9. Security Incident Response Mgt

Report

INTERNAL AUDIT REPORT



Information Technology Audit
Security Incident Response Management (ICT and Aviation
Maintenance)
January 2021 – July 2022
Issue Date: August 11, 2022 
Report No. 2022-09

         Security Incident Response Management (ICT and Aviation Maintenance)
TABLE OF CONTENTS 

Executive Summary ................................................................................................................................................. 3 
Background ............................................................................................................................................................. 4 
Audit Scope and Methodology ............................................................................................................................... 6 
Appendix A: Risk Ratings ......................................................................................................................................... 7 
Appendix B: Center for Internet Security (CIS) Controls ........................................................................................ 8 















2

         Security Incident Response Management (ICT and Aviation Maintenance)
Executive Summary
Internal Audit completed an Information Technology audit of the security incident response management
processes for the period January 2021 through July 2022. This audit was performed to evaluate the
adequacy of internal controls related to the processes for developing and maintaining an incident
response capability to prepare, detect, and quickly respond to an attack. The scope of this audit covered
the Enterprise network; managed by the Port of Seattle’s (Port’s) Information and Communication
Technology (ICT) department, and the Access Control System (ACS) network, Industrial Control System
(ICS) network, and OpsLan network; managed by the Port’s Aviation Maintenance (AV/M) department.
Security Incident Response is part of the 18 critical Center for Internet Security (CIS) controls1. The CIS
security controls are a prioritized set of best practices created to protect organizations and data from
cyber-attack vectors. By adopting these controls, organizations can quickly detect the majority of cyberattacks.
A comprehensive cybersecurity program includes protections, detections, response, and
recovery capabilities. The primary goal of incident response is to identify threats on the enterprise,
respond to them before they can spread, and remediate them before they can cause harm2.
Computer security incident response has become an important component of Information Technology
(IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse, but
also more damaging and destructive. An incident response capability is therefore necessary for rapidly
detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and
restoring IT services.
Incident response capability supports responding to incidents systematically so that the appropriate
actions are taken. Additionally, information gained during incident handling can be used to better prepare
for handling future incidents and to provide stronger protection for systems and data.
Our audit focused on the overall design and effectiveness of the security incident process to assure the
protection of critical information and systems.
Based on the results of our audit, we concluded that the security incident response processes
for the Enterprise network and the OpsLan, ACS, and ICS networks, are operating effectively.
During the course of our audit, Internal Audit identified some opportunities for improvement in the
security incident response management processes which were immediately addressed by management
upon being notified.
We would like to thank management and staff of Information and Communication Technology,
Information Security, and Aviation Maintenance, for their cooperation and responsiveness to our
requests during the audit.


Glenn Fernandes, CPA
Director, Internal Audit
Responsible Management Team 
Matt Breed, Chief Information Officer
Ron Jimerson, Chief Information Security Officer
Mike Tasker, Director, Aviation Maintenance

1 See Appendix B – Center for Internet Security (CIS) Controls. 
2 See https://learn.cisecurity.org/cis-controls-download 
3

         Security Incident Response Management (ICT and Aviation Maintenance)
Background
The Port of Seattle (Port) is a municipal corporation of the State of Washington, organized on September
5, 1911, under the State statute RCW 53.04.010. The Port is composed of three operating divisions,
namely, Aviation, Maritime, and Economic Development, and employs approximately 2,000 employees.
The Port owns and operates assets, including Seattle-Tacoma International Airport (SEA), conference
facilities, fishing and recreational boating marinas, industrial properties, and cruise ship terminals. This
Information Technology audit included the following departments in its scope:
Information and Communication Technology (ICT) delivers and supports a wide variety of
technology solutions to enable Port objectives.
The Information Security Department is integrated with ICT, Maritime, and Aviation Maintenance.
The department provides strategies, operations, and controls for protecting the Port’s information
systems and sensitive data, while increasing business resiliency.
Aviation Maintenance (AV/M) provides services to support the operations of SEA, its tenants, and
guests. Within AV/M, in the Aviation Electrical & Electronic Systems team, the 44 Electronic
Technicians (ETs) provide support and maintenance of custom and off-the-shelf operational
applications to the airport’s business units.
According to the Center for Internet Security (CIS) controls, a comprehensive cybersecurity program
includes protections, detections, response, and recovery capabilities. The primary goal of incident
response is to identify threats on the enterprise, respond to them before they can spread, and remediate
them before they can cause harm. When an incident occurs, if an enterprise does not have a
documented plan; it is almost impossible to know the right investigative procedures, reporting, data
collection, management responsibility, legal protocols, and communications strategy that will allow the
enterprise to successfully understand, manage, and recover.
As per the National Institute of Standards and Technology (NIST) Computer Security Incident Handling
Guide3, an event is “any observable occurrence in a system or network”, while a computer security
incident is “a violation or imminent threat of violation of computer security policies, acceptable use
policies, or standard security practices”.
The incident response lifecycle (Figure 1), consists of four phases:
 Preparation: Establishing an incident response capability so the organization is ready to
respond to incidents, but also preventing incidents by ensuring that systems, networks, and
applications, are sufficiently secure.
 Detection and Analysis: Determining whether an incident has occurred and, if so, the type,
extent, and magnitude of the problem.
 Containment, Eradication, and Recovery:
a.  Containment - provides time for developing a tailored remediation strategy. An essential
part of containment is decision-making (e.g., shut down a system, disconnect it from a
network, or disable certain functions).
b.  Eradication - may be necessary to eliminate components of the incident, such as deleting
malware and disabling breached user accounts.
c.  Recovery - restore systems to normal operation, confirm that the systems are functioning
normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
Recovery may involve such actions as restoring systems from clean backups, and
rebuilding systems from scratch.
3 https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800‐61r2.pdf 

4

         Security Incident Response Management (ICT and Aviation Maintenance)
 Post-Incident Activity: Learning from the incident by reviewing what happened and how staff
and management performed in dealing with the incident. Lessons learned meetings improve
future responses; a post-mortem analysis of the way an incident was handled can expose
missing steps or inaccuracies in procedures. The reports gathered from these meetings provide
a reference when handling similar events in the future.

Figure 1 – Source: NIST800-61 Rev 2 Computer Security Incident Handling Guide







The CIS controls for Incident Response Management, apply to the Port in the following manner:
1)  Designate Personnel to Manage Incident Handling–one official has been designated as the
key resource to manage incident handling, and one as their backup, under both the Enterprise
and AV/M environments.
2)  Establish and Maintain Contact Information for Reporting Security Incidents–a RACI
(Responsible, Accountable, Consulted, and Informed) Chart has been developed to maintain the
contact information for reporting security incidents. 
3)  Establish and Maintain an Enterprise Process for Reporting Incidents–FreshService, a
ticketing system, is utilized to report, manage, and document security incidents for both ICT and
AV/M environments. AV/M initially tracks their incidents on Maximo (Asset Management
Software) but also informs InfoSec who then also tracks those incidents on FreshService.
4)  Establish and Maintain an Incident Response Process–the Port’s Information Security
department is responsible for managing incident response activities, including incorporating
other Port staff as necessary, based on the nature of the incident.
5)  Assign Key Roles and Responsibilities–key roles and responsibilities have been assigned as
documented in the Port’s Cyber Incident Response Standard Operating Procedures (SOP).
6)  Define Mechanisms for Communicating During Incident Response–mechanisms used for
communicating have been documented in the Cyber Incident Response SOP.
7)  Conduct Routine Incident Response Exercises–routine tabletop exercises are performed by
InfoSec and ICT, with top executives and key leadership stakeholders. AV/M also participates in
these exercises.
8)  Conduct Post-Incident Reviews–lessons learned, and post incident reviews are performed for
major incidents to help improve the response effort.
5

         Security Incident Response Management (ICT and Aviation Maintenance)
Audit Scope and Methodology
Internal Audit conducted this Information Technology audit in accordance with Generally Accepted
Government Auditing Standards (GAGAS) and the International Standards for the Professional Practice
of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
To achieve the audit objective, Internal Audit used a detailed audit program based on the Center for
Internet Security controls. Internal Audit used judgmental sampling methods to determine the samples
selected for our audit test work. The results of this work cannot be projected to the population as a
whole.
Multiple methodologies were applied to gather and analyze information pertinent to the objective and
scope of this audit. The period audited was January 2021 through July 2022. The audit covered polices,
processes, and mechanisms in place at the time of the audit. The audit included a review of security
incident response processes for the Port’s Enterprise network, Access Control System (ACS), Industrial
Control System (ICS), and OpsLan networks, and included the following procedures:
Policies and Procedures Review
 Reviewed and assessed policies and procedures related to security incident response
management.
 Interviewed personnel to assure knowledge of, and compliance with policies and procedures.
 Reviewed the Cyber Incident Response SOP to verify that roles/responsibilities were defined
and aligned with the incident management roles on identifying and determining if an incident had
occurred.
 Assessed whether the design of the policies and processes were adequate to address the
prevention and detection of cybersecurity threats and reduce the risk of service disruption, and
data loss. 
Process Walkthroughs
 Performed walkthroughs of security incident response management processes with the following
personnel to gain an understanding of the processes and related internal controls:
 Manager, Information Security
 Director, ICT Infrastructure Services
 Electronic Technician (ET) Foreman, Aviation Maintenance
Testing
 Performed testing and review of evidence to determine whether annual reviews were performed
for existing processes.
 Performed a review of evidence collected to determine the design and operating effectiveness
of the controls being tested, including examples of FreshService tickets and a judgmental sample
selection of the Incident Response Timeline Tracking (IRTT) document for Security Incidents,
RACI Chart, ICT Priority Response Chart, tabletop exercise presentation materials, etc.
 Reviewed examples of communication that occurred between the responsible officials, upon
being notified of an Incident.


6

         Security Incident Response Management (ICT and Aviation Maintenance)
Appendix A: Risk Ratings
Findings identified during the audit are assigned a risk rating, as outlined in the table below. Only one
of the criteria needs to be met for a finding to be rated High, Medium, or Low. Findings rated Low will
be evaluated and may or may not be reflected in the final report.

Financial     Internal                                             Commission/
Rating                                 Compliance      Public
Stewardship  Controls                                       Management
High probability
Non-compliance
for external audit    Requires
Missing or not   with Laws, Port
High      Significant                                  issues and / or     immediate
followed         Policies,
negative public     attention
Contracts
perception
Moderate
Partial
Partial controls                        probability for
compliance with
external audit       Requires
Medium  Moderate    Not functioning  Laws, Port
issues and / or      attention
effectively        Policies,
negative public
Contracts
perception
Low probability
Functioning as   Mostly complies                       Does not
for external audit
intended but     with Laws, Port                        require
Low     Minimal                              issues and/or
could be        Policies,                             immediate
negative public
enhanced      Contracts                        attention
perception










7

         Security Incident Response Management (ICT and Aviation Maintenance)
Appendix B: Center for Internet Security (CIS) Controls
The Center for Internet Security (CIS) Controls are a recommended set of actions for cyber defense that
provide specific and actionable ways to block or mitigate known attacks. Below is a list of the 18 CIS
Controls, Version 8.0 which was launched by CIS on May 18th, 2021:

1. Inventory & Control of           7. Continuous Vulnerability            13. Network Monitoring & 
Enterprise Assets                      Management                            Defense 

2. Inventory & Control of            8. Audit Log Management              14. Security Awareness & 
Software Assets                                                           Skills Training 

3. Data Protection               9. Email & Web Browser                 15. Service Provider 
Protections                          Management 

4. Secure Configuration of              10. Malware Defenses                16. Application Software 
Enterprise Assets                                                              Security 

5. Account Management              11. Data Recovery                17. Incident Response 
Management 

6. Access Control                 12. Network Infrastructure              18. Penetration Testing 
Management                    Management 







8



Limitations of Translatable Documents

PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.