ITS Security Standard: Incident Response Program
Brief Description:
To ensure that security incidents and policy violations are promptly reported, investigated, documented, and resolved in a manner that promptly restores operations while ensuring that evidence is maintained.
Related Policy:
- Cal Poly’s Information Security Program (ISP)
- Cal Poly’s Information Technology Resources Responsible Use Policy (RUP)
- CSU Information Security Policy - ISO Domain 16: Incident Management Policy
Introduction:
This standard outlines the workflow, roles and responsibilities, and escalation provisions with respect to identifying and handling information technology (IT) policy violations and information security incidents at Cal Poly. An accurate, complete, and consistent response is essential to ensure the protection of university information assets while complying with applicable policies and laws. Timely and relevant communication with appropriate parties is necessary to ensure the quality of the response, support legal action if necessary, and maintain public confidence. Complete, accurate documentation and subsequent debriefing are important to prevent the recurrence of similar incidents.
Scope:
All information security incidents are to be handled according to this standard and in a manner consistent with applicable laws and regulations. This standard applies to any information security incident or policy violation involving IT resources at Cal Poly, whether initiated from on- or off-campus. It applies to all university IT resources, whether centrally administered or locally administered; to all users, auxiliary organizations, third parties, visitors, or anyone else with access to Cal Poly information assets; and to personally-owned computers with access to university networks. While mainly intended to address violations of Cal Poly’s Information Security Program and Responsible Use Policy, this standard applies to any information security-related incident involving the university.
Incident Response Program:
Workflow
The incident response process consists of the following steps which are described further in this section:
- Identification
- Assessment and Classification
- Notification and Containment
- Eradication
- Documentation
- Improvement
- Communication
Escalation
Definitions
Roles and Responsibilities
- Incident Response Team, Information Security Management Team, Campus Compliance Officers (FERPA, HIPAA, PCI, ADA, etc.), Technical Staff (Network, System and Application Administrators, LAN Coordinators), Users
- Information Authority/Owner, Information Security Coordinators, Management, Employment Equity/Human Resources/Academic Personnel/Office of Student Rights and Responsibilities, University Legal Counsel, University Police, Public Affairs, Executive Management
Related Procedures and Resources:
- Incident investigation protocols and containment strategies (evidence collection, handling and storage; problem ID, remediation and mitigation strategies) [Pending]
- Policies, Standards, Guidelines and Procedures
- Federal and State Laws
- RUP Implementation and Practices, including Security Breach Notification Process
- Spam and Phishing Reporting
- Virus Reporting and Response Procedures
- DMCA Procedures: Cal Poly’s Response to Copyright Infringement Claims
- Procedures for Removing Networked Devices [pdf]
- Litigation Holds Guidelines [pdf]
Implementation
| EFFECTIVE DATE: | 11/1/2011 |
|---|---|
| REVIEW FREQUENCY: | Annual |
| RESPONSIBLE OFFICER: | Vice Provost/Chief Information Officer |
Revision History
| DATE | ACTION | PAGES |
|---|---|---|
| 5/2/2014 | Updated links and reformatted as HTML pages | All |
| 11/1/2011 | Release of initial document by ITS | All |
| 8/1/2011 | Drafted by Mary Shaffer based on incident response standards, plans and protocols from other universities | |