IT Incident Response Standard
This incident response document discusses how information is passed to the appropriate personnel and how the assessment of an incident is performed. This document explains our response strategy, incident documentation, and identifies the methodology of the preservation of evidence. It defines areas of responsibility and establishes procedures for handling various security incidents. The objectives of incident response are to:
- Verify that an incident occurred.
- Determine how the attack was performed, i.e., how the incident happened.
- Maintain or restore business continuity quickly to reduce the incident impact.
- Improve security and incident response to prevent future incidents.
- Prosecute illegal activity.
- Keep management informed of the situation and response.
This policy covers all network, computing, and data devices attached to the WPI network and/or storing WPI data. It covers violations of the Acceptable Use Policy, the Network Security Policy, and all portions of the Data Security Policy. All Information Security incidents are administered according to this standard and consistent with governing laws and regulations.
Potential security incidents are identified by the Information Security Office using information from a variety of sources including but not limited to:
- Contact from victims
- Contact from system owners
- Contact from external parties
- Non-security trouble reports
- Monitoring of the WPI network and connected systems for security intrusions and policy violations
Once a potential problem has been identified, the Information Security Office staff will analyze and attempt to confirm that it actually is the result of a security incident. During this step, the Information Security Office will also determine the severity of the incident. If a situation warrants immediate action, the systems will be removed from the network or taken out of service to contain the problem and perform the appropriate level of forensic investigation. In any case, the system owners and affected parties will be notified as quickly as possible.
Incident severity depends on whether an incident may pose a threat to university resources, stakeholders, and/or services, and is assessed on factors including but not limited to the following:
- Does the incident involve unauthorized disclosure of sensitive information?
- Does the incident involve serious legal issues?
- Does the incident cause serious disruption to critical services?
- Does the incident involve active threats?
- How widespread is the incident?
Once a security incident has been positively identified, the Information Security Office will act to isolate the affected machines or systems. Compromised hosts often cause secondary threats and are used as platforms to attack other internal systems. Compromised hosts also potentially open the university to legal liability. Consequently, the Information Security Office must act to remedy security problems immediately including taking systems offline.
Depending on the nature of the incident, the Information Security Office may be required to work with law enforcement.
In the case of a compromised computer that is actively causing widespread problems or affecting non-WPI networks or computers, the Information Security Office staff will block the computer from the network and then notify the contacts.
The Information Security Office staff will notify all system owners about the incident and the steps taken concerning it, and will issue the required steps to remediate the problem. The Information Security Office will create a log entry for the violation. In those rare instances when a group feels that the system should not be removed from the network, other options may be presented to the Information Security Office for review.
If subpoenaed for information about security incidents, the Information Security Office will comply per federal and state regulations.
WPI complies with federal and state regulations to notify people when their financial or personal information has been compromised.
If such notification is required, the Information Security Office will contact the Chief Information Officer, the General Counsel, the Chief Financial Officer, and the VP of Communications and Marketing.
Once the computer has been handled by the Information Security Office and cleared to be restored to normal service, it is the owner's responsibility to reformat disks, reinstall software on the machine, and/or take any other steps necessary to secure it from future attacks. Guidelines for securing systems can be found at Network Security Information.
Once the computer is secured, the owner should contact the Information Security Office, who will then allow it to be reconnected to the network and verify the system is secure. Refusal or official non-compliance by the system's owner will be dealt with on a case-by-case basis.
Please email any concerns or comments to firstname.lastname@example.org.
In order to stay current with the changing security environment, the University Computer Security Incident Response Procedure is subject to revision. Before any such changes take effect, a request for comments will be made to the relevant information technology groups.
- The Information Technology Division endorsed this standard in September 2006.
- After a minor revision, the faculty Committee on IT Policy endorsed this standard on February 19, 2008.
Please visit the Data Security site for references and information on other Data Security standards.
Maintained by itweb
Last modified: May 13, 2008, 13:19 EDT