Transcription of Cybersecurity Incident Response Plan
1 Configuration Management Plan Version 5/26/2011 Pa 1 Cybersecurity Incident Response Plan Department of Housing and Urban Development July 2020 Cybersecurity Incident Response Plan HUD Cybersecurity Incident Response Plan Version July 2020 2 Solution Information Information Solution Name Cybersecurity Incident Response Plan Solution Acronym IR Plan Project Cost Accounting System (PCAS) Identifier <PCAS Identifier> Document Owner SOC / CIRT Primary Segment Sponsor Office of Information Technology Services Version/Release Number Document History Release No.
2 Date Author Revision Description 14-May-2020 OITS Plan establishment 20-May-2020 OITS Updated Contact List 15-Jul-2020 OITS Updated IR Flowcharts Tools/Technology Appendix IOO updates Cybersecurity Incident Response Plan HUD Cybersecurity Incident Response Plan Version July 2020 3 Table of Contents Solution Information .. 2 Document History .. 2 1. Purpose and Scope .. 4 2. Organization and Structure .. 4 Roles and Responsibilities .. 5 Coordination and Information Sharing.
3 5 3. Incident Taxonomy and Data Flow .. 7 Incident Definition .. 7 Incident Data Flow .. 7 Incident Data Elements to Record .. 7 Sensitive Data ..13 4. Incident Response Framework ..14 Prepare ..16 Detect ..18 Analyze ..19 Respond ..21 Recover ..23 Review ..24 5. Incident Reporting Requirements and Metrics Maintenance ..26 CISA ..27 Congress ..28 6. Plan Testing and Maintenance ..28 Appendix A. Security Operations Roles and Responsibilities ..30 Appendix B. Contact List ..35 Appendix C. Incident Response Framework Data Elements ..36 Appendix D. Log Artifact Checklist.
4 39 Appendix E. SOC Tools & Technologies Listing ..41 Appendix F. Post- Incident Analysis Report Template ..43 Appendix G. Lessons Learned Template ..45 Appendix H. Authorities and References ..46 Appendix I. Glossary / Appendix J. Acronyms ..50 Cybersecurity Incident Response Plan HUD Cybersecurity Incident Response Plan Version July 2020 4 1. Purpose and Scope This Cybersecurity Incident Response (IR) Plan supports and complements the Department of Housing and Urban Development (HUD / Department) Information Technology (IT) Security Policy Handbook Revision and HUD Security Operations Center Concept of Operations.
5 This IR Plan complies with Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Modernization Act (FISMA) of 2014. It defines processes, communications, roles, and responsibilities for effectively managing Cybersecurity incidents and provides guidance on the proper handling and reporting of those incidents. The HUD Chief Information Security Officer (CISO) is responsible for Cybersecurity Incident management (IM), planning, Response , and plan evaluation. A computer Incident within the Federal Government as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
6 The purpose of this IR Plan is to enable the HUD Security Operation Center (SOC) to prepare, detect, analyze, respond, recover, and review Cybersecurity incidents on HUD information systems. This IR Plan is applicable to HUD employees, contractors, and information systems except for the HUD Office of the inspector General (OIG). This IR plan is intended to be a living document. It will be amended annually to improve and refine IR processes so that the SOC can continue to effectively respond to Cybersecurity incidents and proactively adapt to an evolving threat landscape. 2. Organization and Structure The SOC aligns under the Office of Information Technology Services (OITS), Office of the Chief Information Officer (CIO).
7 The SOC is comprised of four cross-functional capabilities: Incident Management (IM), Threat Management (TM), Threat Intelligence (TI), and Attack Surface Reduction (ASR), and is supported by a Security Engineering function that oversees the SOC s underlying technical architecture. IM governs IR activities through the Cyber Incident Response Team (CIRT). The CIRT analyzes, validates, and responds to suspected Cybersecurity incidents, and disseminates Incident information to key HUD stakeholders. The orchestration and collaboration of the SOC IM, TM, TI, and ASR functions work hand in hand to rapidly detect, analyze, respond, and recover from Cybersecurity incidents.
8 See Figure 1 for an organizational view of the HUD SOC. Cybersecurity Incident Response Plan HUD Cybersecurity Incident Response Plan Version July 2020 5 Figure 1: HUD SOC Structure Roles and Responsibilities The implementation and effectiveness of the IR Plan ties into stakeholder adherence to assigned roles and responsibilities. Appendix A details the full listing of roles and responsibilities of all stakeholders involved in the implementation of the SOC IR Plan: Secretary of HUD Chief Privacy Officer (CPO) CIO and Principal Deputy CIO CISO Office of General Counsel (OGC) OITS Office of Privacy Infrastructure and Operation Center (IOO) OIG Senior Agency Official for Privacy (SAOP) SOC Director Incident Commander IM Lead IM Team TM Team TI Team ASR Team CIRT HUD Breach Notification Response Team (HBNRT) Supervisors System Administrators Information System Security Officers (ISSO)
9 Service Providers Help Desk Users Coordination and Information Sharing HUD IM through HUD CIRT shares information and coordinates IR and recovery activities. HUD CIRT receives Cybersecurity Incident reports from HUD s IT system owners and providers, network users, and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). HUD CIRT communicates and coordinates with HUD s IT Cybersecurity Incident Response Plan HUD Cybersecurity Incident Response Plan Version July 2020 6 system owners who directly maintain and operate HUD infrastructure for the collection of logs and other data required for Incident analysis.
10 End user interviews should be conducted by HUD CIRT when necessary after incidents have been reported. Further communication occurs with HUD s IT system owners once containment and eradication actions are necessary. HUD CIRT will provide guidance to the system owner(s) on how to contain, eradicate, and recover from the Incident . Figure 2 illustrates the communications flow from event detection to Incident recovery. It also depicts major stakeholders who will be notified of a HUD Cybersecurity Incident depending on Incident impact and severity. More detailed IM workflows can be found in Section 4 of this document.