All security incidents must be managed in an efficient and timely manner to make sure that the impact of an incident is contained and the consequences for your business and your customers are limited. This document sets out the Wooassist plan for reporting and dealing with security incidents.
What is a Security Incident?
A Security Incident is any event, whether accidental or deliberate, that affects your communications or information processing systems. It includes any event or set of circumstances that threatens the confidentiality, integrity or availability of information, data or services in Wooassist.
This includes unauthorised access to, use, disclosure, modification, or destruction of data or services used or provided by Wooassist.
An ‘Account Data Compromise’ is a security incident specific to payment card data. It is an event that results in unauthorised access to or exposure of payment card data (cardholder data or sensitive authentication data). If an unauthorised person obtains payment card data from your business, they can use this data to commit fraud.
How to Recognise a Security Incident
A security incident may not be recognised straightaway; however, there may be indicators of a security breach, system compromise, unauthorised activity, or signs of misuse within your environment, or that of your third party service providers.
You need to look out for any indications that a security incident has occurred or may be in progress, some of which are outlined below:
- Excessive or unusual log-in and system activity, in particular from inactive user IDs (user accounts)
- Excessive or unusual remote access activity into your business, whether by your staff or by your third party providers
- The occurrence of any new wireless (Wi-Fi) networks visible or accessible from your environment
- The presence of or unusual activity in relation to malware (malicious software), suspicious files, or new/unapproved executables and programs. This could be on your networks or systems and includes web-facing systems.
- Hardware or software key-loggers found connected to or installed on systems
- Suspicious or unusual activity on, or behaviour of, Web-facing systems, such as your ecommerce website
- Point-of-Sale (POS) payment devices, payment terminals, chip & PIN/signature devices or dip/swipe card readers showing signs of tampering
- Any card-skimming devices found in your business
- Lost, stolen, or misplaced merchant copy receipts or any other records that display the full payment card number or card security code (the 3- or 4-digit number printed on the card)
- Lost, stolen, or misplaced computers, laptops, hard drives, or other media devices that contain payment card data or other sensitive data
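As an added example that is not part of the Wooassist plan, the following Python script applies three of the indicators above to a batch of authentication log lines: successful logins by accounts on an inactive list, remote access outside business hours, and an excessive number of failed logins from one source address. The OpenSSH-style log lines, host and user names, the inactive-account list, the internal network range and the thresholds are all constructed for illustration; a real deployment would read them from your log collector and your user directory.

```python
"""Check authentication logs for the login indicators listed above.

Added example, not part of the Wooassist plan. The OpenSSH-style log lines,
host and user names, the inactive-account list, the internal network range
and the thresholds are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed: accounts that HR/IT have marked inactive (leavers, suspended logins).
INACTIVE_ACCOUNTS = {"jsmith", "contractor02"}

# Constructed: address space considered internal; anything else is remote access.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: hours (24h, local time) during which remote access is expected.
BUSINESS_HOURS = range(8, 19)

# Constructed: failed logins from one source address that count as "excessive".
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample of sshd syslog lines, including one login by an inactive
# account, one off-hours remote login and a burst of password guessing.
SAMPLE_LOG = """\
Mar 11 09:15:02 pos-srv1 sshd[2101]: Accepted password for alice from 10.0.1.20 port 51022 ssh2
Mar 11 09:16:40 pos-srv1 sshd[2107]: Accepted publickey for jsmith from 198.51.100.7 port 40112 ssh2
Mar 11 02:05:11 pos-srv1 sshd[2200]: Accepted password for vendor-support from 203.0.113.9 port 48820 ssh2
Mar 11 02:05:30 pos-srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 48822 ssh2
Mar 11 02:05:31 pos-srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 48822 ssh2
Mar 11 02:05:33 pos-srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 48824 ssh2
Mar 11 02:05:34 pos-srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 48824 ssh2
Mar 11 02:05:36 pos-srv1 sshd[2201]: Failed password for sales from 203.0.113.9 port 48826 ssh2
Mar 11 02:05:38 pos-srv1 sshd[2201]: Failed password for sales from 203.0.113.9 port 48826 ssh2
Mar 11 10:02:00 pos-srv1 sshd[2300]: Failed password for alice from 10.0.1.20 port 51030 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["time"][:2])
    return event


def is_internal(src):
    """True if the source address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def find_indicators(log_text, inactive=INACTIVE_ACCOUNTS,
                    business_hours=BUSINESS_HOURS,
                    failed_threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (indicator, detail) pairs worth reporting to the SIRT."""
    findings = []
    failures_by_src = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            if ev["user"] in inactive:
                findings.append(("inactive-account-login",
                                 f"{ev['user']} from {ev['src']} at {ev['time']} on {ev['host']}"))
            if not is_internal(ev["src"]) and ev["hour"] not in business_hours:
                findings.append(("off-hours-remote-access",
                                 f"{ev['user']} from {ev['src']} at {ev['time']} on {ev['host']}"))
        else:
            failures_by_src[ev["src"]] += 1
    # Failures are counted per source so a slow spray across many accounts still shows up.
    for src, count in failures_by_src.items():
        if count >= failed_threshold:
            findings.append(("excessive-failed-logins", f"{count} failures from {src}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

Each finding is a pointer for a human, not a verdict: a login by an inactive account or a burst of failures from one address should be reported to the Incident Response Lead as a suspected incident, and the initial investigation decides whether the plan is initiated.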
Roles and Responsibilities
Your security incident response plan must be followed by all personnel in your business. This includes all employees, temporary staff, consultants, contractors, suppliers and third parties operating on behalf of Wooassist, working with Wooassist’s or your customers’ data, or on Wooassist premises. For simplicity, all of these personnel are referred to as ‘staff’ within this plan.
The Wooassist Security Incident Response Team (SIRT) is comprised of:
| Role | Responsibility | Name |
| --- | --- | --- |
| Information Security Officer | Incident Response Lead | Karl John Badeo |
| Senior Management Primary Contact | Executive Officer/Risk Owner | John Fabros |
| Communications | Handling of any external communications in relation to an incident | Robelle Tan |
| Human Resources | Handling of any personnel and disciplinary issues relating to security incidents | John Fabros |
The Incident Response Lead is responsible for:
- Making sure that your Security Incident Response Plan and associated response and escalation procedures are defined and documented. This is to make sure that the handling of security incidents is timely and effective.
- Making sure that the Security Incident Response Plan is up-to-date, reviewed and tested, at least once each year.
- Making sure that staff with Security Incident Response Plan responsibilities are properly trained, at least once each year.
- Leading the investigation of a suspected breach or reported security incident and initiating the Security Incident Response Plan, as and when needed.
- Reporting to and liaising with external parties, including the acquirer and card brands, legal representation, law enforcement, etc. as is required.
- Authorising on-site investigations by appropriate law enforcement or payment card industry security/forensic personnel, as required during any security incident investigation. This includes authorising access to/removal of evidence from site.
Security Incident Response Team (SIRT) members are responsible for:
- Making sure that all staff understand how to identify and report a suspected or actual security incident.
- Advising the Incident Response Lead of an incident when they receive a security incident report from staff.
- Investigating each reported incident.
- Taking action to limit the exposure of sensitive or payment card data and to reduce the risks that may be associated with any incident.
- Gathering, reviewing and analysing logs and related information from various central and local safeguards, security measures and controls.
- Documenting and maintaining accurate and detailed records of the incident and all activities that were undertaken in response to an incident.
- Reporting each security incident and findings to the appropriate parties. This may include the acquirer, card brands, third party service providers, business partners, customers, etc., as required.
- Assisting law enforcement and card industry security personnel during the investigation processes. This includes any forensic investigations and prosecutions.
- Determining if policies, processes, technologies, security measures or controls need to be updated to avoid a similar incident in the future. They also need to consider whether additional safeguards are required in the environment where the incident occurred.
All staff members are responsible for:
- Making sure they understand how to identify and report a suspected or actual security incident.
- Reporting a suspected or actual security incident to the Incident Response Lead (preferable) or to another member of the Security Incident Response Team (SIRT).
- Reporting any security related issues or concerns to line management, or to a member of the SIRT.
- Complying with the security policies and procedures of Wooassist. This includes any updated or temporary measures introduced in response to a security incident (e.g. for business continuity, incident recovery or to prevent recurrence of an incident).
Law Enforcement Contacts

| Contact | Telephone |
| --- | --- |
| Philippine National Police | 117 |
| PNP Anti Cybercrime Group | +63 (02) 414-1560 |
Incident Response Plan Steps
There are a number of steps and stages that must be followed to make sure that your business is protected and that you react to a security incident appropriately.
- Information security incidents must be reported, without delay, to the Incident Response Lead (preferable) or to another member of the Security Incident Response Team (SIRT). The member of the SIRT receiving the report will advise the Incident Response Lead of the incident.
- After being notified of a security incident, the SIRT will perform an initial investigation and determine the appropriate response, which may be to initiate the Security Incident Response Plan.
If the Security Incident Response Plan is initiated, the SIRT will investigate the incident and take action to limit the exposure of cardholder data and to mitigate the risks associated with the incident.
Initial incident containment and response actions
Make sure that no-one can access or alter compromised systems.
- Isolate compromised systems from your network by unplugging their network cables, but do not power them off: shutting a system down destroys volatile evidence (such as memory contents and active connections) that a forensic investigator may need.
- If using a wireless network, change the SSID (Service Set Identifier) on the wireless access point and other systems that may be using this wireless network (but not on any of the systems believed to be compromised).
- Preserve all logs and similar electronic evidence, e.g. logs from your firewall, anti-virus tool, access control system, web server, application server, database, etc.
- Take a forensic copy of the affected systems to preserve their current state (a bit-for-bit disk image rather than an ordinary file back-up, so that nothing the investigators may need is left out); this will also facilitate any subsequent investigation.
- Keep a record of all actions you and all members of the SIRT take.
- Stay alert for further indications of compromise or suspicious activity in your environment, or that of your third parties.
- Seek advice before you process any further payment card transactions.
- If you can, gather details of all compromised or potentially compromised payment card numbers (the ‘accounts at risk’).
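The following Python script, an added example that is not part of the Wooassist plan, shows one way to carry out the evidence-preservation steps above: copy each log file into an evidence directory, hash both the original and the copy with SHA-256, mark the copy read-only, and write a manifest recording who collected what and when, so that the copies can be re-verified before they are handed to the acquirer or a forensic investigator. The file names, log contents and collector name are constructed; `demo()` builds two fake log files in a temporary directory to exercise the routine end to end, including detection of a copy edited after collection.

```python
"""Preserve log files as incident evidence with hashes and a manifest.

Added example, not part of the Wooassist plan. The log contents, file names
and collector name are constructed; the pattern (hash the source, copy it,
re-hash the copy, record who/what/when, re-verify later) is the point.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_evidence(paths, evidence_dir, collector):
    """Copy each file into evidence_dir and write manifest.json beside the copies.

    The source is hashed before copying and the copy is hashed afterwards; a
    mismatch aborts, so a bad copy is never silently recorded as evidence.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for index, src in enumerate(paths):
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, f"{index:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 also carries over the original timestamps
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        os.chmod(dst, 0o444)  # guards against accidental edits only, not a hostile admin
        manifest.append({
            "original_path": os.path.abspath(src),
            "evidence_copy": os.path.abspath(dst),
            "size_bytes": os.path.getsize(src),
            "sha256": src_hash,
            "source_mtime_utc": datetime.fromtimestamp(
                os.path.getmtime(src), timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every copy listed in manifest.json. Returns (all_ok, mismatched_paths)."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    mismatched = [entry["evidence_copy"] for entry in manifest
                  if sha256_file(entry["evidence_copy"]) != entry["sha256"]]
    return (not mismatched, mismatched)


def demo():
    """Constructed end-to-end run: preserve two fake logs, verify, tamper with one
    copy, verify again. Returns (ok_before_tamper, ok_after_tamper, mismatch_count)."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    sources = []
    for name, body in [
        ("firewall.log", "2024-03-11T02:05:30Z DENY 203.0.113.9:48822 -> 10.0.1.5:3389\n"),
        ("access.log", '203.0.113.9 - - [11/Mar/2024:02:06:01 +0000] "GET /admin HTTP/1.1" 401 0\n'),
    ]:
        path = os.path.join(workdir, name)
        with open(path, "w") as f:
            f.write(body)
        sources.append(path)

    evidence_dir = os.path.join(workdir, "evidence")
    preserve_evidence(sources, evidence_dir, collector="Incident Response Lead")
    ok_before, _ = verify_evidence(evidence_dir)

    # Simulate an edit to a preserved copy after collection.
    tampered = os.path.join(evidence_dir, "000_firewall.log")
    os.chmod(tampered, 0o644)
    with open(tampered, "a") as f:
        f.write("line added after collection\n")
    ok_after, mismatched = verify_evidence(evidence_dir)

    shutil.rmtree(workdir, ignore_errors=True)
    return ok_before, ok_after, len(mismatched)


if __name__ == "__main__":
    print(demo())
```

The manifest doubles as the record of actions the plan asks for: it names the collector and the time of collection, and it is what an external investigator will check the hashes against. Keep the manifest itself under the same custody controls as the copies, since a manifest that can be rewritten proves nothing.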
Once the SIRT has carried out their initial investigation of the security incident:
- The Incident Response Lead will alert the SIRT’s senior management primary contact.
- The Incident Response Lead and / or the SIRT personnel responsible for communications / PR will inform all relevant parties. This includes your acquirer and local law enforcement, and other parties that may be affected by the compromise such as your customers, business partners or suppliers. This also includes the personal data breach notification contacts, as applicable to the incident under investigation.
Maintain Business Continuity
- The SIRT will engage with operational teams in your business to make sure that your business can continue to operate while the security incident is being investigated.
- The SIRT will liaise with external parties, including your acquirer, law enforcement, etc., to ensure appropriate incident investigation (which may include on-site forensic investigation) and gathering of evidence, as is required.
- The members of the SIRT will take action to investigate and resolve the problem to the satisfaction of all parties and stakeholders involved. This will include confirmation that the required controls and security measures are operational.
- The Incident Response Lead will report the investigation findings and resolution of the security incident to the appropriate parties and stakeholders (including your acquirer, local law enforcement, etc.) as is needed.
- The Incident Response Lead will authorise a return to normal operations once satisfactory resolution is confirmed.
- The SIRT will notify the rest of the business that normal business operations can resume. Normal operations must adopt any updated processes, technologies or security measures identified and implemented during incident resolution.
The SIRT will complete a post-incident review after every security incident. The review will consider how the incident occurred, what the root causes were and how well the incident was handled. This will help to identify recommendations for better future responses and to avoid a similar incident in the future.
Changes and updates that may be required include:
- Updates to the Security Incident Response Plan and associated procedures.
- Updates to your business’ security or operational policies and procedures.
- Updates to technologies, security measures or controls (for example, improved measures to inspect payment terminals for card skimmers).
- The introduction of additional safeguards in the environment where the incident occurred (for example, more effective malware protection).
The SIRT Executive Officer/Risk Owner (the senior management primary contact) will ensure that the required updates and changes are adopted or implemented as necessary.
Specific Incident Response Types
Some specific incident types requiring additional response actions are provided below.
Malware (or Malicious Code)
- Disconnect devices identified with malware from the network immediately.
- Examine the malware to identify the type (e.g. rootkit, ransomware) and establish how it infected the device. This will help you to understand how to remove it from the device.
- Once the malware has been removed a full system scan must be performed using the most up-to-date signatures available, to verify it has been removed from the device.
- If the malware cannot be removed from the device (as is often the case with rootkits), the device must be rebuilt from original installation media or a known-good image. Before restoring from back-up media/images you must verify that they are not infected by the malware.
- Protect the system(s) to prevent further infection by implementing fixes and/or patches to prevent further attack.
Tampering of payment terminals, chip & PIN/signature devices or card readers detected, Card-skimming devices found, or devices substituted
- Stop using the substituted/tampered devices
- Report the substitution/tampering to your device provider and your acquirer
- Follow your device provider or acquirer’s advice to ensure the security of all future card payments, e.g. inspect and confirm the integrity of your remaining devices, deploy replacement devices, etc.
- Follow your device provider or acquirer’s guidance to investigate the incident e.g. send the substitute/tampered devices to them, allow on-site investigations, etc.
Unauthorised Wireless Access Points
If unauthorised wireless access points are detected, or reported by staff, these must be recorded as a security incident.
- SIRT will investigate to identify the location of the unauthorised wireless access point/device.
- The SIRT will investigate as to whether or not the unauthorised wireless access point/device is being used for a legitimate business purpose/need. If a legitimate business reason is identified, then this wireless access point or device must be reviewed and go through the correct management approval process. This is to make sure that the business justification is documented and the wireless access point/device is securely configured (e.g. change default passwords and settings, enable strong authentication and encryption, etc.).
- All other unauthorised wireless access points/devices must be located, shutdown and removed.
Loss of Equipment
- The theft or loss of an asset, such as a PC, laptop or mobile device, must be reported immediately to a member of the SIRT and local law enforcement. This includes losses/thefts outside of business hours and at weekends.
- If the device that is lost or stolen contained sensitive or payment card data, and the device is not encrypted, SIRT will complete an analysis of the sensitivity, type and volume of data stolen, including any potentially exposed payment card numbers.
- Where possible, SIRT will use available technology/software to lock down/disable lost or stolen mobile devices (e.g. smart phones, tablets, laptops, etc.) and initiate a remote wipe. Evidence should be captured to confirm this was successfully completed.
Non-Compliance with your Security Policy
This covers incidents resulting from deliberate or accidental actions that are in breach of your security policy and which put sensitive and payment card data at risk. This includes any systems or data misuse, unauthorised exposure of data to external parties, unauthorised changes to systems or data.
- SIRT will engage with the relevant business area to establish an audit trail of events and actions. They will determine who is involved in the policy violation and the extent of the violation.
- SIRT and/or line managers will notify Human Resources of the incident.
- SIRT will liaise with Human Resources and line managers to determine whether disciplinary action is needed.
- SIRT will undertake an assessment of the impact and provide advice and guidance to the business area to prevent reoccurrence, for example re-training of staff.
Testing and Updates
Annual testing of the Incident Response Plan, using walkthroughs and practical simulations of potential incident scenarios, is necessary to ensure the SIRT is aware of its obligations, unless a real incident has occurred during the year that exercised the full process.
- The Incident Response Plan will be tested at least once annually.
- The Incident Response Plan Testing will test your business response to potential incident scenarios to identify process gaps and improvement areas.
- The SIRT will record observations made during the testing, such as steps that were poorly executed or misunderstood by participants and those aspects that need improvement.
- The Incident Response Lead will ensure the Security Incident Response Plan is updated and distributed to SIRT members.