Information Security Incident Response Plan

Overview

This document establishes the procedures for identifying, reporting, and responding to information security events. It provides a process for handling these events from the time an event is detected through its conclusion and any reporting deemed necessary.

Identification of Information Security Incidents

Information security incidents are events that have the potential to compromise the confidentiality, integrity, or availability of university information and/or information technology resources.

Examples of Information Security Incidents

  • Lost or stolen laptop, tablet computer, or smartphone
  • Physical breach of Information Technology (IT) communication closets
  • Compromise of credentials because of malware, phishing attack, or disclosure of password(s) to an unauthorized person
  • Disclosure of protected data to an unauthorized person(s)
  • Notification of publicly posted University credentials
  • Notification of compromised Personally Identifiable Information (PII)
  • Device(s) infected with ransomware
  • Unauthorized access of user account(s)

📌
If it is not clear whether a specific situation is an information security incident, report it.

Goals for Information Security Incident Response

Timely and thorough actions are essential to managing information security incidents and minimizing potential damage. The goals of information security incident response include:

  • Protecting the integrity, availability, and confidentiality of University data, systems, and networks
  • Developing a communications plan for initial reporting and ongoing communications throughout the incident
  • Recovering and restoring systems and data
  • Assisting with the recovery of business processes after an incident

Reporting an Information Security Incident

Any member of the University community can report an information security concern to the Malbon Center for Technology. It is important that security incidents are reported immediately.

To report an Information Security Incident:

  1. Click on the following link to complete the Information Security Incident Report Form: (Information Security Incident Report Form)
  2. Complete the Incident Report Form with as much detail regarding the incident as possible. Once the completed form has been submitted, it will generate a notification to The Malbon Center for Technology Incident Response Team.

  3. Contact The Malbon Center for Technology Help Desk
    • The Malbon Center Help Desk phone number is 757-524-5900.
    • The Malbon Center Help Desk business hours are Monday-Friday, 8:30a-4:30p.
    • 📌 If there is no answer at the Help Desk, leave a message stating that you are reporting an Information Security Incident and that you have completed the Information Security Incident Report. A staff member will contact you to follow up if necessary.

Incident Response

Once an incident has been reported, The Malbon Center for Technology will serve as the primary point of contact and coordination for the duration of the incident.

If it is determined to be a legitimate incident, a ticket in The Malbon Center ticketing system will be generated and an Incident Coordinator will be assigned from The Malbon Center security team.

The Malbon Center security team consists of:

  • The Chief Information Officer
  • The Manager of System Administration
  • The Information Security Officer

Investigate the Incident

The Malbon Center will determine if the incident is active with ongoing impact or an inactive incident that has been contained.

Active Incident

If it is determined to be an active incident, strategies for mitigating additional loss, damage, and exposure are implemented. The specifics of the incident will determine mitigation actions.

Inactive Incident

If it is determined that the incident is not active, or that steps have already been taken to prevent further loss or damage and/or to mitigate the impact of the incident, The Malbon Center will investigate the incident.

During the investigation, The Malbon Center will determine the following, wherever possible:

  • How the incident occurred
  • Whether or not the incident resulted in the exposure or potential exposure of restricted data
  • If there are other systems, data, or services that might have been impacted or that may be at risk because of the incident
  • If the incident involved criminal activity
  • What steps need to be taken to recover from the incident

Define and Implement Remediation Plan

During the investigation phase, remediation and/or mitigation steps will be identified and included in a Remediation Plan. Remediation steps will be determined based upon the type and scale of the incident and may include:

  • Performing vulnerability patching and system updates
  • Securing compromised user accounts
  • Restoring affected systems from pre-incident backups
  • Implementing additional security controls to prevent future incidents
  • Improving business processes to reduce the risk of recurrence
  • Increasing cyber security awareness training
  • Determining whether an Incident Summary Report is needed

Incident Conclusion and Summary Reporting

If an Incident Summary Report was needed, the report will be finalized and stored internally within The Malbon Center for Technology along with the generated service ticket and any supporting documentation developed during the incident.