ITS Security Standard: Incident Response Program - Workflow 3
Workflow (Continued)
Documentation
The Incident Response Team will create and maintain a confidential written record for each incident in Cal Poly’s secure electronic trouble ticket system until the incident is finally resolved. At minimum, the record must include the incident date and time, incident type, severity and impact, who or what reported the incident, a detailed description of what occurred, supporting evidence if available, source and target of the attack, affected campus resources, response actions taken and by whom, evidence collected, suspected cause(s), total hours spent and other costs (if applicable). Records will be used to report the number and type of incidents as needed and to identify incident response trends over time.
Individuals involved in any investigation or corrective measures are responsible for documenting their actions, communications and findings related to the incident. This information must be submitted to abuse@calpoly.edu so it can be incorporated into the confidential ticket.
Improvement
Individuals and units involved in the incident response process may have recommendations to improve system/network configuration, security practices, business processes or the incident response process. Recommendations will be collected and documented by the Incident Response Team.
At the conclusion of major incidents, the Incident Response Team will hold a debriefing to review lessons learned and to recommend changes to this standard and related procedures if appropriate.
Communication
Communication with affected parties involved in the incident occurs at each stage in the incident response cycle. Specific communication responsibilities are identified in the Roles and Responsibilities section of this standard.