Security Incident Procedure
C4F will manage any security incidents. This procedure details the actions and roles required when a security incident occurs and is provided as guidance to staff. All security incidents are recorded. Security incidents are issues that potentially impact the confidentiality, integrity or availability of the centre's systems or services.
Procedure
Security incidents will be reported to [insert who will be responsible, e.g. Manager or Co-ordinators]. On receipt of the security incident report, [insert who will be responsible, e.g. Manager or Co-ordinators] will take the following actions:
• Receive notification that an incident has occurred from a member of staff, volunteer or service user, e.g. a stolen laptop or a complaint.
• Confirm the type of incident and gather any additional information required by the ICO.
• Log the incident, including a brief description, the time and date of the incident and who notified it, and assign a priority of High, Medium or Low.
• Investigate the incident.
• Diagnose the incident and identify any actions required to resolve it (see Incident Types and Responses). Where necessary, escalate to the ICO as soon as possible and within 72 hours. Notify any affected individuals.
• Incident resolved: update the incident record with details of the actions taken and the results of any investigation into the cause, whether this was human error or a systemic issue.
• Record any details of how recurrence can be prevented, whether through better processes, further training or other corrective steps.
• Close the incident.
Responses
The standard responses are:
Personal Data Leakage Response
If the incident results in the loss of personal data as defined in the DPA (2018) / GDPR then it must be reported to the ICO.
Examples of personal data breaches include:
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.
Under the GDPR, organisations are required to report a personal data breach that affects people’s rights and freedoms without undue delay and, where feasible, not later than 72 hours after having become aware of it. Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and for failing to notify in time.
Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.
Serious breaches should be reported to the ICO using the ICO's DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and give you advice about what to do next.
Further information can be found at:
https://ico.org.uk/media/for-organisations/documents/1536/breach_reporting.pdf
Criminal Attack Response
If the incident is a potential attack, it will be reviewed and, if an attack is confirmed, it should be reported as such to the customer, who will report it to the relevant law enforcement body. C4F will zip and sign the relevant evidence collected earlier from logs etc. This evidence will be made available to the customer as required, subject to confidentiality undertakings (it will contain non-customer-specific sensitive information). The complete pack will be preserved for subsequent law enforcement action.
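The "zip and sign" step above, as an added illustration that is not part of the original procedure or C4F's own tooling: collected log excerpts are zipped with a per-file SHA-256 manifest inside the archive, and the whole archive is then sealed so that any later modification is detectable before the pack is handed to the customer or law enforcement. Assumptions: the HMAC-SHA256 tag stands in for a real detached signature (a GPG or Ed25519 signature with a key held by C4F would be used in practice), the sample log lines are constructed, and file names and the key are illustrative only.

```python
"""Evidence pack sealing: zip the collected files with a hash manifest, seal the
archive with a keyed tag, and verify the pack later (stand-in for a signature)."""
import hashlib
import hmac
import json
import tempfile
import zipfile
from pathlib import Path

# Constructed sample evidence (not real C4F logs); 203.0.113.0/24 is a documentation range.
SAMPLE_EVIDENCE = {
    "access.log": (
        '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200\n'
        '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403\n'
    ),
    "auth.log": "Jan  1 10:00:03 web1 sshd[412]: Failed password for root from 203.0.113.7\n",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_evidence_pack(evidence_dir: Path, pack_path: Path, sealing_key: bytes) -> dict:
    """Zip every file under evidence_dir plus a manifest.json of per-file hashes,
    write <pack>.seal.json beside the archive, and return the seal record."""
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    manifest = {p.relative_to(evidence_dir).as_posix(): sha256_bytes(p.read_bytes()) for p in files}
    with zipfile.ZipFile(pack_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            zf.write(p, arcname=p.relative_to(evidence_dir).as_posix())
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    archive = pack_path.read_bytes()
    seal = {
        "archive": pack_path.name,
        "manifest": manifest,
        "sha256": sha256_bytes(archive),
        # Keyed tag over the archive bytes; assumption: stands in for a detached signature.
        "hmac_sha256": hmac.new(sealing_key, archive, "sha256").hexdigest(),
    }
    pack_path.with_suffix(".seal.json").write_text(json.dumps(seal, indent=2))
    return seal


def verify_evidence_pack(pack_path: Path, sealing_key: bytes) -> bool:
    """Check the seal tag over the archive first, then every file against the manifest."""
    seal = json.loads(pack_path.with_suffix(".seal.json").read_text())
    archive = pack_path.read_bytes()
    expected = hmac.new(sealing_key, archive, "sha256").hexdigest()
    if not hmac.compare_digest(expected, seal["hmac_sha256"]):
        return False  # archive bytes differ from what was sealed
    with zipfile.ZipFile(pack_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return all(sha256_bytes(zf.read(name)) == digest for name, digest in manifest.items())


def demo() -> dict:
    """Seal a pack from the constructed sample, verify it, then flip one byte of
    the archive and confirm that verification now fails."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmpdir:
        workdir = Path(tmpdir)
        src = workdir / "evidence"
        src.mkdir()
        for name, text in SAMPLE_EVIDENCE.items():
            (src / name).write_text(text)
        pack = workdir / "incident-0001.zip"
        seal = build_evidence_pack(src, pack, key)
        verified = verify_evidence_pack(pack, key)
        data = bytearray(pack.read_bytes())
        data[0] ^= 0x01  # corrupt the first byte of the archive
        pack.write_bytes(bytes(data))
        verified_after_tamper = verify_evidence_pack(pack, key)
    return {"seal": seal, "verified": verified, "verified_after_tamper": verified_after_tamper}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["seal"], indent=2))
    print("intact:", result["verified"], "after tamper:", result["verified_after_tamper"])
```

The seal file is kept separately from the archive so that the receiving party can re-verify the pack independently; checking the tag before opening the zip means a corrupted or altered archive is rejected without being parsed.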
Denial of Service (DoS) Response
This has become an increasing threat recently, often manifested as a distributed denial of service (DDoS) attack, which is more difficult to combat. Access to botnets is becoming increasingly widespread, so that individuals with grievances have access to facilities hitherto only available to criminal organisations. The attack could be directed at C4F, or C4F could suffer collateral damage from attacks on adjacent services. DoS and particularly DDoS attacks can result in:
• The C4F web site being unable to respond to legitimate transactions because they are swamped by a flood attack. This would be a direct attack from a low capacity resource.
• The hosting site being forced to suspend the service to enable other services on their site to continue. If this is a direct attack, C4F would be suspended; if C4F was suffering collateral damage, suspending the targeted service would re-open C4F.
• The ISP switching off access to C4F in order to prevent their service from being overwhelmed. Again, if this is a direct attack, C4F would be suspended; if C4F was suffering collateral damage, this would re-open C4F.
For a DoS attack or a low capacity DDoS (see Definitions), action from the hosting provider to block traffic from the specific incoming IP addresses should be taken. Arrangements for this action will be made with each hosting site.
For a DDoS, the customer should be contacted and, subject to their agreement, emergency DDoS protection should be put in place. As this is chargeable, the customer's agreement and order must be obtained before invoking the service.
C4F will maintain a list of suitable service providers, their contact details and costs.
Malware Discovery
Where malware is discovered by routine application of anti-malware measures, this should be logged.
Web Exploit
In most cases, this will be a new exploit. We need to cover, routinely, the OWASP Top 10 (see http://www.ibm.com/developerworks/library/se-owasptop10/index.html), although some variants may need modified responses. On discovery of a web exploit we will devise and put in place an emergency fix or procedure to block the exploit. We will check the OWASP list to see whether the exploit is known. If it is not, we will inform OWASP of the exploit, providing details as required. If it is a deliberate act, we will invoke our Criminal Attack Response, including the session logs in our evidence pack.
Definitions
Incidents will be classified according to their impact on the C4F systems or services.
Low capacity DDoS: where the number of attacking IP addresses is such that all the attacking addresses could be filtered.
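The distinction that the DoS response and the definition above both rest on, whether the attacking addresses are few enough to filter one by one at the hosting provider or so many that emergency DDoS protection is needed, can be made from the web server's own access log. The following is an added example, not C4F's own tooling or part of the original procedure: it counts requests per source over the log window, treats sources far above normal as the attacking set, and reports a blocklist only when that set is small enough to filter. The Common Log Format, the thresholds (`flood_threshold`, `max_filterable`) and the sample traffic are all assumptions for the demo.

```python
"""Flood triage over access log lines: per-source request counts, the offending
set, and a 'low capacity' verdict only when that set can be filtered address
by address (thresholds are demo assumptions)."""
from collections import Counter
import re

# Common Log Format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def make_sample_log(n_attackers: int, reqs_each: int, n_legit: int) -> list:
    """Construct sample log lines (not real traffic): n_attackers sources in
    203.0.113.0/24 sending reqs_each requests, n_legit sources in
    198.51.100.0/24 sending two each, plus one malformed line the parser must skip."""
    lines = ["not a log line"]
    for i in range(n_attackers):
        ip = "203.0.113.%d" % (i + 1)
        lines += ['%s - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200' % ip] * reqs_each
    for j in range(n_legit):
        ip = "198.51.100.%d" % (j + 1)
        lines += ['%s - - [01/Jan/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200' % ip] * 2
    return lines


def count_sources(lines) -> tuple:
    """Return (requests per source IP, number of malformed lines skipped)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        counts[m.group("ip")] += 1
    return counts, skipped


def triage_flood(lines, flood_threshold: int = 50, max_filterable: int = 20) -> dict:
    """Classify the window as 'no-flood', 'low-capacity' (block the listed
    addresses at the hosting provider) or 'ddos-escalate' (too many sources to
    filter individually; invoke emergency DDoS protection with the customer)."""
    counts, skipped = count_sources(lines)
    total = sum(counts.values())
    offenders = {ip: n for ip, n in counts.items() if n >= flood_threshold}
    if not offenders:
        verdict = "no-flood"
    elif len(offenders) <= max_filterable:
        verdict = "low-capacity"
    else:
        verdict = "ddos-escalate"
    return {
        "verdict": verdict,
        "sources": len(counts),
        "skipped_lines": skipped,
        "offenders": dict(sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0]))),
        "offender_share": round(sum(offenders.values()) / total, 3) if total else 0.0,
        "blocklist": sorted(offenders) if verdict == "low-capacity" else [],
    }


if __name__ == "__main__":
    for label, log in [("three sources", make_sample_log(3, 100, 5)),
                       ("sixty sources", make_sample_log(60, 60, 5)),
                       ("quiet", make_sample_log(0, 0, 5))]:
        print(label, "->", triage_flood(log))
```

`max_filterable` is the practical limit agreed with each hosting site for per-address blocking; anything above it is the case where the procedure calls for the customer's agreement and order before the chargeable DDoS protection service is invoked.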
ICO data required
• a description of the nature of the personal data breach including, where possible:
  ◦ the categories and approximate number of individuals concerned; and
  ◦ the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.