All executive branch agencies including institutions of higher education are required to report information security incidents to VITA except for the University of Virginia (UVA), Virginia Polytechnic Institute and State University (VPI), and the College of William and Mary. The Code of Virginia § 2.2-603.F, listed below, describes the reporting requirements agency's must follow.
§ 2.2-603. Authority of agency directors.
F. The director of every department in the executive branch of state government shall report to the Chief Information Officer as described in § 2.2-2005, all known incidents that threaten the security of the Commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the Commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Such reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered their occurrence.
Guidance on Reporting Information Security Incidents
The purpose of this section is to provide information that may be helpful in information security incident reporting. Information security incidents will happen and the ability to quickly identify and act in a coordinated manner can lessen the impact of an information security incident. The information security incident reporting form is an important first step in handling information security incidents in a coordinated response.
Information Technology Incident
Information security incident refers to an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event.
An event is any observable occurrence in a system, network, and/or workstation. Although natural disasters and other non-security related disasters (power outages) are also called events, these reporting requirements are for IS security related events only. Events can many times indicate an information security incident is happening.
What to Report
An information security incident should be reported if the following conditions are met and it resulted in:
- An adverse event to an information system, network, and/or workstation OR
- The exposure, or an increased risk of exposure, of Commonwealth data OR
- A threat of the occurrence of such an event or exposure.
Please note: An adverse event does not include situations such as unintentional visits to Web sites prohibited by Commonwealth/agency policy or law, or excessive use of a provided resource. These types of situations should be handled internally as personnel issues.
You should report events that have a real impact on your organization. An information security incident includes, but is not limited to the following events regardless of platform or computer environment:
- When damage is done
- Loss occurs
- Malicious code is implanted
- Evidence of tampering with data
- Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources)
- Threat or harassment via electronic medium (internal or external)
- Access is achieved by the intruder
- Web pages are defaced
- When you detect something noteworthy or unusual (new traffic pattern, new type of malicious code, specific IP as source of persistent attacks).
- Denial of service attack on the agency
- Virus attacks which adversely affect servers or multiple workstations
- Other information security incidents that could undermine confidence and trust in the Commonwealth's Information Technology systems
Do not report routine probes, port scans, or other common events.
Clues for determining an information security incident
The following are clues that an information security incident may be in progress, or one may have already occurred. These indicators can have legitimate explanations and be part of day-to-day operations. The key in determining whether a suspected event is a legitimate event or is actually an information security incident is recognizing when things happen without an explanation, events that are contrary to your policies and procedures. The key word to using these indicators is "UNEXPLAINED."
- Unsuccessful logon attempts
- Accounting/system/network logs discrepancies that are suspicious (e.g., gaps/erasures in the accounting log in which no entries whatsoever appear; user obtains root access without going through the normal sequence necessary to obtain this access)
- "Door knob rattlin" (e.g., use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts)
- New user accounts not created by system administrators
- New files or unfamiliar file names
- Modifications to file lengths or dates (especially in system executable files)
- Attempts to write to system files or changes in system files
- Modification or deletion of data
- Changes in file permissions
- Logins into dormant accounts (one of the best SINGLE indicators)
- A system alarm or similar indication from an intrusion detection tool
- Denial of Service (DoS) (DDoS) (e.g. inability of one or more users to login to an account; inability of customers to obtain information or services via system)
- System crashes
- Abnormally slow or poor system performance
- Unauthorized operation of a program or sniffer device to capture network traffic (e.g., presence of cracking utilities)
- Unusual time of usage (remember, more computer security incidents occur during non-working hours than any other time)
- Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program; use of commands/functions not normally associated with user's job)
- Physical theft and intrusion (e.g., theft of laptop computer with critical information)
Information Security Incident Reporting Form
Fill out a Information Security Incident Reporting Form.