Flint Inc (flintk12.com)

Last Updated: 12/13/2023

Flint Security Incident Response Plan

Introduction

This is the Security Incident Response Plan for Flint, which documents the procedures for responding to a security incident. At Flint, we believe transparency and security are crucial for the safety and privacy of our customers, especially because we work with data from educational institutions and students. If customers’ data is breached during a security incident, Flint will communicate about the incident in a timely and transparent manner and respond in the way outlined in this document in order to fulfill the goals set out in the next section.

This Security Incident Response Plan provides general guidance on key activities before, during, and after confirmed or suspected security incidents. Its purpose is to give the technical staff responsible for supporting systems the tools to respond effectively to security incidents and to minimize any negative impact on institutional operations through a set of detection, analysis, and recovery activities. Some details, such as specific infrastructure and team member contact information, have been omitted from this document for security reasons. If you have any questions, please contact sohan@flintk12.com.

Goals for Cyber Incident Response

When a cyber security incident occurs, timely and thorough action to manage the impact of the incident is critical to an effective response process. The response should limit the potential for damage by ensuring that actions are well-known and coordinated. Specifically, the response goals are:

  1. Preserve and protect the confidentiality of constituent and employee information and ensure the integrity and availability of Flint systems, networks, and related data.

  2. Help Flint personnel recover their business processes after a computer or network security incident or other type of data breach.

  3. Provide a consistent response strategy to system and network threats that put Flint data and systems at risk.

  4. Develop and activate a communications plan including initial reporting of the incident as well as ongoing communications, as necessary.

  5. Address cyber-related legal issues.

  6. Coordinate efforts with external Computer Incident Response Teams and law enforcement.

  7. Minimize Flint’s reputational risk by mitigating damage and maintaining immediate transparency with parties whose data was affected.

Purpose and Scope

This publication provides practical guidelines on responding to cyber security and data breach incidents consistently and effectively. The plan establishes a team of first responders to an incident with defined roles, responsibilities, and means of communication.

Details covered in this plan include:

  • Methods of detecting security breaches at Flint

  • Incident response team (IRT) of Flint’s first responders to an incident with defined roles, responsibilities, and means of communication

  • Policy for Flint’s communication with stakeholders about breaches

While this plan is primarily oriented around cyber-related incidents and breaches, it can also be utilized for data breaches that are not related to computer systems.

Incident Response Life Cycle Process

Cyber incident response management is an ongoing process with a cyclical pattern. The specific incident response process elements that comprise the Cyber Incident Response Plan include:

  1. Preparation: The ongoing process of maintaining and improving incident response capabilities and preventing incidents by ensuring that systems, networks, applications, and data handling processes are sufficiently secure, and employee awareness training is in place.

  2. Identification: The process of confirming, characterizing, classifying, categorizing, scoping, and prioritizing suspected incidents.

  3. Notification: Alerting IRT members to the occurrence of an incident and communicating throughout the incident.

  4. Containment: Minimizing financial and/or reputational loss, theft of information, or service disruption. Initial communication with constituents and news media, as required.

  5. Eradication: Eliminating the threat.

  6. Recovery: Restoring computing services to a normal state of operation and the resumption of business activities quickly and securely. Provide reputational repair measures and news media updates, if needed. Provide credit monitoring services to affected constituents, or other remediation measures, as appropriate.

  7. Post-incident Activities: Assessing the overall response effectiveness and identifying opportunities for improvement through ‘lessons learned’ or mitigation of exploited weaknesses. Incorporation of incident learnings into the cyber fortification efforts and the response plan, as appropriate.

These process elements are depicted in the figure below, showing the closed-loop nature of the process, in that the learnings from any prior incidents are used to improve the prevention and response process of potential future incidents.

Figure: Incident response process showing a cycle with preparation, identification, notification, containment, eradication, recovery, and post-incident.

Incident Occurrence & Awareness

The way an incident becomes known will have an impact on the response process and its urgency. Examples by which Flint becomes aware of an incident include, but are not limited to the following:

  1. Flint discovers through its internal monitoring that a cyber incident or data breach has occurred.

  2. Flint is notified by one of its technology providers of an incident or becomes aware of the same.

  3. Flint is made aware of a breach through a constituent or a third-party informant.

  4. Flint and the public are made aware of the incident through the news media.

Common categories of cyber security incidents, incident impact definitions, and incident severity and response classifications are listed and described in Appendices B, C, and D.

Incident Response Protocol

The following sections provide guidance for key events and decisions in the case of an incident. Details about the company’s infrastructure and operations have been purposefully omitted for security reasons. If you have any questions regarding our response protocol or incident response plan, please contact sohan@flintk12.com.

Roles and Responsibilities

A team composed of company staff, advisors, and service providers shall be responsible for coordinating incident responses and is known as the Incident Response Team (IRT). The IRT shall consist of the individuals listed in Appendix A, having the noted roles and responsibilities. This team will have both primary members and secondary members. The primary members of the IRT will act as first responders or informed members for incidents that warrant IRT involvement, according to the incident’s severity. The entire IRT will be informed and involved in the most severe incidents.

IRT members may take on additional roles during an incident, as needed. Contact information, including a primary and secondary email address, plus office and mobile telephone numbers, shall be maintained and circulated to the team. The IRT will draw upon additional staff, consultants, or other resources (often referred to as Subject Matter Experts, or SMEs) as needed for the analysis, remediation, and recovery processes of an incident.

There shall be a member of the IRT designated as the Incident Response Manager (IRM), who will take on organizational and coordination roles of the IRT during an incident where the IRT is activated for response to the incident.

Response Process Detail

The response process, at a detail level, for an incident includes 5 of the 6 life cycle phases, as it excludes the Preparation phase. The detailed steps and general timing of an incident response are outlined below. The IT function is specifically called out as an involved party, separate from other SMEs.

Process Phase & Approximate Timing / Process Detail Steps / Involved Parties

Identification (hours)

  1. Identify and confirm that the suspected or reported incident has happened and whether malicious activity is still underway.

  2. Determine the type, impact, and severity of the incident by referring to Appendices B, C, and D.

  3. Take basic and prudent containment steps.

  Involved parties: IT and any monitoring service provider

Notification (hours - 1 day)

  4. Inform or activate the IRT, based on the severity of the incident, as outlined in Appendix D, and provide the type, impact, and details of the incident to the extent that they are known.

  5. Determine the need for Subject Matter Experts (SMEs) to be involved in the Containment, Eradication, and Recovery processes.

  Involved parties: IT & IRT

Containment (hours - 2 days)

  6. Take immediate steps to curtail any ongoing malicious activity or prevent the repetition of past malicious activity.

  7. Re-direct public-facing websites, if needed. Provide initial public relations and legal responses as required.

  Involved parties: IRT, IT, SMEs

Eradication (days - weeks)

  8. Provide full technical resolution of the threat and related malicious activity.

  9. Address public relations, notification, and legal issues.

  Involved parties: IT, IRT, SMEs

Recovery (weeks - months)

  10. Recover any business process disruptions and regain normal operations.

  11. Address longer-term public relations or legal issues, if required, and apply any constituent remedies.

  Involved parties: SMEs, IRT

Post-incident (months)

  12. Formalize documentation of the incident and summarize learnings.

  13. Apply learnings to future preparedness.

  Involved parties: IRT

Communication Methods

Company communication resources (email, phone system, etc.) may be compromised during a severe incident. Primary and alternate methods of communication using external infrastructure will be established and noted on the IRT member contact list to provide specific methods of communication during an incident. The IRT and any other individuals involved in an incident resolution will be directed as to which communication method will be used during the incident.

Notifying Internal Stakeholders
The IRM is responsible for making sure the IRT and any other necessary staff are notified of an incident and mobilized. The IRT (and other key operational staff) are contactable 24x7 in an emergency or disaster.

Notifying Customers

  • Incident Declaration: Impacted customers and business partners will be notified immediately if a disaster is declared. The notification will include a description of the event, the effect to the service, and any potential impact to data.

  • Updates throughout Execution Phase: Impacted customers and business partners will be kept up to date throughout the disaster recovery process via phone, messaging, and/or email.

  • Completion of Recovery: Once recovery is complete and services have resumed, our customer notifications will include general information about the steps taken to recover and any data that may have been impacted. If the recovery is partial and the service is still in a degraded state, notifications will include an estimate of how long the degradation will continue. If the primary contact(s) for disaster recovery (nominated by the customer) are unavailable, we will notify the alternative contact (also nominated by the customer). If, for any reason, we are unable to contact the customer’s primary and alternative contacts, we will endeavor to make contact with other representatives of the customer’s organization.

Information Recording
Information recording is very important during an incident, not only for effective containment and eradication efforts but also for post-incident lessons learned, as well as any legal action that may ensue against the perpetrators. Each member of the IRT shall be responsible for recording information and chronological references about their actions and findings during an incident. An example incident record form can be found in Appendix E.

Summary

No perfect script can be written for the detailed activity encountered and the decisions that will need to be made during an incident, as each incident is unique. This plan shall serve as a framework for managing cyber security and data breach incidents, allowing the details of confirmation, containment, eradication, and communication to be tailored to fit the specific situation.

The plan was created with the help of templates derived from public domain information of the SANS Institute cybersecurity sample policies and other public sources. If you have any questions about the content of this plan or specifics about how incidents would be handled, please contact sohan@flintk12.com.

Additional Resources

Appendix A - Flint Incident Response Team (IRT)

The team members and the responsibilities of each member in responding to security incidents are outlined below. Contact information and communication methods for the IRT members will be distributed to the team separately as confidential information.

Primary Team Members

  1. Tech Manager (TM, also head of IT): Chief Technology Officer, Jinseo Park

    • Maintain proactive cybersecurity policies and procedures

    • Discover and/or verify cyber incidents

    • Notify IRT members of incidents and provide updates

    • Coordinate computer forensic and technical remediation activities

    • Apply corrective actions to technology infrastructure

  2. Incident Response Manager (IRM): Chief Executive Officer, Sohan Choudhury

    • Coordinate communications and activities of the IRT when it is activated

    • Financial impact and financial data exposure

    • Public relations

    • News media management

  3. Communications Manager (CM): Head of Teacher Experience, Lulu Gao

    • External and internal communication

    • Communication to employees

    • Employee data exposure issues

    • Operational impact and/or overall data exposure assessment

Secondary Team Members
For some more severe security incidents, the Flint team may seek guidance and advice from SMEs and advisors who specialize in monitoring, legal, public relations, and cyber insurance.

Appendix B - Incident Categorization

Incident Type / Type Description

Unauthorized Access: When an individual or entity gains logical or physical access without permission to a company network, system, application, data, or other resource.

Denial of Service (DoS, DDoS): An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources.

Malicious Code: Successful installation of malicious software (e.g., a virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application.

Improper or Inappropriate Usage: When a person violates acceptable computing policies, including unauthorized access or data theft.

Suspected PII Breach: An incident where it is suspected that Personally Identifiable Information (PII) has been accessed.

Suspected Loss of Sensitive Information: An incident that involves a suspected loss of sensitive information (not PII) that occurred because of Unauthorized Access, Malicious Code, or Improper (or Inappropriate) Usage, where the cause or extent is not known.

Appendix C - Incident Impact Definitions

Security Objective / General Description / Potential Impact Examples

Confidentiality: Preserving restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

  General description: The unauthorized disclosure of information could be expected to have the following adverse effect on organizational operations, organizational assets, or individuals.

  Potential impact examples:

    • Low Impact: Limited to a single or several Users or computers in an isolated fashion, with easy remediation.

    • Medium Impact: Involving or affecting a group of Users, resulting in access to proprietary information. Limited or no external

    • High Impact: Involving or affecting a group of Users, resulting in access to proprietary information. Limited or no external exposure.

Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

  General description: The unauthorized modification or destruction of information could be expected to have the following adverse effect on organizational operations, organizational assets, or individuals.

  Potential impact examples:

    • Low Impact: Inadvertent or non-malicious alteration or deletion of company data that is easily remediated.

    • Medium Impact: An ongoing improper data alteration act (or series of acts) of a malicious or negligent nature that will have a moderate business impact.

    • High Impact: A massive alteration or destruction of company data of a malicious or obstructive nature.

Availability: Ensuring timely and reliable access to and use of information systems.

  General description: The disruption of access to or use of information or an information system could be expected to have the following adverse effect on organizational operations, organizational assets, or individuals.

  Potential impact examples:

    • Low Impact: Isolated outage or inaccessibility affecting a limited number of Users for a short amount of time (< 2 hours).

    • Medium Impact: A widespread outage or inaccessibility of a primary business system lasting more than 2 hours, but less than a day.

    • High Impact: Severe outage or inaccessibility of the company business systems lasting a day or more.

Appendix D - IRT Incident Severity and Response Classification Matrix

Severity Level (5 = Most Severe) / Typical Incident Characteristics / Example of Impact / Incident Response / Activate IRT?

Severity 5

  Typical incident characteristics: DDoS attack against on-premise or hosted Servers. Active attacks against network infrastructure. Access to internal company data by nefarious parties.

  Example of impact: An enterprise-wide attack involving multiple departments that prevents access to systems and disrupts business operations. Access to or theft of proprietary data.

  Incident response: IRT and the IRM direct response. Remediation coordinated by IT, Forensics, and SMEs. Possible Legal Counsel, Law Enforcement involvement.

  Activate IRT? Full team active

Severity 4

  Typical incident characteristics: Affects data or services for a group of individuals and threatens sensitive data, or involves accounts with elevated privileges with potential threat to sensitive data.

  Example of impact: Compromised business application. Improper or unauthorized access to data.

  Incident response: Response coordinated by IRM, IT, and SMEs; IRT advised. Legal Counsel specifically notified if there is a PII breach.

  Activate IRT? Full team informed and advised

Severity 3

  Typical incident characteristics: Affects data or services of a single individual, but involves significant amounts of sensitive data, which may include PII.

  Example of impact: Employee computer or account with sensitive data access compromised, physical theft of device, unprotected media, or hard copy data.

  Incident response: Response coordinated by IT or IRM, with information sent to the IRT members. Legal Counsel notified if a PII breach.

  Activate IRT? Primary team informed

Severity 2

  Typical incident characteristics: Affects data or services of a group of individuals with no sensitive data involved.

  Example of impact: Compromise of an account or device with shared folder access.

  Incident response: Response coordinated by IT. IRM advised and IRT informed. IT documentation process used to record findings.

  Activate IRT? Primary team informed

Severity 1

  Typical incident characteristics: Affects data or services of a single individual with no sensitive data beyond them; focus is on correction and future prevention.

  Example of impact: Compromised computer with no sensitive data, etc.

  Incident response: Documentation of issue and findings. Response/remediation coordinated by IT, IRM advised of incident.

  Activate IRT? No

Severity 0

  Typical incident characteristics: Occurrences of very minor or undetermined focus, origin, and/or effect for which there is no practical follow-up.

  Example of impact: Impaired computer requiring review of system access logs, AV scans, or other repairs.

  Incident response: Documentation through normal IT support processes to record actions and resolution. Reset passwords as needed.

  Activate IRT? No

Appendix E - IRT Incident Report Form

Flint Cyber Incident Response Plan Report Form