Policies + Procedures — Information Technology — Incident Response

5.6 Incident Response

I. Purpose

The primary purpose of this policy is to establish the baseline approach and appropriate response to any Information Technology (IT) Security Incidents that may threaten the confidentiality, integrity, and availability of college Information Technology Resources. The secondary purpose of the policy is to establish the responsibility and accountability for all steps in the process of addressing and remediating any IT Security Incident.

II. Scope

This policy applies to all employees, agents, students, representatives, and authorized individuals of the college who access and use college Information Technology Resources.

III. General

Definitions

Information Technology Resource(s) – includes but is not limited to the following: computer and networking equipment, workstations, laptops, software, operating systems, storage devices and media, network accounts, email services and email accounts, Internet browsing and related services, voice mail, applications, scanning and fax systems, tablets, and smartphones.

Systems – same as Information Technology Resources.

User – faculty member, staff member, employee, agent, authorized representative, or student that has access to college Information Technology Resources.

Institutional Data - all data that is necessary to the management and operation of the college that exists in electronic, digital, printed, or other forms. This information is an asset of the college, is owned by the college, and is intended to be used solely for the operation of the college in carrying out its mission.

Identity Theft - fraud committed or attempted using the identifying information of another person without authority.

Personally Identifiable Information (PII) – any information about an individual including but not limited to education, financial transactions, medical history, criminal or employment history, and information which can be used to distinguish or trace an individual’s identity such as their first and last name, social security number, email address, date and place of birth, mother’s maiden name, biometric records, etc. including any other personal information which is linked or linkable to an individual. PII Data is classified as restricted data by the college.

IT Security Incident - the successful unauthorized access, use, disclosure, modification or destruction of data or interference with system operations in an information technology resource. Included in the definition is the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents or the compromise of physical security.

IT Reportable Incident - the unauthorized acquisition, access, use, or disclosure of unencrypted PII or other data that is classified by the college as restricted in a manner not suitable for public release, or permitted under existing law or college policy.

Table Top Exercise – an exercise in which realistic scenarios are presented in a low-stress environment where plans are developed for responding to an unfolding situation.

General Policy Statements

This policy outlines the guidelines to be followed for the protection of college Information Technology Resources, the applicable laws to which the college adheres in the event that an IT Reportable Incident occurs and the responsibilities of each member of the Incident Response Team.

In order to facilitate the accurate and productive response to IT Incidents, all IT Incidents will be classified for severity when initially reported. As an IT Incident progresses, its classification may be reevaluated and changed as necessary to ensure proper handling and remediation.

Unsolicited PII from a student or parent transmitted through an unsecured manner is not considered an IT Reportable Incident.

Required Policy Actions

All Users are required to report immediately to the college Information Technology Security Officer any suspected or actual IT Security Incident. This includes:

any unauthorized access to college Information Technology Resources, or,
any attempt to compromise, alter, negatively impact, or destroy college Institutional Data or
Information Technology Resources, or,
any unauthorized interception, monitoring or disabling of electronic communications, or,
any suspected or actual weaknesses in the existing safeguards protecting the college Information Technology Resources or Institutional Data.

Any User who becomes aware of an Information Security Incident should disconnect the compromised system and equipment from the college network or can contact the ITS Help Desk to have it disconnected or communications disabled. The compromised system cannot be reconnected to the college computing infrastructure until such time that the Incident Response Team has concluded its investigation and authorizes the activity.

The Incident Response Team:

is responsible for investigating suspected or actual IT Security Incidents or IT Reportable Incidents in a timely, cost-effective manner, and documenting and reporting the findings to college leadership.
will invoke the process and procedures as defined in the IT Incident Response Procedures when an IT Security Incident or IT Reportable Incident is reported.
Is authorized to take any appropriate steps deemed necessary to contain, mitigate or resolve any suspected IT Security Incident or IT Reportable Incident is reported.
will conduct periodic table top exercises and the results of the exercises will be documented.

Any device not owned and/or authorized by the college which is using the college Information Technology Resources and is found to be the target, source or participant to an IT Incident may be subject to immediate suspension of services without notice until the threat has been remediated or the device in no longer deemed a threat.

During the course of the investigation of an IT Incident if it is determined that unencrypted PII or restricted data may have been compromised or leaked or that unauthorized access was obtained to any college Information Technology Resources, law enforcement officials and regulatory authorities will be notified.

Regulatory Notifications and Internal Reporting Requirements

The required regulatory and legal requirements will be adhered to for any IT Reportable Incident. The reporting requirements are detailed in the Information Technology Incident Response Procedures.

The Incident Response Team will invoke the internal escalated paths as defined in the Information Technology Incident Response Procedures.

Incident Response Team Responsibility Matrix

Team Member	Role
IT Security Officer	Primary contact for all IT Security Incidents and responsible for invoking IT Incident Response Procedures. Prioritizes actions during the detection, analysis, containment, and documentation of an incident. Logs and track the progress of the incident until fully resolved
Director – Systems	Works with the appropriate parties to determine the extent of the potential breach, identify data stored and compromised on all systems, and the number of individuals type of personal information at risk. Reviews event logs for correlating evidence of unauthorized access. Preserves all audit logs, forensic evidence, and chain of custody for law enforcement and potential investigations
Director – Network and Infrastructure Services	Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks. Implements appropriate counter measures to block network access and penetration from suspected intruder. Contacts Internet Service Provider’s (ISP) for any required assistance. Reviews event logs for correlating evidence of unauthorized access. Preserves all audit logs, forensic evidence, and chain of custody for law enforcement and potential investigations
Registrar	Primary contact for any incident that may negatively impact the confidentiality, integrity, and availability of student data.
Provost	Determines if any disciplinary action needs to occur if the root cause of an IT Security Incident was directly attributable to the actions of a student or faculty member.
Director – Financial Aid	Primary contact for any incident that may negatively impact the confidentiality, integrity, and availability of student financial aid data.
Executive Director – Human Resources	Primary contact for any incident that may negatively impact the confidentiality, integrity, and availability of faculty and staff data. Determines if any disciplinary action needs to occur if the root cause of any incident was directly attributable to the actions of a staff member.
Executive Director – Marketing and Public Relations	Primary contact for any communication and interaction with the students, alumni, public, and all media outlets.
Controller	Primary contact for any incident that may negatively impact the confidentiality, integrity, and availability of the college’s financial data and/or systems.
Executive Director – Security and Safety	Primary contact for communication and escalation path with local and federal law enforcement officials.

Risk Classification Matrix

Level	Classification (derived from FIPS 199 Standard)	Characteristics	Incident Response Team Activation
Critical	The unauthorized disclosure, modification, destruction, or access to information could be expected to have a severe or catastrophic adverse effect on operations, assets, or individuals.	Any unexpected or unauthorized change, disclosure or interruption to information assets that could be damaging to the campus community or the college’s reputation The event creates an adverse impact to the delivery of core enterprise systems, service delivery, or operations. Confirmed unauthorized access to mission critical systems or applications. Confirmed unauthorized access, loss, alteration, or destruction of unencrypted restricted data. Significant financial risk, legal liability, and negative impact to the college’s reputation is highly probable.	Immediate
High	The unauthorized disclosure, modification, destruction, or access to information could be expected to have a serious or adverse effect on operations, assets, or individuals.	A successful attack that is difficult to control or counteract because no countermeasures, resolution procedures or bypass exist. A confirmed and successful IT Security Incident has occurred. The leakage of unencrypted restricted data from the environment has not occurred but is possible without containment. Accounts have been compromised with elevated privileges to enterprise resources, ERP or LMS systems, or restricted data. Significant financial risk, legal liability, and negative impact to the college’s reputation is possible.	Immediate
Medium	The unauthorized disclosure, modification, destruction, or access to information could be expected to have limited adverse effect on operations, assets, or individuals.	The threat impact is limited in scope, easy to control and counteract. Compromise of an account with no elevated privileges. Compromise of a device due to malware infection. Intrusion attempt is attempted and alerts generated. Financial risk, legal liability, and negative impact to the college’s reputation is highly unlikely.	None
Low	Occurrences of minor focus that are deemed inconsequential with no negative effect on system operations.	There is no impact or negative impact on operations. Penetration or denial of service attacks attempted with no impact. Solutions or countermeasures are readily available to resolve the event. Malware is detected on a system but is quarantined.	None

IV. Procedures

none

V. Approval

President – May 3, 2019

VI. Responsibility

IT Security Office & Associate Vice President, Technology & Innovation