When does incident response occur?
In accordance with University IT Policy 3.00, the University Information Security Office is responsible for coordinating and investigating information security incidents. A security incident has occurred anytime there has been unwanted activity that may affect the confidentiality, integrity, or availability of an IT system, including unauthorized access to systems.
During the incident response process, the university follows the industry standard processes of preparation, identification, containment, eradication, recovery, and lessons learned.
The Incident Response Procedure
The purpose of the Incident Response Procedure is to establish the necessary guidance for the initial evaluation, escalation, and remediation of a significant security event. A typical "significant" event is one where there is a threat to a person, a mission-critical system, or university-owned sensitive data as defined by the data classification section of UNIV 1.51.
In accordance with University IT Policy 3.00, the University Information Security Office (UISO) is responsible for coordinating and investigating information security incidents.
The intended audience is anyone outside the UISO who will participate in incident response at the USC. In most cases this will be the security liaisons.
A flowchart showing the process can be found here.
For clarity, an asset could be a physical device, a cloud-based system, a user account, a SaaS subscription, or any other technology that the USC owns or pays for, or that stores data belonging to the USC.
IMPORTANT: If you are the IT manager, user, or administrator of a suspected compromised IT asset, do not access or alter the asset in any way until the UISO clears you to do so. Any access to or alteration of the asset could compromise a potential investigation if the security event is classified as significant.
The UISO will begin investigating the event by classifying associated risks. This is accomplished by determining the following:
- Was there a personal threat to an individual?
- Was the department the event occurred in known to handle or generate sensitive data?
- Did the user(s) involved in the event have access to sensitive data?
- Was there a significant risk of business disruption caused by this event (for example, ransomware or a DDoS attack)?
- Was a particular person or group targeted? This would indicate intelligent, intentional malicious action.
If any of the above are true, the UISO may initiate its Incident Response plan. There are two primary components to this plan:
- The incident manager's checklist - a checklist of items that applies to most significant breaches in security.
- The incident playbooks - a set of incident response procedures maintained by the UISO and referred to in the event of a significant security breach.
In the event your area is involved in a "significant" breach of security and the IR Plan is initiated, the UISO will provide directions on what actions should be performed. Please be advised that the UISO coordinates with various other departments, such as General Counsel, Public Relations, and other subject matter experts, during security breaches. The UISO will keep the affected IT managers, department heads, and end users as up to date with current developments as quickly as is practical.
Coordination of events will be completed by the UISO's Security Operations Center.
In the event of a security issue that doesn't require execution of the IR Plan, the UISO will notify the relevant security liaisons with recommendations on remediating the event and provide assistance when appropriate.