Subject: Information Security Incident Response
Last Reviewed 6/28/2021
Information security-related threats have become not only more sophisticated, numerous and diverse, but also more damaging and disruptive to the University. Preventative measures lessen the number and severity of threats, but cannot completely prevent them. This threat environment necessitates University preparedness to respond to incidents.
Definition of an Incident
An information security or privacy incident is a violation, or an imminent threat of violation, originating from external organizations or actors, or a violation of information security policies, acceptable use policies, or standard information security practices or controls. An incident is an event attributable to a human cause. Incidents may be intentional or malicious in nature, or the result of accident or negligence.
Examples of Incidents
An incident may take many forms, and may be electronic or non-electronic in nature. Although not an exhaustive list, common types of incidents include:
- Unauthorized access to information
- Unauthorized disclosure
- Viewing University Restricted Use or Confidential information without a bona fide need to know (browsing or snooping)
- Unauthorized modification or destruction of information
- Network attacks or unwanted disruption (denial of service, scanning, sniffing)
- Malware (viruses, worms, trojans)
- Theft or loss of equipment
- Physical intrusion or break-in
- Social engineering (e.g. phishing)
- Policy violations such as unauthorized use of user credentials, applications or systems; bypassing security controls or procedures; or violations of University Acceptable Use.
Primary Goal of Incident Response
The primary goal of incident response is to return to a secure state.
Incidents may vary in scope and sensitivity. Information regarding security incidents will be kept confidential by all parties involved. Only authorized personnel may disclose information regarding incidents.
Reporting an Incident
Prompt reporting of an actual or suspected incident is imperative in order to ensure proper investigation and containment, to meet legal or regulatory requirements, and to allow an appropriate University response.
If the incident poses any immediate danger to persons or personal health or safety, or facilities, call 911 to contact law enforcement authorities immediately.
If the incident has a low level of sensitivity, report the incident to the University Service Desk (email@example.com). If the incident has a higher level of sensitivity, report the incident to the University Information Security Office (firstname.lastname@example.org). Phishing emails can be forwarded to email@example.com.
Provide as much detail as possible, including:
- Your name and contact information, including name, phone number, email address, role, and department or unit
- Date and time the incident was discovered, and the date the incident occurred, if known
- General description of the incident, including the nature of the incident, the system that is affected, and the organization that is involved
- Scope of the incident, including systems and/or data at possible risk
- Prioritization factors, such as functional impact, availability of a workaround, or recoverability
- Actions taken since the incident was discovered.
Actions or Initial Steps for Individuals Reporting an Incident
It is important that investigative or corrective action be taken only at the direction of the Chief Information Security Officer (CISO) or specially-designated Incident Response personnel (for example, in University IT units). Depending on the nature of the incident, preserving evidence and maintaining chain of custody is of vital importance, and evidence must be collected in a manner that ensures compliance with legal requirements.
When faced with a potential situation, faculty and staff should do the following:
- If the incident involves a compromised computer or system:
  - Do not alter the state of the computer or system. The computer or system should remain on and all currently running programs left as-is (e.g., do not shut down or restart the computer).
  - Immediately disconnect the computer from the network by, as applicable, removing it from the docking station, disconnecting network cables, and disconnecting from wifi.
- For all other scenarios, report the incident and wait for a response from the Information Security Office or the IT Service Desk (in the event that the incident is of low sensitivity and was initially reported to the Service Desk).
Note: Incident responders should use caution when seizing electronic evidence devices. The improper access of data stored in electronic devices may violate provisions of Federal Law such as the Electronic Communications Privacy Act (ECPA). Additional legal process or policy may be necessary.
Categorization of Incident Severity
Upon notification of an incident, the Information Security Office will classify the incident according to the type and severity. Consideration factors may include:
- Criticality of systems
- Value of information compromised
- Number of people or functions impacted
- Business considerations
- Public relations
- Impact on the University.
| Severity | Criteria | Response |
|---|---|---|
| Low | Minimal business disruption, or compromise or loss of internal data or minimal confidential data | Work with affected teams. Notify primary stewards of the data. Report to the CIO as needed. |
| Medium | Business disruption or loss of confidential data, or threats of compromise or loss | Notify the CIO, the appropriate systems administrators, and the primary stewards of the data. |
| High | Threats to critical systems, or compromise or loss of restricted data or large volumes of confidential data | Notify the CIO. Consider activating the incident response team, or at least notifying leadership stakeholders (HR, Legal, etc.) and the stewards of the data. |
| Severe | Threats to human life and people's safety, or catastrophic loss | Call 911, report to Public Safety, or escalate immediately. |
Roles and Responsibilities
Roles and responsibilities may vary depending on the nature of the incident. The Chief Information Security Officer (CISO) will rely on individuals with expertise to collaboratively limit the impact of the incident and to increase the speed and effectiveness with which the University can recognize, analyze and respond to the incident. Depending on the nature of the incident, the CISO may form an Incident Response Team.
Individuals who may be engaged, depending on the nature of the incident, include:
- Chief Information Officer (CIO)
- General Counsel
- Risk Management
- Public Affairs
- Human Resources
- Student Services
- Campus Police
- University Compliance or Privacy Officials (e.g., FERPA, HIPAA, Finance/GLBA, Research, PCI, Disability Services)
- Information Technology personnel or teams (e.g., Network, Systems and Applications Administrators)
- Others as deemed necessary