Incident Response Procedures

These procedures apply for any suspected or confirmed security breach with a potential impact on the LS AAI or on other Participants.

The procedures build on the function of  the LS AAI Security Contact as defined in the Terms of Use for Service Providers [ToU].

 

Security Incident Response Procedure for Service Providers

  1. Aim at containing the security incident to avoid further propagation whilst aiming at carefully preserving evidence and logs. Record all actions taken, along with accurate timestamps.

  2. Report the security incident to the LS AAI Security Contact point within one local working day of the initial discovery or notification of the security incident.

  3. In collaboration with the Security Incident Response Coordinator (identified by the LS AAI Security Contact):

    1. Collect and strive to identify indicators of compromise (IoCs)

    2. Share incident status reports and IoCs with all affected participants (a “heads-up” and subsequent updates as needed), in the LS AAI and federation via their security contact (and, if needed, in other federations and with any external trusted entity involved)

  4. Announce suspension of service (if applicable) in accordance with LS AAI, federation and interfederation practices. Public announcements should not contain details other than “Security operations in progress”, unless agreed otherwise with the LS AAI Security Contact point.

  5. Perform appropriate investigation, system and network analysis and adequate forensics, and strive to understand the exact cause of the security incident, as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.

  6. Share additional status updates and IoCs as often as necessary to keep all affected participants up-to-date with the security incident and enable them to investigate and take action should new information appear.

  7. Respond to requests for assistance from other participants involved in the security incident within one working day and investigate new IoCs being shared.

  8. Take corrective action, restore access to service (if applicable) and legitimate user access.

  9. In collaboration with the Security Incident Response Coordinator, produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER or higher.

  10. Update documentation and procedures as necessary.

 

Security Incident Response Procedure for the LS AAI Security Contact

  1. Assist Participants in performing appropriate investigation, system and network analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.

  2. Report the security incident to their federation security contact point within one local working day of the initial discovery or notification of the security incident.

  3. Coordinate the security incident resolution process and communication with affected Participants until the security incident is resolved:

    1. Collect and strive to identify indicators of compromise (IoCs) from all involved entities

    2. Share incident status reports and IoCs with all affected Participants (a “heads-up” and subsequent updates as needed), in the LS AAI and federation via their security contact (and, if needed, in other federations and with any external trusted entity involved). If other federations are affected, the eduGAIN security contact point must be notified, even if affected participants in all other federations have been contacted directly.

  4. Ensure suspension of service (if applicable) is announced in accordance with LS AAI, federation and interfederation practices.

  5. Share additional status updates and IoCs as often as necessary to keep all affected participants up-to-date with the security incident and enable them to investigate and take action should new information appear.

  6. Assist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.

  7. Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER or higher.

  8. Update documentation and procedures as necessary.

 

Version 27 January 2022

Based on AARC Policy development kit (CC BY-NC-SA 4.0)

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 654248.