RESPONSE ASSISTANCE and provide your name, agency, business address, and telephone number in your message. ONLY REQUESTS FROM FEDERAL AGENCY ISSOS WILL BE ACCEPTED. We will try to respond to your message within 5 business days.

• Implementation guidance will be provided using the process outlined in Section 3.1, above.