Information Technology Policies and Standards

Title: Computer Abuse Incident Response
Type: Procedure
Related Policy:
Category: Security
Status: Superseded
Approved: 01/14/2004
To Be Reviewed: 02/16/2008
Scope
Applies to all City information technology assets.
Procedure
The Information Security Manager will first attempt to determine if the abuse incident is administrative or criminal in nature. If the nature of the incident is unclear, the Information Security Manager may contact APD's Forensic Computer Unit at 823-4200 for assistance.

If the abuse incident involves a threat to personal safety/physical property or criminal activity, the Information Security Manager will immediately contact APD's Communications Unit via the non-emergency reporting number (242-COPS(2677)) and request that APD dispatch a uniformed patrol officer to secure any affected information technology assets until a representative from the Metropolitan Forensic Science Center can assume custody of those assets. The Information Security Manager will report the incident (and that the incident has been referred to law enforcement) to the Chief Information Officer.

If the abuse incident is administrative in nature, the Information Security Manager will attempt to determine if it warrants a formal incident response.

In cases where an abuse incident does not require a formal incident response, the situation will be forwarded to the appropriate ISD staff to ensure that all technology support services required are rendered. The Information Security Manager will report the incident and its resolution to the Chief Information Officer.

If the Information Security Manager determines that a formal incident response is warranted, he will report the incident and his initial assessment to the Chief Information Officer. The Chief Information Officer will report the incident to the affected Department Manager and request that the Department Director assign an Incident Manager to coordinate the investigation and resolution of the incident.

When the Department assigns an Incident Manager, the Chief Information Officer will assign one or more Specialists as required to assist in the investigation and resolution of the incident. Specialists, under the coordination of the Information Security Manager, may be responsible for: identifying affected information technology assets; obtaining evidence or assisting the Incident Manager in obtaining evidence; reporting their actions and/or findings to the Information Security Manager; and testifying to their actions and/or findings in any administrative or legal proceedings that may occur as a result of the abuse incident.

Where the abuse incident involves information technology assets that are centrally managed, the Information Security Manager will assume custody of those assets and coordinate the provision of access necessary for the Incident Manager, with the assistance of Specialists if required, to obtain and review evidence.

Where the abuse incident involves information technology assets that are the property of and/or located in the affected Department, the Incident Manager will, with the assistance of Specialists if required, identify those assets. The Incident Manager will assume custody of those assets for purposes of continuous custody of evidence. Any inspection or alteration of those assets performed by Specialists will be done only in the physical presence of the Incident Manager to ensure continuous custody.

The Incident Manager will determine when the affected assets no longer need to be retained as evidence. Upon request, ISD will coordinate restoring departmental assets to a standard condition so that they may be returned to service.

When the Specialist(s) have completed their required actions, the Information Security Manager will report their actions and/or findings to the Chief Information Officer (concluding ISD's involvement in the incident) and to the Incident Manager (for any possible Department action). The Incident Manager will report all actions and/or findings to the Department Director, and should notify ISD when final resolution of the incident has been achieved.
Rationale
Due to a variety of issues, including the safety and privacy of City employees, it is imperative that a formal reporting and response policy be followed when responding to incidents of City computer abuse.

City computer abuse may constitute violations of: the City Employee Code of Conduct, City Personnel Rules and Regulations Section 301.15; the City Internet Usage Policy, Administrative Instruction 8-12; Guidelines for City E-Mail Services, Administrative Instruction 8-13; other City computing policies as approved by the Information Services Committee or issued by the Chief Information Officer; or other City ordinances or New Mexico or Federal law, including but not limited to the Federal Computer Fraud and Abuse Act (18 USC §1030 et seq), Electronic Communications Privacy Act (18 USC §2501 et seq), and Digital Millennium Copyright Act (17 USC §512 et seq).

Contact: Lee Stark, (505) 768-2978