1906 Incident Response and Reporting
Department of Human Services
Index: POL1906
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
To establish and implement policies and procedures to ensure proper incident response and reporting for DHS information systems. The objective of this policy is to address the considerations that will help to ensure that the DHS IT resources and information systems properly respond to and report incidents concerning DHS information systems and data. Critical to achieving this objective is the implementation of controls that address each of the requirements stated in this policy.
Authority
- United States Department of Commerce National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Georgia Technology Authority Enterprise Information Security Policy
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Controlled Unclassified Information (CUI)
  - Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the Incident Management principles established in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, “Computer Security Incident Handling Guide,” as the official policy for Incident Response. The following subsections outline the incident management standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the policy and the standards documented below.
IR-1 Incident Response Policies and Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organizational-level incident response and reporting policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the incident response and reporting policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the incident response and reporting policy and procedures; and
- Review and update the current incident response and reporting:
  - Policy every one (1) year (or if there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
IR-2 Incident Response Training
- Provide incident response training to system users consistent with assigned roles and responsibilities:
  - Within 30 days of assuming an incident response role or responsibility or acquiring system access;
  - When required by system changes; and
  - Annually thereafter; and
- Review and update incident response training content every one (1) year and following major business and system changes impacting the CUI environment.
IR-3 Incident Response Testing and Exercise
Test the effectiveness of the incident response capability for the system annually using the following tests: tabletop exercises.
IR-3 (2) Coordination with Related Plans:
Coordinate incident response testing with organizational elements responsible for related plans.
IR-3 (3) Continuous Improvement:
Use qualitative and quantitative data from testing to:
- Determine the effectiveness of incident response processes;
- Continuously improve incident response processes; and
- Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
IR-4 Incident Handling
- Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
- Coordinate incident handling activities with contingency planning activities;
- Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
- Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-4 (1) Automated Incident Handling Processes:
Support the incident handling process using automated mechanisms.
IR-4 (3) Continuity of Operations:
Identify classes of incidents and take the following actions in response to those incidents to ensure continuation of organizational missions and business functions:
- Graceful degradation;
- Information system shutdown;
- Fall back to manual mode/alternative technology whereby the system operates differently;
- Employing deceptive measures;
- Alternate information flows; or
- Operating in a mode that is reserved solely for when systems are under attack.
IR-6 Incident Reporting
- Require personnel to report suspected incidents to the organizational incident response capability immediately upon discovery; and
- Report incident information immediately, but no later than 24 hours after identification of a possible issue involving FTI, to the appropriate special agent-in-charge and the IRS Office of Safeguards.
IR-7 Incident Response Assistance
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
IR-8 Incident Response Plan
- Develop an incident response plan that:
  - Provides the organization with a roadmap for implementing its incident response capability;
  - Describes the structure and organization of the incident response capability;
  - Provides a high-level approach for how the incident response capability fits into the overall organization;
  - Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  - Defines reportable incidents;
  - Provides metrics for measuring the incident response capability within the organization;
  - Defines the resources and management support needed to effectively maintain and mature an incident response capability;
  - Addresses the sharing of incident information;
  - Is reviewed and approved by designated agency officials at a minimum on an annual basis; and
  - Explicitly designates responsibility for incident response to agency-defined personnel.
- Distribute copies of the incident response plan to authorized incident response personnel and agency personnel with access to CUI;
- Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
- Communicate incident response plan changes to authorized incident response personnel and agency personnel with access to CUI; and
- Protect the incident response plan from unauthorized disclosure and modification.
IR-8 (1) Breaches:
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
- A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
- An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
- Identification of applicable privacy requirements.
IR-9 Information Spillage Response
Respond to information spills by:
a. Assigning designated incident response agency personnel with responsibility for responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting designated agency officials of the information spill using a method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently contaminated; and
g. Performing the following additional actions: Report incident information to the appropriate special agent-in-charge and the IRS Office of Safeguards.
FOR SOCIAL SECURITY ADMINISTRATION DATA
If the agency suspects a breach or loss of PII, or a security incident that includes SSA-provided data, it must notify the State official responsible for Systems Security designated in the agreement. That State official or delegate must then notify the SSA Regional Office Contact or the SSA Systems Security Contact identified in the agreement. If, for any reason, the responsible State official or delegate is unable to notify the SSA Regional Office or the SSA Systems Security Contact within one hour of discovering the incident, the responsible State Agency official or delegate must report the incident by contacting SSA’s National Network Service Center (NNSC) toll free at 1-877-697-4889 (select “Security and PII Reporting” from the options list). The EIEP will provide updates to the SSA contact as they become available, as appropriate. Refer to the worksheet provided in the agreement to facilitate gathering and organizing information about an incident.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.