Version: 1.0
Publication Date: 2023-02-18
Effective Date: 2023-02-21

DEFINITIONS

  • AAI - The GEANT AAI Service
  • DPO - Data Protection Officer
  • CIRT - Computer Incident Response Team
  • Participant - An entity providing, managing, operating, supporting or coordinating one or more service(s) connected to the AAI
  • End User - An individual who, by virtue of their membership in the AAI, is authorized to use the Participant's services.
  • AAI Security Contact - The security contact point as identified by the AAI
  • Participant Security Contact - The security contact point as identified by the Participant
  • Security Incident Response Coordinator - The person or team identified by the AAI to coordinate responses to security incidents
  • IoCs - Indicators of Compromise
  • TLP - Traffic Light Protocol https://www.first.org/tlp/

Introduction

This procedure applies to any suspected or confirmed security breach with a potential impact on the AAI, its Participants and/or its End Users.

Security Incident Response Procedure for Participants

  1. Aim to contain the security incident and avoid further propagation, while carefully preserving evidence and logs. Record all actions taken, along with accurate timestamps.
  2. Report the security incident to the Security Contact within one local working day of the initial discovery or notification of the security incident.
  3. In collaboration with the Security Incident Response Coordinator:
    1. Collect and strive to identify IoCs.
    2. Share incident status reports and IoCs with all affected Participants (a “heads-up” and subsequent updates as needed), via the AAI Security Contact (and, if needed, with any external trusted entity involved).
  4. Public announcements, if any, should not contain details other than “Security operations in progress”, unless agreed otherwise with the AAI Security Contact.
  5. Perform appropriate investigation, system and network analysis and adequate forensics, and strive to understand the exact cause of the security incident, as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort need to be commensurate with the scale of the problem and with the potential damage and risks faced by affected Participants.
  6. Share additional status updates and IoCs as often as necessary to keep all affected Participants up-to-date with the security incident and enable them to investigate and take action should new information appear.
  7. Respond to requests for assistance from other Participants involved in the security incident within one working day and investigate new IoCs being shared.
  8. Take corrective action, restore access to service (if applicable) and legitimate user access.
  9. In collaboration with the Security Incident Response Coordinator, produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER or higher.
  10. Update documentation and procedures as necessary.

Security Incident Response Procedure for the AAI Security Contact

  1. Assist Participants in performing appropriate investigation, system and network analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. The time and effort need to be commensurate with the scale of the problem and with the potential damage and risks faced by affected Participants.
  2. Report the security incident to the relevant Federation security contact point within one local working day of the initial discovery or notification of the security incident.
  3. Coordinate the security incident resolution process and communication with affected Participants until the security incident is resolved:
    1. Collect and strive to identify IoCs from all involved entities.
    2. Share incident status reports and IoCs with all affected Participants (a “heads-up” and subsequent updates as needed), in the AAI and federation via their security contact (and, if needed, in other federations and with any external trusted entity involved). If other federations are affected, the eduGAIN security contact point must be notified, even if affected Participants in all other federations have been contacted directly.
  4. Ensure suspension of service (if applicable) is announced in accordance with any AAI, federation and interfederation practices.
  5. Share additional status updates and IoCs as often as necessary to keep all affected Participants up-to-date with the security incident and enable them to investigate and take action should new information appear.
  6. Assist and advise Participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
  7. Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER or higher.
  8. Update documentation and procedures as necessary.