Policy Number: 07
Authority: Executive Order 42
Corzine (11/20/2006)
Effective Date: September 21, 2001
Computer (Cyber) Incident Reporting
Purpose
The purpose of this document is to describe the computer incident reporting & response process that the State of New Jersey will employ in the event of an intrusion to or an attack on government computer systems. This reporting and response process provides a coordinated approach to handling incidents across all levels of government. The intention of this coordinated process is to minimize or eliminate the propagation of an event to other computers and networks.
Scope
This policy applies to all agency, authority, board, department, division, commission, institution, institution of higher education, bureau, or like governmental entity of the executive branch of the state government.
Definitions
A computer or cyber incident is an event violating an explicit or implied computer security policy. The following types of events or activities are widely recognized as being in violation of a typical security policy. These activities include but are not necessarily limited to:
- attempts (either failed or successful) to gain unauthorized access to a system or its data
- unwanted disruption or denial of service
- the unauthorized use of a system for the transmission, processing or storage of data
- changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
Cyber-terrorism is the unlawful and deliberate use, modification, disruption or destruction of computing resources.
Policy
It is the responsibility of all State employees to report suspected computer incidents as quickly as possible. The ultimate goal, regardless of incident, is the protection of assets, containment of damage, and restoration of service.
- Any cyber incident, whether confirmed or unconfirmed, will be coordinated by the State of New Jersey Office of Information Technology (NJOIT), through its Call Center.
- The NJ OIT Security & Contingency Planning Office shall direct the computer incident response effort, and be responsible for requesting assistance of the New Jersey State Police Office of Emergency Management (NJOEM).
- The NJOEM Incident Command System (ICS) will be used to manage the emergency and criminal investigative elements of a response to a cyber incident.
Primary support for this response will be at the request of NJOIT through NJOEM, and be provided by the New Jersey State Police High Tech Crimes Unit (NJSP HTCU) and the Federal Bureau of Investigation's Newark Division National Infrastructure Protection Squad (NIPS).
Notification Procedures:
- Initial notification of a cyber incident, whether confirmed or unconfirmed, should be made through the NJOIT Call Center at 800-NCC-HELP (800-622-4357), which operates 24 hours a day, seven days a week. Recognizing, however, that in some cases an information systems failure or other anomaly may be experienced by an unsuspecting third party, notification may be made through the NJOEM at 609-882-4201, the Federal Bureau of Investigation at 973-792-3000 or the main switchboard of NJ State Police at 609-882-2000. The NJ State Police may utilize the National Attack Warning System (NAWS) or the National Law Enforcement Telecommunications System (NLETS) for notification purposes.
- In the event that notification of a cyber incident, whether confirmed or unconfirmed, is not made through the NJOIT Call Center, the caller shall inform the Duty Trooper or other duty official that the NJOIT Call Center was not notified of the incident. The Duty Trooper or other duty official will immediately contact the NJOIT Call Center and advise staff of the report.
- NJOIT will contact the NJOIT Security Emergency Management Coordinator who will notify:
  - The NJOEM, which will contact the NJOEM Deputy State Director who will determine if activation of the State Emergency Operations Center (EOC) is warranted;
  - The NJSP High Tech Crimes Unit at 609-882-2000, ext. 2904; and
  - The Federal Bureau of Investigation Newark Division Supervisory Special Agent responsible for computer intrusion and infrastructure protection investigations, at 973-792-3000.
Response Actions:
- Once an incident has been reported to the NJOIT Call Center and the NJOIT Security Emergency Management Coordinator, NJOIT staff will attempt to ascertain incident specifics such as time, date, location, affected systems, and the nature and consequence of the incident.
- An Initial Response Team (IRT) consisting of representatives from NJOIT, NJSP HTCU, the affected agency and, if appropriate, the FBI, will respond to the incident location to determine escalation requirements.
- If the Initial Response Team determines the incident in question is, or suspects it to be, a cyber-terrorism incident, the NJOIT Security Emergency Management Coordinator will immediately apprise the NJOEM staff or Duty Trooper if the State EOC has not been activated, who will immediately notify the NJOEM Deputy State Director.
- NJOEM will apprise the Supervisory Special Agent (SSA) in charge of computer intrusion and infrastructure investigations of the results of the IRT assessment. If the event is identified as or suspected to be a cyber-terrorism incident, the FBI SSA will contact the FBI's National Infrastructure Protection Center (NIPC) in Washington, D.C. The SSA will act as the point of contact between the State, FBI Newark Division, and the NIPC for the duration of the event, and arrange for any necessary federal investigative or forensic assistance.
- The NJOIT Emergency Management Coordinator, through the NJSP OEM, will contact each of the 21 County Emergency Management Coordinators and all state agency Emergency Management Coordinators to obtain damage assessments.
- Based on the continuing analysis and assessments, the IRT will begin to focus on remediation of mission-critical information and telecommunications systems, as well as those systems whose loss would constitute an immediate threat to public health or safety. Law enforcement investigative efforts of the FBI and the NJSP will focus on identifying the origins of the incident and apprehending those responsible for it.
- The NJOIT Emergency Management Coordinator shall apprise the agency chief information officer affected by the computer incident of the progress of the investigation and final outcomes.
Functions
Employee:
- To adhere to this policy and any other state or agency security policies.
- To report all suspected computer incidents to their supervisor and to the appropriate business or technical area manager who in turn will notify the NJOIT Call Center.
- To fully cooperate with any subsequent investigation of a computer incident.
Agency:
- To communicate this policy to all employees.
- To implement procedures to ensure compliance with the initial notification procedures described in this policy.
- To provide periodic security awareness training to agency employees.
- It is the responsibility of each agency to identify procedures whereby its IT staff will determine if a computer or cyber incident has taken place and if it should be reported under this policy.