Overview
Incident response procedures vary depending on the specific organization of business functions, information technology, public information, law enforcement, etc. This document outlines steps that should be included in those processes to ensure appropriate responses to security-related incidents.
The security incident response process may start with an explicit report of a security breach, but it is more likely to start as the result of a routine investigation into some anomalous system or network behavior. For example, a server may be operating slowly, or the printing service may stop working. Because of the potential for unauthorized release or modification of data, in addition to service disruption, it is important to assess the possibility that strange behavior may be the result of some security problem before taking steps to correct a “normal” problem.
When it is determined that an incident may be security related, the nature of the recovery effort must be modified and appropriate personnel need to be involved. This ensures that the right information is collected and documented to determine the nature and scope of the security breach and, if appropriate, to facilitate an investigation by law enforcement. Depending on the nature and scope of a breach, it may be necessary to make public disclosures; this will require the involvement of campus executive management and others while business managers and IT professionals resolve the technology and process issues.
See the UC Privacy and Data Security Incident Response Plan (pdf) for an example of the process for responding to a security-related incident. While following this process, it is important to keep the following in mind:
It is crucial to keep a log of the steps taken by the members of the Security Incident Response Team. Someone should be delegated to be responsible for maintenance of the log to assure that it is updated consistently and is available to all members of the team.
It is important that all members of the Security Incident Response Team are kept up to date as events unfold. Much of the information, however, may be confidential, so care should be taken to protect the confidentiality of the discussion.
At a minimum, the Security Incident Response Team includes the affected system's proprietor and custodian, and the campus IT security and policy officers, as well as the original response team. There also may be a need to involve other systems' proprietors, for example when those other systems are the sources of restricted information.
The campus Executive Notification Team must be invoked in the event that notification may be required. This team will include, at the least, executive management, legal counsel, public affairs, and executive IT leadership. In some circumstances, other campus experts may need to be consulted, e.g. the Chancellor’s office, campus police, risk management, internal audit, the campus credit card coordinator, or the campus HIPAA security or privacy officer. Depending on the circumstances of the incident, it may be necessary to notify national and international IT security organizations, such as US-CERT, the United States Computer Emergency Readiness Team (http://www.us-cert.gov/).
The Associate Vice President – Information Resources and Communications, UCOP must also be notified when it is determined that notification may be necessary, and again when it is decided that a public disclosure will take place.
Preparation
Campuses and the organizational units that operate information resources must be prepared to respond to security incidents. The following should be components of overall incident response preparations.
References and Resources
For University policy, see University of California Business and Finance Bulletin IS-3, Electronic Information Security, Section IV.E, Notification in Instances of Security Breaches Involving Personal Information Data.
More links to information are at Security Breach Notification, including UC Guidelines for Determining Notification in the Event of a Security Breach.
Further information about incident response can be obtained from Educause's Incident Handling / Incident Response site at http://www.educause.edu/Browse/645?PARENT_ID=660.