Note: Not yet decided!

This is the new start page for SWAMID's incident management procedure. The page is under development and will not be published until a decision has been made by the SWAMID BoT!

The SWAMID Incident Management Procedures should be followed when a suspected security incident at a Federation Participant is expected to affect other Federation Participants. More specifically, the procedures apply to all suspected federated security incidents unless their extent is known, contained within the Federation Participant and cannot affect any other party. In addition to federated identities, threats to federated entities such as Identity Providers, Service Providers, Attribute Authorities and federation infrastructure such as Metadata repositories are also in scope.

Responsibilities

Federation Participants and the Federation Operator are mutually responsible for diagnosing and resolving the ongoing security incident by ensuring that it is contained, coordinating the response between the affected parties, tracking the progress of the incident response process, disseminating information, and providing expertise and guidance. In case of a security incident suspected to affect other federations or their participants, their security procedures should be respected.

...

The diagram below shows the correlation between all steps and involved parties for when a suspected security incident is in progress. Steps for federation participants are further explained after the diagram.

[draw.io diagram: SWAMID Incident Management Procedures]

Procedure for Federation Participants, i.e. Identity Providers, Service Providers and Attribute Authorities

  • FP1. In parallel with this procedure, follow all security incident response procedures established for your organisation.
  • FP2. Contain the suspected security incident to avoid further propagation to other entities, while preserving evidence and logs. Record all actions taken, along with accurate timestamps.
  • FP3. Report on the suspected security incident to Sunet CERT as soon as possible, but within one local working day of becoming aware of the suspected incident.
  • FP4. In collaboration with Sunet CERT, ensure that all affected Federation Participants are notified, including those belonging to other federations. Include relevant information, when possible, to allow them to take action.
  • FP5. Investigate and coordinate the resolution of the suspected security incident within your domain of operation and keep Sunet CERT and other involved parties updated appropriately.
  • FP6. Announce suspension of services (if applicable) to Sunet CERT.
  • FP7. Perform appropriate investigation, system analysis and forensics and strive to understand the cause of the security incident and its full extent.
  • FP8. Share additional information as often as necessary to keep all affected parties up to date with the status of the security incident and enable them to investigate and take action should new information appear. It is strongly encouraged for such updates to occur at regular intervals, to include the time of the next update within each update and to issue a new update sooner if significant new information becomes available.
  • FP9. Respond to requests for assistance from others involved in the security incident within one local working day. In case of limited trust or doubt regarding the party behind a given request, involve Sunet CERT.
  • FP10. Take corrective action and restore legitimate access to services (if applicable).
  • FP11. In collaboration with Sunet CERT, produce and share a single report, including lessons learned and actions taken, of the incident with all Sirtfi-compliant organisations in all affected federations within one month of its resolution. This report should be labelled TLP AMBER or higher. If the participant is not Sirtfi-compliant, Sunet CERT assists in sharing the outcome of the action with Sirtfi-compliant organisations.
  • FP12. Review and update your own organisation’s documentation and procedures as necessary to prevent recurrence of the incident in the future.

Sunet CERT may be contacted and involved at any time for security advice, recommendations, technical support and expertise, regardless of the severity of the suspected incident, at the discretion of and based on the needs of the Federation Participant.