Security incident management, e-discovery, and cloud forensics

This section describes Itron’s policy for establishing a security incident response standard for the Itron Azure environment and the outcomes it hosts. The standard helps Itron implement best practices for identifying, responding to, and managing cybersecurity incidents that threaten the confidentiality, integrity, and availability of Itron Azure environment assets, in a consistent manner and with appropriate leadership and technical resources.

The infrastructure team, developer teams, and users of the Itron Azure environment are responsible for ensuring they adhere to procedures and controls that demonstrate compliance with this policy. Teams are responsible for assigning the resources necessary to achieve compliance. Itron management commits to actively supporting the teams in complying with this policy by ensuring the policy is reviewed and approved, responsibilities are defined, and resources and budget are available.

Policy

Itron adheres to formal, documented incident response procedures for the Itron Azure environment that facilitate the implementation of the incident response policy and associated incident response controls. The incident response procedures document addresses scope, roles, responsibilities, and the incident response processes and procedures necessary to ensure Itron implements best practices for identifying, responding to, and managing cybersecurity incidents that may occur across the Itron Azure environment. This policy is based on the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Rev 4 Incident Response (IR) control family guidelines.

Security incident training

The security incident response capability for the Itron Azure environment is tested annually to determine the effectiveness of the security incident response, and the results are documented. Methods for testing/exercising the security incident response capability include walk-through and tabletop exercises, checklists, simulations, and comprehensive exercises.

Security incident handling

An incident handling capability for security incidents across the Itron Azure environment is implemented that includes preparation, detection and analysis, containment, eradication, and recovery. Lessons learned from security incident handling activities are incorporated into security incident response procedures, training, and testing.

Security incident monitoring

Security incidents that occur across the Itron Azure environment are tracked and documented, including the current status of the incident, details of the incident, information necessary for forensics, and how the incident was handled.

Security incident reporting

Itron employees report suspected security incidents to Itron Security within one hour. Security incident information is reported to Itron internal stakeholders and management as appropriate. Security incident information is reported to external authorities as appropriate.

Security incident response plan

A security incident response plan for the Itron Azure environment is developed that:

  • Provides the roadmap for the implementation of the security incident response capability for the Itron Azure environment.

  • Describes the structure, organization, and high-level approach of the security incident response capability for the Itron Azure environment.

  • Defines reportable incidents.

  • Provides metrics for measuring the Itron Azure environment security incident response capability.

  • Defines the resources and management support needed to effectively maintain and mature the Itron Azure environment security incident response capability.

  • Is reviewed and approved by infrastructure team managers and Itron Security.

The security incident response plan is distributed to all individuals who have roles and responsibilities in the plan. The security incident response plan is reviewed at least annually. The security incident response plan is updated when necessary to reflect changes to the organization or the Itron Azure environment, or to correct problems found during plan implementation, execution, or testing. Changes to the security incident response plan are communicated to relevant stakeholders. The security incident response plan is protected from unauthorized disclosure and modification.

Integrated information security analysis team

Itron establishes an Itron Security team of forensic/malicious code analysts, tool developers, and real-time operations personnel.

Procedure

All Itron Azure environment infrastructure assets, outcomes, and related employees are subject to the security incident response policy and security incident response procedures. A security incident can be anything from an active threat to an attempted intrusion to a successful compromise, data breach, policy violation, or unauthorized access to data. This section establishes procedures for training, testing, handling, reporting, and mitigating security incidents, as well as the roles and responsibilities of Itron employees in case of a security incident. Security incidents occurring in the Itron Azure environment are monitored and reported by Itron Security, which monitors security incidents using a centralized audit log analytics application and reports incidents using the defined SOC mechanism.

Security incident response

The security incident response plan is defined by Itron Security. Handling a security incident is a collaboration among the impacted teams to analyze, quarantine, mitigate, and recover from the security incident.

The following teams may be involved based on the nature of the incident:

  • Itron Security

  • Infrastructure team

  • Developer team

Each team needs a checklist of actions to take in the event of a security incident. These teams are responsible for handling the incident, performing a post-security incident review, and incorporating the lessons learned into the security incident procedures.

Training

Infrastructure team and developer team members are trained to handle security incidents. The training needs to be given at least annually to the team members who are responsible for reporting/monitoring and handling security incidents.

Testing

Itron Security, the infrastructure team, and developer teams conduct tests on the security incident response plan at least annually. These tests need to be conducted either as tabletop tests or as simulated attacks.