11. Security Incident and Response
11.1. Security incident monitoring
The following suspected or actual events or activities should be monitored for:
•
Triggering of tamper evident or response functions in the HSM
•
Physical non availability of HSM, card reader, card sets, client application,
%NFAST_KMDATA% folder contents, nShield Connect config file, SIEM collector data,
backup data
•
Logical non availability of HSM, card reader, card sets, client application,
%NFAST_KMDATA% folder contents, nShield Connect config file, SIEM collector data,
backup data
•
Gaps or unexplained entries in the logs, or suspected log tamper
•
Evidence of access control violation contrary to any security policy e.g. lost token
and subsequent logon.
•
Evidence of unauthorized use
•
Evidence of network attacks on the HSM
•
Evidence of excessive performance demands
•
Evidence of violation of environmental controls
•
Unauthorized changes to configuration settings for HSM and client application e.g.
updating the module’s clock.
•
Non-compliance with security process e.g. commissioning on an open network
•
Non-compliance with security policy e.g. using incorrect algorithm strength or
continuing to use a key outside of its cryptoperiod.
11.2. Security incident management
If a security incident is suspected the Company Security Officer should be alerted
immediately and determine which actions must be implemented as advised by your
Security Incident and Response Policy. This should cover the following areas:
•
Quarantine area, isolate unit and evidence preservation – witnessed snapshot of unit
(this should cover determining whether to power off the unit which may result in the
loss of evidence against the need to isolate any potential malware resident on the
unit)
•
Investigation
•
Reporting structure and timescales.
nShield® Security Manual 70 of 90
To Next Page
Loading...
