Security Incident Reporting and Response Overview

Having standard security procedures help us to formalize our response to any security issue we may face. The following procedures should be used when responding to an actual or suspected security threat. 

TO REPORT SECURITY INCIDENTS PLEASE CONTACT LEADING2LEAN SUPPORT: 
VIA EMAIL:  support@leading2lean.com
VIA PHONE: +1 877-225-5201

Current Security Officer (CSO):  Phil Richards (VP of SEcurity and IT)

Incident Reporting

All computer security incidents, including suspicious events, shall be reported immediately (orally or via e-mail) to Leading2Lean Support by the individual who witnessed/identified the breach. A ticket will be created to capture the following information:

1. Name and contact information of the person reporting the incident.
2. Time of the call.
3. Description of the incident.
4. What services, customers, and persons were involved?
5. Location of the event.
6. How was the incident discovered?
7. When the event was first noticed that supported the idea that the incident occurred.
8. Any associated costs.
9. Volume or Size of the incident.

Escalation

All appropriate staff and customer representatives will be alerted immediately based on the severity and scope of the incident. We should err on the side of alerting more people if there is a question. This group of individuals will become the Response Team for this incident.

The CSO or his/her designee needs to determine the severity of the incident. If the incident is something that will have a serious impact, the Leading2Lean company leadership will be notified and briefed on the incident, otherwise, an after-action report will be delivered to company leadership. 

Affected customers will be notified within 1 business day of any confirmed security incident. As appropriate customers' security teams will be involved in the response team. We will work in good faith with customer security teams to identify, contain, resolve, and mitigate security issues. For more specific information on customer notification timelines, please refer to the Customer Service Agreement (CSA).

Response, Mitigation, and Containment

The Response Team, or any system, network, or security administrator who observes an intruder on the Leading2Lean network or systems shall take immediate and appropriate action to terminate the intruder’s access. (Intruder can mean a hacker, botnet, malware, etc.)  Affected systems, such as those infected with malicious code or systems accessed by an intruder shall be isolated from the network until the extent of the damage can be assessed. Any discovered vulnerabilities in the network or system will be rectified by appropriate means as soon as possible. Leading2Lean staff will work in concert with customer representatives to coordinate any combined mitigation and containment efforts.

All actions must be logged and communicated via the appropriate internal change management communication channels so as to establish a corporate record or the action timeline.

Authorized employees from the Response Team will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing involved parties to determine how the incident was caused. Only authorized employees should be performing interviews or examining evidence, and the authorized employees may vary by the situation and will be determined by the Response Team.

Eradication and Restoration

The Response Team will determine the extent of damage and the course of action planned and communicated to the appropriate parties. If applicable, customer representatives will help develop the action plan for the restoration of data and/or services.

The action plan may include tasks such as:

1. Re-install the affected system(s) from scratch and restore data from backups if necessary. (Team must preserve evidence before doing this.)
2. Make users change passwords if passwords may have been compromised.
3. Be sure the systems have been hardened by turning off or uninstalling services. This includes limiting customer functionality which may be a source of the security risk.
4. Be sure the systems are fully patched.
5. Be sure real-time virus protection and intrusion detection are running.
6. Be sure the systems are logging the correct events to the proper level. 
7. Shut down external access to the service or change DNS entries pointing to the service to limit access.

Information Retention and Dissemination for Legal Purposes

All related documentation must be retained.  Authorized employees will make copies of logs, emails, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal, if legal action is applicable.

Due to the potential for legal action against the perpetrator(s), any public release of information concerning a computer security incident shall be coordinated through the office of the CEO. The CEO and/or his/her designee shall manage the dissemination of incident information to other participants, such as law enforcement or other incident response agencies. 

Ongoing Reporting

After the initial oral or e-mail report is filed, and if the incident has been determined to be a significant event (such as multiple workstations affected, root compromise, data breach, etc.), subsequent reports shall be provided to the CEO and appropriate customers. 

The ongoing written incident reports shall be submitted within 2 business days of the incident. This report can be completed by sending the ticket information to the CEO and CSO. A general report to the CEO and CSO shall contain the following:

1. Point of contact
2. Affected systems and locations
3. System description, including hardware, operating system, and application software
4. Incident description
5. Incident resolution status
6. Damage assessment, including any data loss or corruption
7. Organizations contacted 
8. Corrective actions taken 
9. Lessons learned 

A follow-up report shall be submitted upon resolution by those directly involved in addressing the incident

Review

After the initial reporting and/or notification, the CSO and CEO shall review and reassess the level of impact that the incident created. A post-mortem review of the incident will help identify policy and procedure improvements that will further strengthen our corporate security. Items to consider during this review may include:

1. Consider whether an additional policy could have prevented the intrusion.
2. Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
3. Was the incident response appropriate? How could it be improved?
4. Was every appropriate party informed in a timely manner?
5. Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?
6. Have changes been made to prevent a re-infection or repeat of the intrusion/attack? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.
7. Have changes been made to prevent a new and similar infection/breach?
8. Should any security policies be updated?
9. What lessons have been learned from this experience? 

The CSO will assign any identified tasks and manage those tasks to completion.