ISDS Incident Response Policy

Definition and Purpose

An information system or data security incident is one that threatens or compromises the confidentiality, integrity or availability of College information technology assets.  While such incidents may vary in severity and scope, the handling of and response to such incidents must be managed appropriately in order to best preserve the College’s reputation as well as all personal or institutional information assets that reside under the College’s control.

Policy for College Students, Faculty, and Staff

Upon discovery or suspicion of a past, present or potential data security incident, College students, faculty, and staff must present all relevant information about the incident or threat to Information Technology Services.

Policy for Information Technology Services (ITS)

Information system and data security incidents require the full participation of relevant ITS technical personnel as well as leadership to properly manage the outcome.  All threats or incidents reported to ITS personnel by members of the campus community, or discovered by ITS personnel, must be brought to the attention of the Information Systems and Data Security (ISDS) working group, which will ensure that appropriate leadership and technical resources are employed to:

  • Review the incident or threat and classify its severity
  • Assess the extent of damage or potential for it
  • Identify the existing and/or potential vulnerability created and the individuals and/or systems involved
  • Communicate with relevant groups or personnel to arrive at and, if necessary, execute a mitigation plan
  • Ensure that follow-up reporting occurs and any relevant steps (technical or policy changes) are taken to prevent future incidents

Incident Classification

An information security incident is defined as any adverse event that threatens the confidentiality, integrity or availability of College information assets, information systems, and the networks and equipment that transmit such information.  Adverse events may include, but are not limited to:

  • Information system or network security compromise
  • Denial-of-service attacks or malicious network or data traffic
  • System account compromise, including possible or attempted compromise
  • Violations of ISDS policy resulting in a potential vulnerability or compromise
  • Emerging threat or vulnerability

In reviewing an incident or threat, the ISDS group will make an assessment according to the following criteria:

  • Critical
    • Any incident that has compromised the integrity of College information assets or critically disrupted the information infrastructure of the College.
  • High Level
    • Any incident that has the potential to compromise College information assets at an institutional level or disrupt the information infrastructure of the College.
  • Low Level
    • An incident that has the potential to compromise or disrupt College information assets at a localized or otherwise containable level.

Incident Communication and Follow-Up

If an incident requires additional attention following its initial report and classification, the ISDS working group will work with all relevant personnel within Information Technology Services to fully evaluate the incident and any mitigating factors as well as determine if the incident warrants a formal response from higher levels of the Administration.  Communication surrounding an incident should provide the following information to any and all relevant individuals or groups:

  • Incident summary
    • Host(s) involved (systems and/or individuals)
    • Timeline of events (or best estimate)
    • Technical details (logs, timestamps, filename(s), etc.)
  • Assessment of potential for exposure of data, sensitive or otherwise
    • The nature and/or extent of sensitive data, if applicable
  • Recommendations
    • Steps to re-secure the host(s) involved and return to service
    • Mitigation measures to prevent future incidents, such as system (server, service, network, firewall) changes or additional monitoring of network traffic
  • Related policy or procedural changes or considerations

ITS and the ISDS working group will employ an internal tracking system to facilitate and archive communication surrounding an incident, including the preceding elements.  Any outages of IT services (including servers and networks) associated with an incident will be tracked in separate tickets as required by the ITS Outage and Event management procedures.

Incidents not requiring a formal response (such as low-level and some high-level incidents) will be remanded by ISDS to the appropriate individuals or group(s) for follow-up.  If an incident requires a formal response, the ISDS working group will assist in coordinating the response with the Director of Information Technology Services and related members of the College administration.  Such coordination will at a minimum include an incident summary involving the aspects listed above.

Any mitigating factors surrounding or resulting from an incident will be tracked and monitored by the ISDS working group and relevant ITS personnel.