
Incident Response Process


Topic: Incident Response Process
Audience: Students, Faculty and Staff
Revision Date: August 13, 2014
Author: Theresa Rowe


Roles and Responsibilities in the Event of an Incident

Organizational leadership will be provided by the Chief Information Officer or designee. The CIO or designee is responsible for determining the scope and impact of an incident, will trigger initiation of the IT Disaster Recovery Plan, and may convene the Data Security Breach Review Panel defined in Policy #860 Information Security, as appropriate.

Per OU Policy #890, release of information to outside agencies, including any law enforcement groups, must be coordinated with the explicit permission of the Office of Legal Affairs.

If review indicates that a data breach has occurred, the Data Security Breach Review Panel defined under Policy #860 Information Security will be convened by the CIO or designee. Breach response guidelines from the insurance provider will be provided to and reviewed by the panel.

If a data breach involving payment card data is discovered, immediately follow the payment brand contact procedures before any other action is taken:

  • Visa: http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf

  • MasterCard: http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf


Stage I: Notification of an Incident

An Information Technology Incident can be reported in several ways, including:

  • An email to the University’s abuse contact at abuse@oakland.edu.

  • An email to the University Technology Services contact at uts@oakland.edu or to any individual staff member in UTS.

  • An email to the general ticketing system at helpdesk@oakland.edu; the ticket will be transferred to uts@oakland.edu (UTS Projects).

  • A telephone call or in-person visit to any university helpdesk location; the report will be transferred to uts@oakland.edu (UTS Projects).

  • A request from the OU Police Department or authorized law enforcement agency.
  • A request from the Office of Legal Affairs.
  • An observation or analysis performed by a systems administrator, system engineer or other UTS professional.

In all cases, a ticket is created in the internal UTS ticketing system. This ticket is used for all tracking, analysis, and reporting functions. All incidents will proceed to the next stage.

Stage II: Initial Incident Evaluation

After the initial notification, UTS staff will engage the necessary resources to perform a cursory evaluation to identify the scope and impact of the incident. The following criteria are evaluated, in order of importance:

  1. Determine level of preservation required before any item is touched or reviewed. Do not turn a computer or other electronic device off; anything with an on/off switch should be left on. Note that even reviewing some files will corrupt the evidentiary quality of the material.
    1. Does active memory need to be imaged or captured?
    2. Does the system require immediate removal from the network?
    3. Are there accounts (user or system) that require immediate protection by disabling or password change?
  2. Determine severity and criticality. Assess the urgency of the event.
    1. Is it an active problem, a potential threat, or event-in-progress?
    2. Was the problem discovered after the fact?
    3. Is the intrusion or exposure dormant, active, or complete?
    4. Does this involve the safety or privacy of individuals, including personally identifiable information?
  3. Determine scope and impact.
    1. Is there data loss or damage of data?
    2. Is there evidence of data breach, probability of access by unauthorized parties, or unauthorized exposure of data?
    3. What data are involved and what data classification covers the exposed data? Are original intellectual property or externally funded grant research data involved? Data loss can be classified as one of the following, per IT Policy #860 Information Security definitions:

      1. Confidential Data, including Personal Health Information, Personally Identifiable Information, and Payment Cardholder Information.
      2. Operation Critical Data
      3. Unclassified Data
    4. Identify the method by which data loss or exposure occurred.
    5. Identify the time-frame of affected data loss or exposure.
    6. Approximate the number of lost files or records.
    7. Assess probability that data were accessed by unauthorized parties.
    8. Is a single edge device (desktop computer, laptop computer, storage drive, smartphone) involved, or are multiple devices involved?
    9. Is a server with multiple files involved?
    10. Is a single user or account involved, or are multiple accounts involved?
    11. Are system-level accounts involved?
    12. Is there a loss or attempted loss of service?
    13. Is there a loss or failure of hardware?
    14. Is there a breach of University IT Policy?
    15. Was a device lost or stolen?

If none of the above conditions are met, then an incident did not take place. The tracking ticket is updated with all relevant information and analysis, and then closed.

Stage III: Response Activation

For any incident matching the criteria listed above:

  1. Notify the Data Security Breach Review Panel identified in University Policy #860 Information Security.

  2. For Confidential Data, identify the nature and extent of the data involved, the exposure to unauthorized individuals, the identity of unauthorized individuals, and whether Confidential Data were acquired, viewed, and utilized.
  3. If login credentials were compromised for an individual in the university community, initiate a Red Flags notice following the university Red Flags policy (Policy #412 Detection of and Response to Identity Theft Red Flags). UTS will notify Student Business Services based on this policy.

  4. Involve necessary UTS personnel.
  5. If a device was involved, complete the Checklist for Lost, Stolen or Missing Computer, Tablet, Smartphone, or Other Media Storage Device found at the end of this document.

Stage IV: Return of Service

Post an informational message on the status of service on the UTS homepage, to be updated every two hours (unless specifically noted), until service is returned. Preserve all material evidence as quickly as possible. Then return services to normal operations, unless under other orders from the Office of Legal Affairs. Document the extent of risk to Confidential Data, whether the risk has been mitigated, and note whether exposed data have been fully retrieved, destroyed, or reconfigured to be meaningless (i.e., changing identification numbers, changing passwords, closing accounts, etc.).

Stage V: Incident Response and Containment

Please proceed to each section that applies to the incident, based on the criteria identified from the previous stages.

  1. All incidents:

    1. Identify encryption strategies implemented and in use.
    2. Based on the identified data involved in the incident, create a contact file for the breach notification process, if applicable.
    3. Notifications will be created using the templates as a guideline, and distributed with the assistance of the Office of Risk Management.
    4. Gather and preserve all relevant information, disk images, access logs, system logs and any other material.
  2. Loss or Exposure of Data:

    1. Create an incident tracking record, with careful attention to incident handling and change-of-hands.
    2. Review the incident details with the Data Security Breach Review Panel, with counsel from the Office of Legal Affairs. These individuals will be kept informed during the Incident Review process.
    3. Determine the scope and impact of the data loss.
    4. Work with the Data Security Breach Review Panel on the appropriate notification plan for legal requirements, vendors, banks and other organizational entities.
  3. Loss of Service

    1. In the case of an attempted loss of service (such as a failed Denial of Service attack), take preventive measures to remove the source of the attempted loss of service.
  4. Loss or failure of hardware

    1. If the hardware has been stolen, identify the data stored on the stolen device. Handle the incident as a loss of data incident. Complete the Checklist for Lost, Stolen, or Missing Computer, Tablet, Smartphone, or Other Media Storage Device below.
    2. If there is a loss of service and data have been temporarily lost but can be recovered from backup systems, place an informational message on the UTS homepage for the duration of the service loss when feasible.
    3. If data have been permanently lost, create and distribute a notification using the notification template.


CHECKLIST FOR LOST, STOLEN OR MISSING COMPUTER, TABLET, SMARTPHONE, OR OTHER MEDIA STORAGE DEVICE (“DEVICE”)


  • Name - Device Owner or Individual in possession of device at time of the incident:


  • Title or Position:


  • Phone Number: E-mail:


I. General Information


Describe the Device including the type of Device (e.g., desktop computer, laptop, mobile phone, thumb drive, etc.), name, manufacturer, model and year of purchase or acquisition:


Was the Device purchased by Oakland University or an Oakland University employee?


Was the Device purchased with Oakland University funds (directly or via reimbursement) or funds from a grant or contract administered by Oakland University?


When was the Device lost, stolen, or known to be missing?


Where was the Device last located before it was lost, stolen, or missing?


Did you report the lost, stolen, or missing Device to the Oakland University Police Department or any other police department? If so, when did you make the report? Please supply the case number.


Did you report the missing device to your service provider? When was the loss reported? Did the service provider disable cellular service and data plans immediately? Did the service provider immediately block the IMEI?


          Yes          No          Not Sure

  • If yes, please describe.


Did you report the lost, stolen, or missing Device to anyone else at Oakland University and, if so, when did you make the report and to whom did you make the report?


          Yes          No          Not Sure

  • If yes, please describe.


Was the Device used by more than one individual?           Yes          No          Not Sure

  • If yes, name of other user(s):


Was the device password or passcode protected?            Yes          No          Not Sure

  • If yes, describe the password protection (e.g., number of digits, etc.):


Have you been able to remotely lock down the Device and/or delete any information or data stored on the Device?            Yes          No          Not Sure

  • If yes, what was done and when was it done?


What was the Device primarily used for (e.g., personal, work, etc.)?


Was the Device used to check Oakland University e-mail?          Yes          No          Not Sure

  • If yes, was the Oakland University email accessed through a web browser (e.g., webmail.oakland.edu) or an application/app?


Was the Device used to access Oakland University’s network?          Yes          No          Not Sure


Was the device registered to use on the OU network?          Yes          No          Not Sure

  • If yes to either of the above questions, what software, data and/or information was accessed?


II. Data and Information Stored on the Device or Accessible Using the Device


What data or information was stored or maintained on the Device?


What data or information was accessible using the Device (e.g., data or information stored in a cloud account) and, if accessible, would a user need a username and/or password to access the information?


Was any of the data or information stored or maintained on the Device encrypted or otherwise protected?          Yes          No          Not Sure

  • If yes, please describe the encryption method:


Do you have any backups of the data or information stored on the Device (e.g., external hard drive, cloud account, etc.)?           Yes          No          Not Sure

  • If yes, where was the data or information stored?


Oakland University defines Confidential Data as data that is specifically restricted from open disclosure to the public by law (see OU Administrative Policy #860). Confidential Data requires a high level of protection against unauthorized disclosure, modification, transmission, destruction, and use. Please indicate whether any of the following categories of Confidential Data were stored on the Device and/or accessible using the Device:


Student Data, including without limitation Social Security Numbers, student numbers (e.g., Grizzly ID numbers), grades, e-mail addresses, education records, tests, papers, research.

           Yes          No          Not Sure

  • If yes, please identify each student whose student data was stored on or accessible using the Device and describe in detail all such information for each student:


Medical Data other than your own personal medical data, including without limitation any data relating in any way to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

           Yes          No          Not Sure

  • If yes, please identify each individual whose medical data was stored on or accessible using the Device and describe in detail all such medical information for each individual:


Information Access Security Data, including without limitation login passwords, personal identification numbers, user names, logs with personally identifiable data, digitized signatures, and encryption keys.

          Yes          No          Not Sure

  • If yes, describe in detail the Information Access Security Data and the data or information that is accessible using such Information Access Security Data:


Financial Data other than your own personal financial information, including without limitation primary account numbers, cardholder data, credit card numbers, payment card information, banking information, employer or taxpayer identification number, demand deposit account number, savings account number, financial transaction device account number, account password, stock or other security certificate or account number.

          Yes          No          Not Sure

  • If yes, please identify each individual whose financial data was stored on or accessible using the Device and describe in detail all such financial data for each individual:


Personnel/Employment Data other than your own personal personnel/employment information, including without limitation employment records, payroll records, leave records and disciplinary records.

          Yes          No          Not Sure

  • If yes, please identify each individual whose personnel/employment data was stored on or accessible using the Device and describe in detail all such personnel/employment data for each individual:


Library Data other than your own personal library data, including without limitation any data retained by a library that contains information that personally identifies a library patron, including the patron's name, address, or telephone number, or that identifies a person as having requested or obtained specific materials from a library.

           Yes          No          Not Sure

  • If yes, please identify each individual whose library data was stored on or accessible using the Device and describe in detail all such library data for each individual:


Identification Data other than your own personal identification data, including without limitation drivers’ license numbers, state personal identification card numbers, Social Security Numbers, employee identification numbers, government passport numbers, and other similar identification data.

           Yes          No          Not Sure

  • If yes, please identify each individual whose identification data was stored on or accessible using the Device and describe in detail all such identification data for each individual:


Research Data (please respond separately for each of the categories below):

  • Intellectual Property (yours or others’)           Yes          No          Not Sure

  • If yes, identify each individual whose intellectual property was stored on or accessible using the Device and describe in detail all such intellectual property for each person:


  • Unpublished Data (e.g., proposals, manuscripts, databases, research results)           Yes          No          Not Sure

  • If yes, identify each individual whose unpublished data was stored on or accessible using the Device and describe in detail all such unpublished data for each person:


  • Identifiable human subjects data (including medical data)           Yes          No          Not Sure

  • If yes, identify each individual whose human subjects data was stored on or accessible using the Device and describe in detail all such identifiable human subjects data for each person:


  • Other confidential or sensitive research data or documents           Yes          No          Not Sure

  • If yes, identify each individual whose confidential or sensitive research data or documents were stored on or accessible using the Device and describe in detail all such confidential or sensitive research data or documents:


III. Other Technical, Confidential or Proprietary Data


Please indicate whether any of the following categories of technical, confidential or proprietary data were stored on the Device and/or accessible using the Device:


  • Research data or source code that was not already in the public domain (e.g. publication, internet)?

          Yes          No          Not Sure

  • If yes, describe in detail all such research data or source code and identify any passwords, encryption or other security measures that were applied to such data or source code:


  • Information or data that is or was subject to a confidentiality provision in a grant, sponsored research, non-disclosure or other contract or agreement?

          Yes          No          Not Sure

  • If yes, identify the parties to each such contract or agreement, describe all information or data that was covered by a confidentiality provision in the contract or agreement, and identify any passwords, encryption or other security measures that were applied to such data or source code:

  • If yes, have you notified the other parties to each contract that their information or data was on a Device, or accessible using a Device, that has been lost or stolen or is missing? If so, please identify the person(s) you notified, the manner of the notification (written, verbal, etc.) and the date of the notification.


  • Research or technical data protected by a Technology Control Plan?

          Yes          No          Not Sure

  • If yes, describe all of the research or technical data covered by each Technology Control Plan and identify any passwords, encryption or other security measures that were applied to such research or technical data:


  • Research or technical data that resulted from work under a contract that prohibited publication?

          Yes          No          Not Sure

  • If yes, identify the parties to each such contract or agreement, describe all information or data that was covered by prohibition upon publication, and identify any passwords, encryption or other security measures that were applied to such data or source code:


  • For each of the following, consider any possible information or data access or exposure. Provide information or data regarding any of the following and, if yes, describe in detail the relevant information and data and identify any passwords, encryption or other security measures that were applied to such information or data:
    • Artillery Projectors
    • Ammunition
    • Launch vehicles, guided missiles, ballistic missiles, rockets, torpedoes, bombs or mines
    • Explosives, propellants, incendiary agents or their constituents
    • Vessels of war and special naval equipment
    • Tanks and military vehicles
    • Aircraft, spacecraft and associated equipment
    • Military training equipment
    • Protective personnel equipment
    • Military electronics
    • Fire control, range finder, optical and guidance or control equipment
    • Auxiliary military equipment
    • Toxicological agents and equipment and radiological equipment
    • Spacecraft systems and associated equipment
    • Nuclear weapons design and test equipment
    • Classified articles, technical data and defense services
    • Submersible vessels, oceanographic or associated equipment
    • Any other articles that have substantial military applicability and which have been specifically designed or modified for military purposes

          Yes          No          Not Sure

  • If yes, please explain.



Signature:                                                   Date:         





DOCUMENT: This document is authorized and maintained by the Office of the Chief Information Officer, University Technology Services.