ITS Security Standard: Incident Response Program - Workflow 1
Potential incidents are identified using information from various sources, including but not limited to:
- Contact from affected or impacted parties
- Contact from network, system and/or application administrators
- Contact from external third parties
- User alerts and/or Service Desk requests
- Monitoring of university networks, systems and/or applications for anomalies, intrusions, and/or unusual behavior that could reasonably raise suspicious of potential compromise
Examples of incidents covered by this standard include but are not limited to:
- Breach or improper disclosure of university information
- Compromise of information integrity, e.g., damage or unauthorized modification of data
- Compromise of information availability, e.g., denial of service attack
- Theft of or damage to physical information assets
- Denial of service attack that impacts university business or services or external parties
- Misuse or abuse of university services, information or assets
- Infection of systems by unauthorized or malicious software
- Unauthorized access attempts that impact university business or services or external parties
- Unauthorized changes to university information assets
- Trigger of intrusion detection alarms beyond “normal” levels
Once identified, incidents are reported to email@example.com or other appropriate reporting methods, which triggers the incident response plan.
Assessment and Classification
Once a potential problem has been identified, the Incident Response Team will analyze the situation and attempt to confirm whether it is the result of a security incident. If yes, then the team will determine the severity of the incident and classify the incident as Critical, High, Medium or Low. Incident severity and classification is based on whether an incident poses a threat to university or external resources, stakeholders, and/or services. The determination may include, but is not limited to, the following factors:
- Does the incident involve unauthorized disclosure of high-risk or confidential information?
- Does the incident involve serious legal issues?
- Does the incident cause serious disruption to critical services?
- Does the incident involve active threats?
- How widespread is the incident?
Incidents classified as critical or of high severity are referred to the Information Security Management Team. All other incidents are handled by the Incident Response Team in accordance with established practices. Further assessment may effect a reassignment to a different level of severity by the team.
Critical: Any unexpected or unauthorized change, disclosure or interruption to information assets that could be damaging to the campus community or university reputation. Examples: A major attack against the university’s IT infrastructure; an incident with major impact on operational activities; significant loss of confidential data and/or mission-critical systems or applications.
High: Campus-wide and potentially public impact. A successful breach has occurred and/or a threat has manifested itself. There is significant risk of negative financial or public relations impact. A large number of systems or accounts are affected. A very successful attack that is difficult to control or counteract because no countermeasures, resolution procedures or bypass exist. Level 1 data may be involved.
Medium: The threat and impact is limited in scope, e.g., department-wide not campus-wide. Early indications of a possible attack or intrusion detected with minimal risk of negative financial or public relations impact. A small number of systems or accounts are affected. A nominally successful attack that is easy to control or counteract, although countermeasures may be weak. Level 2 data may be involved.
Low: An incident with no effect on system operations. Intelligence received concerning threats to which systems may be vulnerable. Penetration or denial of service attacks attempted with no impact. No critical infrastructure is affected. Solutions or countermeasures are readily available. Procedures are available and well-defined to resolve the problem. No protected information is involved.