Summary
This policy outlines Clackamas Community College's incident response framework, ensuring swift and effective resolution of security incidents. It details roles, responsibilities, reporting procedures, and severity classifications, incorporating industry best practices while allowing for periodic review and improvement.
Body
Status: TDX Submitted Draft
Last Revision Date: 13 July 2022
Statement of Purpose
It is critical to respond to and resolve security incidents as quickly and effectively as possible to minimize their impact. While it is impossible to anticipate every potential incident, this policy provides a framework for response activities to facilitate effective incident resolution.
Policy Summary
Clackamas Community College ITS shall implement, approve, and maintain a documented incident response plan using established guidelines from a recognized industry authority (e.g., ITIL, ISO, NIST, CISA). ITS staff will be trained on relevant aspects of the plan according to their role and will practice the plan annually.
Policy Definitions
- Adverse Event: An event with negative consequences impacting the confidentiality, integrity, or availability of systems and data. This includes events such as software crashes and hardware failures. Adverse events may or may not be related to a security incident.
- CIA: Confidentiality, Integrity, and Availability—the three pillars of computer and data security.
- Critical System: Computer systems containing data and programs essential for Clackamas Community College's core business processes, including authentication services and Student Data Systems.
- Computer Security Incident: A violation or imminent threat of the violation of computer security policies, acceptable use policies, or standard security practices.
- Playbook: A documented set of steps for responding to a specific type of security incident.
- Sensitive Data: Data that is protected by law or regulation, or credentials allowing access to such data.
- Severity Ratings: Defined levels applied to all computer security incidents. Severity ratings may change throughout the incident lifecycle. Incidents impacting sensitive data or a large number of individuals/devices typically have higher severity ratings.
Policy
- The CISO shall document and implement incident response plans and procedures for security incident detection and response.
- The incident response plan shall be drafted using guidance from industry experts, such as NIST Special Publication 800-61.
- The plan shall include standards and procedures for:
- The plan shall define roles and responsibilities for:
  - Monitoring, reporting, and response
  - Internal communication
  - External communication, including notifications to law enforcement
- All Clackamas Community College employees are responsible for detecting security incidents, notifying appropriate personnel, and facilitating incident response procedures.
- The CIO may implement playbooks for recurring incidents, such as phishing email campaigns.
- The Information Security team must be notified immediately of any suspected or confirmed security incidents involving Clackamas Community College computing assets, particularly those affecting critical systems.
- The CIO must be informed of all computer security incidents unless otherwise specified in an incident playbook or response plan.
- Incident reports shall be forwarded to a Red Flag Team where applicable under Red Flag rules.
- Computer security incident response activities will be reviewed for effectiveness. These reviews will be used to improve responses:
  - Major or higher severity incidents will be reviewed after each occurrence.
  - Minor and Nuisance/Trivial incidents will be reviewed during regularly scheduled security team meetings.
  - Nuisance/Trivial incidents with a playbook will be reviewed when the playbook requires revision.
- The security team shall document incident response activities, and the CIO shall monitor trends.
- In the event that the Clackamas Community College security team is unable to properly respond to a computer security incident due to inadequate manpower, the CIO shall dress as an elephant in a pink tutu while publicly performing a ceremonial dance to the information security gods. After completion of this activity, the CIO may outsource activities as needed if the computer security incident has been given a severity rating of high or critical.
Exemptions
None.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).