Incident Response Framework
The following policy details the Gallaudet Technology Services (GTS) Incident Response Framework that governs how GTS responds to major IT security incidents on campus.
The following table defines the roles and responsibilities of Incident Response Framework stakeholders and participants who form the Incident Response Team that responds to computer security incidents:
| Role | Responsibilities |
| --- | --- |
| GTS Info Security | The GTS Information Security and Networks office employs security administrators who maintain network security, monitor network activity, perform vulnerability scans of host systems and respond to identified and reported incidents. |
| Data Center Unit | The GTS Data Center unit is responsible for operating systems and patches on servers in the Edward Miner Gallaudet building or Benson Data Center. In some cases, the system owner is responsible for any applications residing on the machine. Often the Data Center Unit, system owner, and GTS Security work together to resolve application security issues and problems. |
| Support Provider | A Support Provider is any employee that provides end user workstation or application support, including Computer Support Services (CSS) and Help Desk employees. Additionally, any Gallaudet University employee tasked with providing department-specific end user support can be considered a Support Provider. |
| User | Users are often on the front line of reporting IT security incidents because they can report them directly to the Executive Director of GTS. The Director then interviews the user directly about the IT security incident they are reporting. |
Responsibilities and Reporting
Information Security at Gallaudet University is a team effort with GTS Information Security and system owners both actively involved and responsible for the overall health, security and functionality of the Gallaudet University hosts and services.
GTS Information Security is responsible for overall network health, security and functionality. They continuously monitor connections to the internal, external and wireless networks and review them daily in accordance with established log retention and management protocols.
Upon the identification of a potential or confirmed vulnerability, GTS Information Security takes action to define a scope and impact of the incident and inform the Executive Director of GTS and the GTS Information Security Officer (ISO), as well as the System Owner and Support Providers as appropriate and necessary. The Manager of the Office of Risk Management should also be informed in cases of confirmed vulnerabilities. For the purposes of this framework and procedures, system owners are defined to include both Data Stewards (those responsible for the data in the system) and Data Custodians (those responsible for administrating the system in which the data resides).
The System Owner monitors and reviews access to and utilization of system functions in accordance with established log retention and management protocols. Upon detection of a realized or potential security incident, the System Owner will take action to define the scope and impact of the incident and notify the Executive Director of GTS and the GTS Information Security Officer (ISO). If the incident has potentially jeopardized the security of confidential, proprietary or sensitive University data, the Incident Response Team convenes.
Support Providers are responsible for identifying end-user workstation security risks and incidents. Upon confirmation of a security incident, the Support Provider will inform the GTS Security team and the Director of Network Operations. Such incidents include, but are not limited to, viruses, worms, denial of service attacks, local attacks, and realized or potential disclosure or loss of confidential, proprietary or sensitive University data.
Users are responsible for the appropriate use of services and maintenance of data that they have been authorized to access, including the proper handling, storage and dissemination of confidential, proprietary and sensitive University information. In the event that locally stored data is misplaced or improperly distributed to unauthorized audiences, users must inform their manager, the GTS Information Security Officer and the Executive Director of GTS immediately. If a User detects a suspected or realized Computer Security Incident, they will report this situation to their Support Provider or department manager for escalation.
Information Security Incident Response
Upon report of an Information Security incident, the GTS Information Security Officer (ISO), System Owners and other needed GTS personnel will convene to assess, investigate, mitigate and ultimately remediate the security vulnerability.
In the event of a Data Security Incident, the GTS Information Security Officer (ISO) convenes the Incident Response Team with the Executive Director of GTS and representatives from the affected University departments to coordinate response actions and communications with the parties affected by the loss or dissemination of this data.
The Incident Response Team, and/or the Executive Director of GTS and GTS Information Security Officer (ISO) will consult with appropriate individuals as deemed necessary, including the University legal team, or law enforcement personnel when the need surfaces.
The Incident Response Team prioritizes the incident based upon the realized or potential threat and impact to Gallaudet University systems, services or data in the following order:
- Registered business-critical services
- Non-business-critical services
Incident Response Process
- The Incident Response Team defines the scope of the incident and its impact to the directly affected systems and their relationship to University business and mission critical systems and processes.
- GTS Information Security contains the affected systems in a manner that prevents additional damage, loss and compounding incidents.
- GTS Information Security and the System Owner collect all evidence of the incident in such a manner as to preserve the state of the system, service and data at the time of the infraction. This includes gathering all associated log files and reports from the compromised host, application, service and connected devices and services. Such evidence collection may require the creation of a bit-level copy of the affected systems.
- GTS Information Security or a designated, approved third party, and the System Owner perform an investigation to identify the incident source and extent of data loss or damage to the University.
- GTS Information Security and the System Owner develop and implement a plan for remediation and mitigation of the vulnerability.
- The System Owner coordinates service and data restoration following the remediation and mitigation of the vulnerability.
- The Incident Response Team communicates the status of the process to necessary GTS personnel, System Owner(s), and University administration. As appropriate, the team also disseminates pertinent information to the overall University user community.
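The evidence collection step above calls for a bit-level copy that preserves the state of the affected system. The script below is an added example, not part of the GTS policy or its procedures, of how such a copy can be made and its integrity recorded so that the image can later be shown to match the source: it images a volume with `dd`, hashes source and image with SHA-256, appends a chain-of-custody line (time, operator, source, both hashes), and provides a re-verification function for later use. All paths are constructed for the demonstration, and a small file stands in for the affected disk device.

```shell
#!/bin/sh
# Added example (not GTS policy text): bit-level imaging with integrity record.
# Assumptions: POSIX sh, dd, mktemp and either sha256sum or shasum available.
set -eu

# SHA-256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Make a bit-level image of SRC at DEST, append a chain-of-custody record to
# CUSTODY, and return success only if the image hash equals the source hash.
# dd copies every byte, including unallocated space, which a file-level copy
# would miss. Imaging a real device would use its block device path as SRC and
# may add conv=noerror to keep going past unreadable sectors.
image_and_verify() {
    src="$1"; dest="$2"; custody="$3"
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$dest" bs=4096 2>/dev/null
    img_hash=$(sha256_of "$dest")
    # Tab-separated record: UTC timestamp, operator, source, source hash, image hash.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "$src" "$src_hash" "$img_hash" >> "$custody"
    [ "$src_hash" = "$img_hash" ]
}

# Re-hash an image and compare it with the hash recorded at collection time.
# Fails if the image has been altered since it was taken.
verify_image() {
    img="$1"; recorded="$2"
    [ "$(sha256_of "$img")" = "$recorded" ]
}

# Constructed demo input: a few sample log lines followed by zeroed space,
# standing in for an affected volume.
make_demo_volume() {
    vol="$1"
    printf 'sample log line 1\nsample log line 2\n' > "$vol"
    head -c 8192 /dev/zero >> "$vol"
}

# Stand-alone demonstration in a temporary directory.
WORK=$(mktemp -d)
make_demo_volume "$WORK/affected.img"
if image_and_verify "$WORK/affected.img" "$WORK/evidence.dd" "$WORK/custody.tsv"; then
    echo "image verified; custody record written to $WORK/custody.tsv"
else
    echo "image hash mismatch; do not rely on this copy" >&2
fi
```

The custody file is append-only by construction, so each image taken during an incident adds one line; re-running `verify_image` against the recorded hash before analysis or handover confirms the copy is still the one that was collected.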
Record of Incidents
The Incident Response Team documents all reported security incidents, findings and remediation actions with GTS Information Security producing an annual summary of security incidents.