Information Technology Standard 05.1.0

IT Security Incident Handling Standard


Date of Current Revision or Creation: October 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with 圖朸厙 Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to provide guidance on the management, notification, and investigation of IT security incidents at 圖朸厙.

Definitions

Information Security Officer (ISO) - The 圖朸厙 employee, appointed by the President or designee, who is responsible for developing and managing 圖朸厙's information technology (IT) security program.

Security Incident Handling Requirements identify the steps necessary to respond to suspected or known breaches to IT security safeguards.

Security Incident Response Team is a designated group of information technology professionals with the responsibility and authority for responding to information security incident reports.

Standards Statement

圖朸厙's Security Incident Response Team has the overall responsibility and authority for managing all reported security incidents.

The ISO should be notified of all computer and network security incidents that may affect the confidentiality, availability and/or integrity of the information technology resources at 圖朸厙.

Incident Classification

Security incidents will be classified according to incident categories and severity of incident in order to determine the appropriate response. A security incident classification scheme will be maintained by the Information Security Officer or designee to describe security events and support incident tracking over time.

Incident Reporting and Detection

All members of the University community are responsible for promptly reporting suspected or known security incidents, including an observed or suspected security weakness in university systems.

In addition to reports from the University community, irregular events may be detected that indicate potential security incidents. Detection is a collaborative effort among university and departmental operational staff, IT support, and information security personnel. Controls to deter and defend against cyber-attacks should be identified to best minimize loss or theft of information and disruption of services. Proactive measures based on cyber-attack history and industry data should be used to defend against new forms of cyber-attacks.

When receiving a report of a suspected or confirmed security incident, the ISO or Security Incident Response Team will gather as much of the following information as possible:

  • Name, affiliation, e-mail address, and phone number of people reporting the incident
  • Description of the suspected security incident
  • Information to help identify the source of the suspicious activity, like an IP address or an e-mail message with full headers
  • Date(s) and time(s) of the suspicious activity
  • Evidence of suspicious activity

In addition to documenting the initial report, the ISO or Security Incident Response Team will document the incident, initiate appropriate incident handling procedures, communicate with and provide feedback about the results to appropriate stakeholder once the incident has been handled and closed.

圖朸厙 has established procedures for IT security incident investigation, preservation of evidence, and forensic analysis. When a security incident involves legal action against a person or organization, or a personnel action against an employee, evidence must be collected, preserved, and presented to conform to the rules for evidence specified in the relevant jurisdiction(s).

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

March 2012

ITAC/CIO

Rewritten

December 2012

IT Policy Office

Link updated

August 2013

IT Policy Office

Departmental name updated

August 2015 IT Policy Office/ISO Three year review; updated links and definitions.
December 2018 IT Policy Office Definitions and links checked
October 2021 CISO Minor edits for clarification