Policies and Procedures Manual 2025-2026

3.2.17 IT Incident Response

Purpose

The purpose of this policy is to clearly define IT roles and responsibilities for the investigation of, and response to, computer security incidents and Data Breaches.

Applicability 

This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access Data as well as all personnel including employees, students, temporary workers, contractors, those employed by contracted entities and others authorized to access enterprise assets and information resources. 

Definitions

Computer Security Incident Response Team (CSIRT)

A function of the Information Security Office responsible for receiving, reviewing and coordinating the response to computer security incident reports and activity involving Piedmont University Data and/or Information Systems.

Data Breach

Unauthorized access, acquisition, use or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a privacy investigation and risk assessment.
 
Incident

An event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of Piedmont University data or information systems; or a real or suspected action, inconsistent with Privacy or Acceptable Use policies.
 
Information System

An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, SIS, the ERP, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.
 
Piedmont University Data

Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

Policy Statement

  1. The Computer Security Incident Response Team (CSIRT) detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
  2. The CSIRT directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The CSIRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
  3. During the conduct of security incident investigations, the CSIRT is authorized to monitor relevant OITS resources and retrieve communications and other relevant records of specific users of IT resources, including login session data and the content of individual communications without notice or further approval.
    1. Any external disclosure of information regarding information security incidents must be reviewed and approved by the CIO in consultation with the Office of General Counsel, University Communications, and other university stakeholders as appropriate.
    2. The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share with these organizations external threat and incident information that does not identify any member of the Piedmont University Constituency.

Incident Response Procedures

  1. High Severity Incidents – IT security incidents which involve a confirmed or suspected restricted data breach or have more than a minor impact on operations. High severity incidents require the activation of IT ISO-CSIRT’s Incident Response procedures.
  2. Evaluate severity level. Any security incident involving an information system used to store, transmit or process Restricted Data or a security incident that results in degraded performance of an IT asset, which represents more than a minor impact on operations, is considered a high-severity incident. High-severity incidents should be reported immediately.
  3. Report high-severity incidents to the Information Security Office by sending email to ithelpdesk@piedmont.edu or calling 706.894.4205. Include a brief description of the incident and who should be contacted for more information. See “How to Report a Security Incident” below for specific contact details.
  4. Protect the evidence
    • Do not access (logon) or alter the affected IT asset
    • Do not power off or logoff the affected IT asset
    • Unplug the network cable from the affected IT asset, network port or wall-jack
    • Physically label the IT asset, directing others to not touch or use the IT asset
    • Document the following, providing as much specificity as possible:
      • When and how the incident was detected
      • What actions have been taken so far; include the date/time, location, person(s) involved and actions taken for each step
      • The type of data the affected IT asset is used to store, transmit or process
    • Anticipate that the Computer Security Incident Response Team (CSIRT) will collect all related system or service logs and ancillary electronic evidence
    • Be prepared to assist the CSIRT as they investigate the incident
  5. All reported high-severity security events and/or incidents shall be promptly investigated and documented by the Computer Security Incident Response Team (CSIRT) in accordance with the Information Security Incident Response Plan. The CSIRT is authorized to direct all incident response activities, including, when necessary, the containment and remediation tasks needed to protect IT resources.
  6. Restricted Data – Restricted Data is formally defined in the Data Classification, Retention, Handling and Destruction Policy. For the purpose of this Incident Response Plan, Restricted Data is data that is subject to specific protections under federal or state law or regulations, or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, driver’s licenses, non-directory student records and export-controlled technical data.

Incident Response Team

  • The Computer Security Incident Response Team (CSIRT) is established and managed under the direction of the Chief Information Officer (CIO). The mission of the CSIRT is to provide an immediate, effective, and skillful response to any unexpected incident with information security implications.
  • The CSIRT is expected to follow the Incident Response Plan and is authorized to take appropriate action necessary to contain, investigate and remediate a security incident.
  • The Computer Security Incident Response Team (CSIRT) will be convened as necessary by the CSIRT Coordinator, based on the incident scope and severity.

CSIRT membership includes:

  • CSIRT Coordinator – the individual, versed in the Incident Response Plan, who is designated as responsible for implementing the plan, activating team members as necessary, coordinating communications, and keeping leadership informed of developments as necessary and appropriate.
  • Privacy Officer – during an active incident response, the functional role of the Privacy Officer is to determine whether data protected by regulation may be involved. If protected information is not involved, the Privacy Officer has no further responsibilities to the CSIRT. If protected information is involved, then the Privacy Officer is also responsible for any applicable post-incident data breach notifications.
  • General Counsel – should be consulted in cases involving alleged criminal activity, investigations focusing on an individual, or any incident requiring legal interpretation. General Counsel is responsible for determining whether a security incident meets the threshold of a reportable cyber liability insurance incident.
  • Marketing – will coordinate all public communication and information sharing about a specific incident with the community and public as needed. Marketing may further delegate responsibility to specific individuals or CSIRT members for specific media inquiries or statements.
  • Human Resources – assists in coordinating investigations of employees who may be affected by a security incident either as victims or having alleged involvement in the incident.
  • Computing Help Desk – in many cases, serves as the initial point of contact for faculty, staff or students for information about the effect a security incident may have on IT related services.
  • University Police Department – should be involved with incidents that may have criminal consequences, only after consultation with the Office of General Counsel.
  • Other Law Enforcement Agencies – when an incident involves criminal activity by malicious actors outside the university’s domain, it may be necessary to include law enforcement (e.g., the FBI) in the incident response, only after consultation with the Office of General Counsel.
  • Subject Matter Experts (SME) – individuals with specific needed skillsets or those familiar with the applicable computing environment, who have the knowledge and access necessary to make any required changes to the systems or network.
  • Self-Insurance Program (SIP) – upon General Counsel’s determination that a security incident meets the threshold of a reportable cyber liability insurance incident, the SIP facilitates incident reporting to the carrier’s designated breach response contacts and manages the filing of a claim with the carrier if it becomes necessary. The SIP coordinates response actions between the insurance carrier’s breach response team and the CSIRT Incident Manager.
  • Third-Party Assistance – sources of help, such as external security experts, ISACs, etc. may be utilized as desired or appropriate. At the discretion of the CIO, and with input from the CISO and CSIRT Coordinator, third-party computer security incident response teams may be engaged in response to a security incident.

Reporting an Incident

The IT Information Security Office responds to and investigates information security incidents related to misuse or abuse of university information and information technology resources. An information security incident is defined as an event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of University of Florida data or information systems; or a real or suspected action, inconsistent with Piedmont University Privacy or Acceptable Use policies.

Information security incidents can be reported to the IT Information Security Office by sending an email to ithelpdesk@piedmont.edu or calling 706.894.4205.

Please be sure to follow the Incident Response Procedures – First Steps when responding to incidents.

For more information about security incident management at Piedmont University see IT Security Incident Response Policy and Procedures.

  1. Reporting HIPAA violations or the exposure of restricted data

HIPAA violations or the potential unauthorized exposure of Restricted Data, such as Protected Health Information (PHI) or Personal Identification Information (PII), must be reported to privacy@piedmont.edu.

  2. Reporting spam, phishing, or email abuse

 

Appendix A – Revision Table

 

Document Owner: LaMica Justice, Chief Information Officer

Document History

Rev #   Name             Date        Description       Signature
1.0     LaMica Justice   7/15/2025   Initial draft     Electronically signed
1.1                                  Initial release