Versions Compared

Old Version 12

changes.mady.by.user Pål Axelsson

Saved on

compared with

New Version 13

changes.mady.by.user Pål Axelsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

draw.io Diagram
bordertrue
diagramNameSWAMID Incident Management Procedures
simpleViewerfalse
width
linksauto
tbstylehidden
diagramDisplayNameSWAMID Incident Management Procedures
lboxtrue
diagramWidth2162
revision6

Procedure for Federation Participants, i.e. Identity Providers, Service Providers and Attribute Authorites

  • FP1. In parallel with this procedure, follow all security incident response procedures established for your organisation.
  • FP2. Contain the suspected security incident to avoid further propagation to other entities, while preserving evidence and logs. Record all actions taken, along with accurate timestamps.
  • FP3. Report on the suspected security incident to Sunet CERT as soon as possible, but within one local working day of becoming aware of the suspected incident.
  • FP4. In collaboration with Sunet CERT, ensure that all affected Federation Participants are notified, including those belonging to other federations. Include relevant information, when possible, to allow them to take action.
  • FP5. Investigate and coordinate the resolution of the suspected security incident within your domain of operation and keep Sunet CERT and other involved parties updated appropriately.
  • FP6. Announce suspension of services (if applicable) to Sunet CERT.
  • FP7. Perform appropriate investigation, system analysis and forensics and strive to understand the cause of the security incident and its full extent. 
  • FP8. Share additional information as often as necessary to keep all affected parties up to date with the status of the security incident and enable them to investigate and take action should new information appear. It is strongly encouraged for such updates to occur at regular intervals, to include the time of the next update within each update and to issue a new update sooner if significant new information becomes available.
  • FP9. Respond to requests for assistance from others involved in the security incident within one local working day. In case of limited trust or doubt regarding the party behind a given request, involve Sunet CERT.
  • FP10. Take corrective action, restore legitimate access to services (if applicable).
  • FP11. In collaboration with Sunet CERT, produce and share a single report, including lessons learned and actions taken, of the incident with all Sirtfi-compliant organisations in all affected federations within one month of its resolution. This report should be labelled TLP AMBER or higher. If the participant is not Sirtfi-compliant, Sunet CERT assists in sharing the outcome of the action with Sirtfi-compliant organisations.
  • FP12. Review and update your own organisation’s documentation and procedures as necessary to prevent recurrence of the incident in the future.

Sunet CERT may be contacted and involved at any time for security advice, recommendations, technical support and expertise, regardless of the severity of the suspected incident, at the discretion of and based on the needs of the Federation Participant.