ITS Security Policy 112 Incident Response

Security Policy Goals [Link]

Statement of purpose


It is critical to respond to and resolve security incidents as quickly and effectively as possible in order to minimize their impact. It is impossible to anticipate every incident that may require a response, so this policy aims to provide a framework for response activities that facilitates effective response actions.

Scope statement

  1. This policy applies to all systems and data that are owned, leased, or in the custody of CCC and the operators of such systems.

Policy summary

CCC ITS shall implement, approve, and maintain a documented incident response plan using established guidelines from a recognized industry authority (ITIL, ISO, NIST, CISA, etc.). ITS staff will be trained on the aspects of the plan that are applicable to their role and will practice the plan annually.

Policy Definitions

Adverse Event: An event with negative consequences for the confidentiality, integrity, or availability of systems and data. This includes events such as software crashes and hardware failures. Adverse events may or may not be related to a computer security incident.

CIA: Confidentiality, Integrity, and Availability; the computer security triad representing the three aspects of computer and data security.

Critical System: A computer system that contains data and programs essential for CCC core business processes; this includes authentication services, Student Data Systems, and the like.

Computer Security Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Playbook: A series of documented steps for responding to a particular type of security incident.

Sensitive Data: Data that is afforded special protection by law or regulation, or credentials allowing access to this type of data.

Severity Ratings

The following severity ratings shall be applied to all computer security incidents. The rating is not fixed, and an incident's rating can change throughout the lifecycle of the incident. The list of security events and their classification is not exhaustive; judgement may be needed to identify the proper severity rating. In general, incidents impacting sensitive data will have a higher rating, as will events that impact a larger number of individuals or devices.

Emergency: An emergency severity rating is reserved for computer security events where any CIA aspect has been compromised on one or more critical systems and the compromise is continuing to spread.

Critical: Incidents where a CIA aspect has been compromised on a critical system but the compromise is limited in scope or confined and no longer spreading.

Major: A CIA aspect of a non-critical system or its data has been compromised, critical vulnerabilities have been identified in systems in use at CCC, or a high-profile user account has been compromised.

Minor: Business email compromise and/or account takeover, malware spreading between systems, or software vulnerabilities that are urgent enough to warrant out-of-band patching.

Nuisance/Trivial: Software vulnerabilities patched during recurring maintenance operations, phishing email campaigns not resulting in business email compromise, or malware, potentially unwanted programs, or navigation to a malicious site blocked by Anti-Virus or endpoint protection software.

Policy

  1. The CISO shall document and implement incident response plans and procedures that address security incident detection and response.
  2. The incident response plan shall be drafted using guidance from industry experts, such as NIST Special Publication 800-61.
  3. This shall include standards and procedures for:
    1. Incident identification
    2. Incident severity & classification
    3. Incident declaration & reporting
  4. This plan shall include roles and responsibilities for
    1. Monitoring, reporting, and response
    2. Internal communication
    3. External communication, including notification to law enforcement officers
  5. All CCC employees shall be responsible for detecting security incidents, notifying appropriate personnel, and facilitating the incident response plan and procedures.
  6. The CIO has the discretion to utilize playbooks for common recurring incidents such as phishing email campaigns.
  7. The Information Security team shall be notified immediately of any suspected or confirmed security incidents involving CCC computing assets, particularly those impacting critical systems.
  8. The CIO shall be informed of all computer security incidents unless otherwise specified in an incident playbook.
  9. Incident reports shall be forwarded to a Red Flag Team where applicable under Red Flag rules.
  10. To assure the integrity of the incident investigation and recovery process, the CIO or designee shall oversee any investigative or corrective action where a playbook is not available.
  11. Computer security incident response activities will be reviewed for effectiveness, and the results of these reviews will be used to improve computer security incident responses.
    1. A review will be conducted after each incident rated major or higher.
    2. Minor and Nuisance/Trivial incidents shall be reviewed at regularly scheduled security team meetings.
    3. Nuisance/Trivial incidents where a playbook is present will be reviewed when the playbook requires revision.
  12. The security team shall document incident response activities, and the CIO shall monitor trends.
  13. In the event that the CCC security team is unable to properly respond to a computer security incident as the result of inadequate manpower, the CIO shall dress as an elephant in a pink tutu while publicly performing a ceremonial dance to the information security gods. After completion of this activity, the CIO may outsource activities as needed if the computer security incident has been given a severity rating of critical or emergency.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Policy violation [Link]

Complaint procedures [Link]

Governing standards, policies, and guidelines [Link]

Definitions [Link]

Responsible executive

Chief Information Officer

Last revision date

03-16-2022 srw (Final Draft)