Cybersecurity Incident Response Process

Last updated on February 29, 2024

If you believe you have an ongoing cyber security incident (for example, signs that an unauthorized party has gained access to a computing device and is using it), please report your concern to the OCIO Customer Service Centre at 7-7000 option 3 (1-250-387-7000).

The OCIO/CDT Security Investigations and Incident Response Team (SIIRT) will evaluate the threat and work with you to investigate and eliminate the unauthorized activity.

The OCIO/CDT SIIRT uses the SANS PICERL incident response model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Specifically:

P - Preparation. The SIIRT maintains a Security Incident Response Plan and multiple standing procedures ("playbooks") that standardize our response to common cyber security event types, including phishing, compromised device, compromised credentials and more.

I - Identification. Based on the report and any other available information (for example, logs and alerts from our security tooling), the SIIRT identifies the type, scope and severity of the incident so that we can mount the appropriate response. If the incident was reported by a person rather than detected automatically, the SIIRT will contact the reporter to make sure we have all the relevant information, and will keep the original reporter(s) informed as we work through the process.

C - Containment. Once enough of the Identification phase is complete, we begin the active response. Containment means taking steps to ensure the attack or problem does not get worse, or to stop it outright. Example actions include adding network protective measures, isolating a device from the network, disabling a user's computer account, or modifying our email policy rules.

E - Eradication. Once the problem is contained, we remove the threat from our environment completely. This means finding every instance of the problem, not just the one that was reported, and eliminating each of them. Examples include re-imaging affected computers, removing malicious messages from mailboxes, and resetting compromised passwords.

R - Recovery. This step is usually the responsibility of the business areas affected by the cyber security event. Its purpose is to return all user access and equipment to a normal operating condition. For the SIIRT, recovery may include removing the protective controls added during the Containment phase once they are no longer required.

L - Lessons Learned (Learning). This is one of the most important steps. We review both the incident and our response to it, so that we have the best protocols in place to handle a similar situation efficiently and effectively next time. We update our Security Incident Response Plan and playbooks as appropriate to improve our response capability and protocol. We also close out our cyber incident documentation and give final notification to the reporter(s) and stakeholders that the incident response is complete.