Good incident management enables the MoJ to respond to security incidents in a calm, efficient and effective manner. This incident management policy describes what must be done when an incident occurs.
The Incident Management Standard [link to follow] provides help with creating an incident management plan that complies with the policy. For example, the standard describes the roles and responsibilities of people working to address the incident.
The policy statements are as follows:

| Policy statement |
| --- |
| Each MoJ Business Group must have an IT Security Incident Management Plan which aligns to this policy. This plan must be common to all IT systems within that business group. |
| All IT Security incidents or suspected incidents must be reported to the MoJ Operational Security Team (OST) within 60 minutes of detection. |
| For every IT Security incident, an IT Security Incident Report Form must be completed and submitted to the OST [Ref, 10]. This applies irrespective of the reporting route (i.e. whether the user reports directly to the OST or via the IT helpdesk). |
| All IT Security incidents involving personal data (or other information assets) must be reported to the MoJ Data Access and Compliance Unit [Ref, 9]. |
| All IT Security incidents must be categorised in accordance with this policy. |
| All MoJ staff must report any concerns that the MoJ ICT Security Policy [Ref, 1] is not being followed to their line manager. |
| All MoJ staff must report any breach of the MoJ ICT Security Policy [Ref, 1] as an IT Security incident. |
| All MoJ staff must report any suspicious activity which indicates that an IT Security incident has occurred. |
| All MoJ staff must report an IT Security incident either to the IT helpdesk or directly to the MoJ Operational Security Team, using an IT Security Incident Report Form. |
| All MoJ Local Managers must ensure that all IT Security or personal data incidents or breaches are reported and taken seriously. This includes facilitating any investigation and, where appropriate, pursuing disciplinary action and/or legal proceedings. |
| Each MoJ business group SIRO (Senior Information Risk Owner) must ensure that each ICT domain (e.g. DISC or OMNI) which falls under their remit has an IT Security Incident Management Plan which implements this policy. A template plan and guidance are available in the ICT Security – Incident Management Plan and Process guide [Ref, 11]. |
| All High impact IT Security incidents, and any IT Security incident involving personal data, must be reported to the SIRO immediately. |
| All IT Security incidents involving the loss, theft or compromise of an Information Asset must be reported to the asset's IAO (Information Asset Owner). |
| Where the IT helpdesk receives a report of a security incident, it must be reported and escalated to the OST immediately. |
| Each IT Security Incident Management Plan must include a pre-arranged escalation path in which each stakeholder is named and aware of their role in the plan. |
| The OST must maintain files on any investigation undertaken. |
| Any diagnosis of an IT Security incident, and the events surrounding it, must be shared with and reported to the relevant stakeholders. |
| An IT system which has suffered a significant compromise (Medium or High impact) must be reported to the system Accreditor, and a review of that system's risk assessment and accreditation must be conducted. |
| All IT Security incidents for an IT system must be collated and provided to the system Accreditor during the re-accreditation process. |
| The IT Security Incident Management Plan for an IT system or overarching ICT domain must include details of how that system's or ICT domain's IT services are restored (or recovered) following an IT Security incident. |
| For each Medium and High impact IT Security incident, a management report must be prepared covering: |

| This policy is dated October 2017, and is an update of the IT Incident Management Policy, v1.0, May 2013. |