LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 552.01 Computer Security Incident Report and Response
 
  PROCEDURES
  1. Organization of Emergency Response Teams
     
    1. The Departmental Information Security Officer (DISO) or his/her designee must represent the Los Angeles County Department of Mental Health (DMH/Department) in the County Computer Emergency Response Team (CCERT) as the primary member of the Departmental Computer Emergency Response Team (DCERT).
       
    2. DMH must organize a DCERT. The DISO will designate primary DCERT members and alternate members. Each DCERT member will actively participate in training and DCERT and CCERT activities.
       
    3. The DISO or his/her designee will keep the CCERT contact information current. The DISO must maintain current contact information for the personnel responsible for managing information technology (IT) resources and remediating security threats.
       
    4. DMH must provide primary and alternate DCERT members with adequate portable communication devices (e.g., cell phone, pager, laptop).
       
    5. DCERT must adopt and adhere to County policies, procedures, and guidelines that pertain to computer security threat response.
       
  2. Computer Security Incident Response and Report Procedure

    According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, 45 CFR 164.304, a security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
     
    1. Pre-Incident

      An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster. The purpose of having incident handling procedures is to know what to do when an incident occurs. This means anticipating scenarios before they happen and making many decisions about them in advance.

      To assist facility workforce members and others in knowing what to do when an incident occurs, the DMH DISO must prepare and maintain a Computer Security Incident Response Matrix as part of the process of implementing the DMH Security Compliance Program.

      The Matrix is the tool the DCERT uses when confronted with a computer security incident; it shows the type of response that is required. Each cell of the Matrix corresponds to the intersection of a type of threat and a level of impact to the facility, and must contain a narrative of the response required for that combination.
       
    2. Post-Incident

      DCERT response to computer security threats will consist of the following:
       
      1. Identification
         
        1. A DMH workforce member must immediately report any and all suspected or actual breaches of information security (i.e., of confidentiality, integrity, or availability) to his/her supervisor and to the DMH Helpdesk or the DISO.
        2. Once a problem is reported and the DCERT is activated, the first priority for the DCERT is to determine the type, scope, and status of the incident, because the DCERT's response depends on the severity of the event. Each DMH facility must comply with all County policies for preservation of evidence and notification of appropriate authorities.
        3. A Computer Security Incident Report form must be completed for each incident reported to DCERT.
           
      2. Isolation
         
        1. Affected systems must be immediately isolated from the rest of the network. During a wide-scale attack, isolation will typically be done at the network level via routing and/or filtering components. Isolation must be carried out in a manner that preserves evidence; DMH must comply with all County policies for preservation of evidence and notification of appropriate authorities.
        2. The DISO or his/her designee and DCERT representatives are responsible for taking necessary corrective action to remediate a computer security threat while preserving evidence related to the breach, as appropriate.
           
      3. Notification
         
        1. If the computer security incident is a Countywide security threat (i.e., one that could adversely affect Countywide computer systems and/or data), the DCERT must inform the DISO and CCERT as early as possible.
        2. When a violation of County IT resources is identified, DMH must comply with Board of Supervisors Policy 6.103, Security Incident Reporting and Response, and Policy 6.101, Use of County Information Assets, for notification of appropriate authorities.
        3. If the computer security incident is a DMH security threat, then the DCERT must inform:
           
          • The DISO as early as possible
          • Other affected DMH facilities and/or persons (e.g., the DMH CIO, System Managers/Owners) of the computer security threat events
          • The DMH Privacy Officer if the computer security incident involves Protected Health Information.
             
        4. Each facility must have in place a notification process to manage computer security threats within and outside their facility (including notification of vendors, business associates, and State/Federal contacts).
           
      4. Evaluation
         
        1. Once a DMH computer security threat has been identified and the DCERT activated, evaluation must begin to determine the steps necessary to mitigate the threat.
        2. The evaluator must recommend to the DCERT a course of action and the DCERT will either act on the recommendation or modify as necessary.
           
      5. Mitigation
         
        1. After the DCERT has endorsed the recommended course of action, remediation information will be communicated to all facilities.
        2. DCERT members must then rapidly implement the recommended course of action.
           
      6. Assessment
         
        1. During a computer security threat, DCERT representatives must document the number of affected systems within the organization in the DMH Computer Security Incident Report.
        2. The impact of any such incident on the DMH facility must also be assessed and documented by the DCERT representatives in terms of downtime, impacted services, and quantifiable resources expended to mitigate the threat.
           
      7. Reporting
         
        1. The DCERT representatives must forward all information generated by assessment to the DISO within five (5) working days following a DMH computer security threat. 
        2. Within ten (10) working days of any such incident, the DCERT will develop an event chronology that will be presented to the DISO.
           
      8. Follow-Up
         
        1. After the threat has been contained and the majority of DMH systems have been restored to normal operation, DCERT will perform a postmortem analysis.
        2. In order to remain effective, the DCERT will discuss among its members the actions taken, derive "lessons learned," and, if necessary, modify existing guidelines and procedures so that future responses to similar incidents are more effective and efficient.