ITS Security Standard: Incident Response Program - Escalation
Escalation
While isolated incidents may be resolved with minimal involvement outside the initial response team, some incidents may require escalation to notify appropriate entities, to obtain investigative information or assistance, and/or to ensure an appropriate public response by the university. Four escalation levels are outlined in this standard:
- Initial
- Unit Level
- University Level
- External
Initial and unit level escalation may be undertaken by the Incident Response Team as the case indicates; university level and external escalation are at the discretion and delegation of the Information Security Management Team.
Escalation - Initial
Initial escalation may be necessary when an incident has the potential to affect network services or other conditions on a limited but not isolated scale. Entities involved in the initial escalation may include, but are not limited to
- ITS Service Desk
- Affected ITS group(s), e.g., Network Administration, Collaboration Support, Central Systems, etc.
- Affected group(s) outside ITS, e.g., ResNET, ANTS, etc.
- System Administrator, and/or Application Manager
- User
Escalation - Unit Level
Unit level escalation may be necessary when an incident has the potential to affect network services, high risk and/or confidential data, university business services or other conditions university-wide. Unit level escalation may also be necessary in the event of a refusal or official non-compliance with recommended eradication methods.
Entities involved in unit level escalation may include, but are not limited to:
- Information Authority/Owner
- Campus Compliance Officer
- Information Security Management Team
- Information Security Coordinator
- Other management within the affected units
Escalation - University Level
University level escalation is at the discretion or delegation of the Information Security Management Team. Entities involved in unit level escalation may include, but are not limited to:
- University Legal Counsel
- before contacting law enforcement
- if a breach of contract has occurred
- if a warrant or other valid legal request has been received
- to authorize a litigation hold or other investigation
- Public Affairs
- if a security breach notification is required
- if a case is likely to affect public confidence
- before responding to media-initiated contact
- University Police
- if physical safety is threatened
- if university property has been stolen
- if investigation reveals evidence of a crime
- if external law enforcement needs to be contacted
- if investigators need information or record retention that requires a warrant to obtain
- Executive Management
- if a case is likely to affect public safety, enterprise services, and/or public confidence
- if a security breach notification is required
- CSU Chancellor’s Office
- if a security breach notification is required
- if a breach of Level 1 or Level 2 data has occurred
Escalation - External
External escalation is at the discretion or delegation of the Information Security Management Team. External entities which may be involved and examples of when those entities may be contacted include but are not limited to:
- Internet Service Providers
- to report abuses and provide evidence (e.g., logs) for incidents originating off-campus
- to obtain transaction records or other evidence
- Telecommunication Carriers
- to obtain call records or other evidence
- Third party providers or contractors
- to report, verify and coordinate incident response activities
- to obtain transaction records or other evidence
- Local, state of federal law enforcement agencies
- to report criminal activity
- to obtain search warrants or other assistance
- to obtain other assistance
