Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To establish requirements for effective and efficient identification, reporting, escalation, response to, and evaluation of whether any security compromises or other related incidents that occur within the District of Columbia Government (“District”)’s Information Systems have been resolved.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District Government, and/or any District Government agency/District/entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from the District of Columbia Office of the Chief Technology Officer (OCTO). In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
The Office of the Chief Technology Officer (OCTO), under the management of the Chief Technology Officer, is responsible for coordinating and leading security incident response when an incident involves the District, any of the District agency or multiple agencies, and entities such as business partners who have access to the District network and data repositories. In addition, OCTO is responsible for the District's cybersecurity readiness, threat analysis, and remediation efforts.
The requirements described in this Incident Response Policy are designed to help the District and agencies respond to and minimize the impact of security incidents.
4.1. Incident Response Training
The District agencies provide incident response training to information system users consistent with assigned roles and responsibilities:
- Provide training before assuming an incident response role or responsibility, when required by information system changes, and annually thereafter
- Provide additional or supplemental IR training when information system changes occur.
- Annually thereafter.
4.2. Incident Response Testing
The District agencies coordinate incident response testing with organizational elements responsible for related plans.
4.3. Incident Handling
The District agencies
- Must develop, adhere to or adopt within their Incident Management Plans, incident handling capabilities for security incidents that include:
- Detection and Analysis.
- Containment, Eradication, and Recovery.
- Post-Incident Activity.
- Coordinates incident handling activities with contingency planning activities.
- Lessons learned from incident handling activities shall be incorporated into incident response procedure s, training, and testing/exercises, and implements the resulting changes.
4.4. Incident Monitoring
The District agencies must develop, adhere to or adopt incident monitoring processes that track and document information asset security incidents on an ongoing basis.
4.5. Incident Reporting
The District agencies:
- Requires personnel to report suspected security events to the District Security Operations Center (SOC) immediately the event is discovered.
- Reports all identified Information Security Incidents to the Office of Information Security
- Contact the SOC by phone at +1-202-724-2447
- Contact the SOC by email at [email protected]
4.6. Incident Response Assistance
The District agencies must provide incident response support that offers advice and assistance to users of agency-managed information systems for the handling and reporting of security incidents.
4.7. Incident Response Record Retention
The District agency must retain all documents and data related to an incident according to the agency’s data retention schedule.
4.8. Incident Response Plan
The District must develop an incident response plan that:
- Provides the organization with a roadmap for implementing its incident response capability.
- Describes the structure and organization of the incident response capability.
- Provides a high-level approach for how the incident response capability fits into the District processes.
- Meets the unique requirements of the District, which relate to mission, size, structure, and functions.
- Is tested at least once every 6 months.
- Defines reportable incidents.
- Provides metrics for measuring the incident response capability within the District.
- Defines the resources and management support needed to effectively maintain and mature an incident response capability.
- Is reviewed and approved by the Chief Technology Officer who will in turn.
- Distribute copies of the incident response plan to all the District agencies.
- Review the incident response plan once every quarter.
- Update the incident response plan to address system/organizational changes or problems encountered during implementation, execution, or testing of the plan.
- Communicates incident response plan changes to all the District agencies.
- Protects the incident response plan from unauthorized disclosure and modification.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.