ITS Security Standard: Incident Response Program - Workflow 2
Notification and Containment
Once an incident has been positively identified, the Incident Response Team will work with appropriate personnel to isolate the affected equipment, including blocking its network access, in order to prevent secondary threats, attacks on other internal systems, and potential legal liability.
A compromised system or account that is actively causing widespread problems or affecting non-Cal Poly networks or computers will be blocked from the network immediately, following established practices. Other immediate actions may include removal from service and/or forensic analysis, if appropriate, using established protocols. The Incident Response Team may recommend containment measures beyond those outlined in the related procedures for this standard.
Depending on the nature of the incident, the Incident Response Team may be required to work with law enforcement. If served with a warrant or subpoena for information related to security incidents, the Incident Response Team will consult with University Legal Counsel to ensure compliance with federal and state regulations and applicable CSU policies and practices.
Some incidents require notification of affected parties or individuals under contractual commitments or in accordance with applicable laws and regulations. Notification may not be required in incidents in which the university can reasonably conclude that disclosure or misuse of the compromised information is unlikely, and appropriate measures are taken to safeguard the interests of affected parties.
Using established practices, Cal Poly will comply with federal and state requirements to notify any individual whose unencrypted personal information has been or is reasonably believed to have been disclosed by the university to an unauthorized person.
Copies of security breach notifications sent to affected individuals will be posted on the Information Security website. Beyond that, information shared with the media or general public regarding a security incident must be coordinated through Cal Poly’s Public Affairs Office.
On receiving notice of an incident, the party responsible for the affected information asset is responsible for resolving the issue. This includes but is not limited to changing passwords, reformatting media, updating or reinstalling software, running scans and taking appropriate remediation action, and/or taking other steps as needed to remove the threat and prevent similar compromises in the future.
Individuals are expected to follow any specific protocols or recommendations cited in the notice and to document any actions they take to resolve the problem. This includes following established protocols for proper evidence collection, handling and storage; problem identification, remediation and mitigation; incident reporting and documentation, etc. (See Related Procedures and Resources.)
Once a system is secured, the responsible party must notify email@example.com so the Incident Response Team can take appropriate measures to document and resolve the incident.