ITS Security Standard: Incident Response Program - Roles and Responsibilities

Incident Response Team

  • Membership will vary depending on the nature of the incident but at minimum will include members of the IT Policy/Abuse Team and the Information Security Office as needed
  • Coordinates incident response activities, involving others as needed
  • Receives complaints sent to abuse@calpoly.edu
  • Creates, updates, maintains and resolves confidential tickets to document each incident
  • Requests additional information if necessary
  • Determines the nature, scope and severity of the incident
  • Blocks and restores network access or authorizes others to do so as appropriate
  • Identifies the potential source of the problem and the responsible university entity or user
  • Notifies the responsible entity or user and consults with them on actions to be taken
  • Monitors progress of the investigation
  • Escalates incidents as appropriate
  • Facilitates communications
  • Creates summary reports for management
  • Conducts lessons learned to determine if any changes are required
  • Provides training to campus staff involved in incident response

Information Security Management Team

  • Coordinates Incident Response Team assignment and ensures it has the necessary resources
  • Coordinates investigation, assessment, tracking, resolution and reporting of security incidents classified as Critical or High, including evidence collection and preservation
  • Determines if a reportable security breach occurred and enacts security breach protocol
  • Determines if a university production service should be taken offline until incident resolution after consultation with appropriate campus entities if possible
  • Determines if an incident may result in media inquiries or legal action and escalates to Public Affairs, University Legal Counsel and/or University Police if appropriate
  • Keeps executive management informed as appropriate
  • Reviews and analyzes summary reports to identify trends and lessons learned

Campus Compliance Officers (FERPA, HIPAA, PCI, ADA, etc.)

  • Participates in the Incident Response Team for incidents involving a compliance issue
  • Investigates, documents and reports violations in accordance with established practices
  • Coordinates required notifications in accordance with established practices
  • Makes recommendations to prevent similar incidents and/or improve the response process
  • Advises management on applicable policies and procedures, including potential sanctions
  • Participates in lessons learned as requested

Technical Staff (Network, System and Application Administrators, LAN Coordinators)

  • Monitors networks, systems and/or applications for anomalies, intrusions, and/or unexpected events or unusual behavior that could reasonably raise suspicion of potential compromise
  • Reports potential violations to abuse@calpoly.edu
  • Assists in investigating incidents involving networks, systems and applications under their control
  • Collects and preserves evidence and provides support as needed throughout the investigation
  • Documents any breaches, especially those involving high-risk or confidential data
  • Conducts forensic investigations as required or appropriate
  • Works to contain, remediate, resolve and document security incidents
  • Identifies root cause, including responsible individual, if possible
  • Documents findings and actions taken and reports back to the Incident Response Team
  • Participates in lessons learned as requested
  • Makes recommendations to prevent similar incidents and/or improve the response process

Users

  • Reports suspected violations to abuse@calpoly.edu
  • Follows instructions from the Incident Response Team to preserve evidence, prevent further damage, and/or to otherwise aid the investigation as directed
  • Users whose actions result in an incident may be subject to disciplinary action and may be required to review policies or undergo training

It is the responsibility of all Cal Poly faculty, staff, students and affiliates to report potential incidents, IT policy violations and breaches of university information security to abuse@calpoly.edu.
