Incident Response Policy


POLICY:

Information Security incidents occurring on the University network or attached devices will be managed centrally by the University Information Security Officer (ISO) and will include other campus resources as determined by the ISO.

Rationale:

Centralized notification and control of security incident investigation is necessary to ensure that immediate attention and appropriate resources are applied to control, eliminate, and determine the root cause of events that could potentially disrupt the operation of the University or compromise University data or sensitive information.

Standards & Procedures:

Standards:

Computer Security Incident Response Team (CSIRT). The ISO, with the advice and assistance of college and departmental IT representatives, will have the capability to establish a CSIRT to respond to security incidents.

Campus-wide Outage. A campus-wide outage is a fault, event, or other unforeseen issue causing failures to all or large portions of the campus communication and computing infrastructure, services, and devices, or to key communication and computing resources, such as a DNS failure or a loss of campus Internet access. This type of incident would be treated as a Critical Incident.

Incident Types. An incident is defined as an adverse event in an information system and/or network device, or the threat of the occurrence of such an event. Events may be characterized as unauthorized use of another's user account, unauthorized use of system privileges, or execution of malicious code. Events characterized as environmental (such as natural disasters, electrical outages, heat damage) are not within the scope of this policy. The most identifiable types of event are:

Malicious code attacks: Attacks by programs such as viruses, Trojan horse programs, worms, and scripts to gain privileges, capture passwords, and/or modify audit logs to hide unauthorized activity.

Unauthorized access: Includes unauthorized users logging into a legitimate account, unauthorized access to files and directories, or operation of "sniffer" devices.

Disruption of services: Includes erasing of programs or data, mail spamming, denial of service attacks, or altering system functionality.

Misuse: Involves the utilization of computer resources for other than official purposes.

Espionage: Stealing information to subvert the interests of a corporation or government entity.

Hoaxes: Generally an email warning of a non-existent virus.

Incident Severity. Incidents will be classified by the ISO based on the perceived impact on University resources:

Critical: Severe risk to the University network and/or external systems over the Internet. May be characterized by widespread risk of compromise of multiple systems or high risk of compromising sensitive information. Criteria for determining if an incident is critical include but are not limited to: health and safety of personnel, legal issues, and possible harm to the University's reputation.

Medium: Medium risk to the University network and low risk to external systems over the Internet. May be characterized by risk of compromising more than one system, no risk to sensitive data, or isolation to a single system.

Low: Low risk to the University network and no risk to external systems over the Internet. May be characterized by compromise of a system that does not host or process critical/sensitive information and does not pose a risk to other systems or types of devices.

Procedures:

Compromised System Procedure

Computer Security Incident Response Team Procedure

Revisions:

Approval Date(s):

Reviewed by IST
Reviewed by Information Security Subcommittee
Reviewed by ISAT Senate Committee
Approved by: University Administrative Council
Approved on: 3/8/06
Version number: 1.0.0
Effective Date:
3/8/06


SUMMARY OF CHANGES/ADDITIONS/DELETIONS