Welcome to the California Office of Information Security and Privacy Protection


Incident Management

Overview

The California Office of Information Security works collaboratively with agency Information Security Officers, California Highway Patrol (CHP), Office of Privacy Protection, Office of HIPAA Implementation, and other essential agencies on identifying, notifying, reporting, and mitigating information security incidents. The agency incident notification and reporting instructions are outlined in the Statewide Information Management Manual (SIMM) 65B.

The following policy, standards, and guidelines are provided to assist state agencies in complying with current incident notification and reporting requirements, and in establishing and maintaining internal incident management functions.

Incident Notification

State policy requires agencies to follow a prescribed notification process when information security incidents occur. Typically, it is each agency's Information Security Officer's (ISO) responsibility to notify the proper authorities. The prescribed process includes the following steps:

1. Immediately call (916) 657-8287 to report the incident.

This number is a 24-hour telephone line at the California Highway Patrol (CHP) Emergency Notification and Tactical Alert Center (ENTAC). The ENTAC contact will require specific information about the incident and will forward that information to the Office of Information Security and to the CHP Computer Crimes Investigation Unit (CCIU). Representatives from the Office of Information Security and CCIU will contact you as soon as possible following their receipt of the ENTAC notification.

IMPORTANT: A notification made to CHP or our Office outside of the ENTAC notification process by email or other means is NOT an acceptable substitute for the required notification to ENTAC.

2. Guidance for reporting the incident.

See the CHP's Web site at www.chp.ca.gov under "Computer Crime Reporting for State Agencies." The following information should be gathered before calling ENTAC:

  • Name and address of the reporting agency.
  • Name, address, e-mail address, and phone number(s) of the reporting person.
  • Name, address, e-mail address, and phone number(s) of the ISO.
  • Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
  • Description of the incident.
  • Date and time the incident occurred.
  • Date and time the incident was discovered.
  • Make / model of the affected computer(s).
  • IP address of the affected computer(s).
  • Assigned name of the affected computer(s).
  • Operating system of the affected computer(s).
  • Location of the affected computer(s).
  • Any actions at and following the time of discovery that were taken prior to calling ENTAC.

The following additional information should be gathered and available when calling ENTAC about incidents involving computer-related theft or crime:

  • Make / model of the affected computer(s).
  • Serial and state asset identification numbers of affected devices.
  • IP address of the affected computer(s).
  • Assigned name of the affected computer(s).
  • Operating system of the affected computer(s).
  • Location of the affected computer(s).

3. Personally Identifiable Information.

During this notification process, it is also important to report if the incident involves personally identifiable information, such as notice-triggering personal information as defined in California Civil Code Section 1798.29.

4. Additional Information.

The CCIU, the Office of Information Security, and Office of Privacy Protection may contact the agency for additional information or further investigation.

 

Incident Reporting

An Agency Information Security Incident Report outlining the details of the incident, corrective actions taken or to be taken, and the estimated costs associated with the incident must be completed and forwarded to the Office of Information Security within 10 business days following the incident per SAM Section 5350. The form to be used in making the report is SIMM 65C and must be signed by the agency's director, Information Security Officer, and when applicable the Privacy Officer/Coordinator.

Incident reports should be mailed to:

Office of Information Security and Privacy Protection
Attention: Office of Information Security
1325 J Street, Suite 1650
Sacramento, CA 95814

 

See Frequently Asked Questions (FAQ) for more details on this topic.

Questions may be directed to security@oispp.ca.gov or by calling (916) 445-5239.

Other Contact Information:

  • CHP ENTAC (916) 657–8287
  • California Office of Privacy Protection (866) 785–9663
  • California Office of HIPAA Implementation (CalOHI) (916) 654–3454

CHP: Computer Crime Incident Response Do's and Don'ts — Provides summary of incident response and other considerations

CalOHI Policy Memorandum (2006-77) – Security Incident Reporting Policy (.doc, 119k)

 

Other Resources

Links and resources for incident notification and reporting documentation, "best" practices, and federal standards to help develop and/or update your agency's reporting procedures. Contact the Office of Information Security if you have questions or need assistance with incident reporting.


The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

 

Last Updated: Thursday, June 26, 2008