Information Security Incident Management

1. Purpose
The purpose of this document is to outline procedures and guidelines for responding to �� information security incidents. This procedure allows for a coordinated response from Information Security, the Computer Security Incident Response Team (CSIRT), and others involved in investigation plus a follow-up of reported information security incidents.

2. Scope
This procedure applies to responses to all �� information security events reported to the IT information security team and covers both the �� and its auxiliary organizations.

3. Responsibilities
3.1. Information Security Officer (ISO)

Ensures that the campus incident response process for computing systems and data resources is followed.
Handles the primary incident response and assigns an incident severity level.
Ensures that system wide and campus notification procedures are followed.
Reviews incidents potentially involving the unauthorized release of confidential or sensitive information with the CSIRT.
Prepares an Incident Response Report as containing recommendations to the management staff of the campus unit for addressing the causes of the incident.

3.2. Campus Organizations and Data Stewards

Ensures compliance with CSU and campus information security policies, standards and guidelines related to the handling of protected information assets.
Ensures compliance with CSU and campus information security policies, standards and guidelines related to ensuring appropriate access to protected information assets.
Reports any information security breaches and files an initial report on the breach with the Information Security Office.

3.3. Computer Security Incident Response Team

Reviews any information security incident or information security breach that potentially involves the unauthorized access of confidential or sensitive information.
Determines whether an incident or information security breach resulted in the release of confidential or sensitive information to unauthorized individuals, based on findings by the Information Security Officer.
Recommends actions to the President, including notification of individuals whose confidential or sensitive information is reasonably believed to have been acquired by unauthorized individuals, based on discussions and findings of fact reported by the Information Security Officer.
Monitors the progress of the Data Steward and Campus Divisions in respect to notification and remedial action, and formally closes the review of an incident after all remedial actions have been taken.

4. Procedure
The ISO receives incident reports from many areas: Help Desk, Network Operations, Campus Divisions, and the public. The ISO will assign the incident severity level, based on the initial information received.
4.1. High Severity Incidents
Definition -A high severity incident is one which may have long-term or widespread effects on campus business operations or which may damage campus reputation or may indicate a violation of state or federal law. Examples of high severity incidents include but are not limited to:

Hacking of enterprise systems or applications
Cyberstalking or any use of campus technology to threaten
Patriot Act Violations
Loss or theft of Level 1 – Confidential Information
Violation of state or federal law
Conditions causing imminent danger of unauthorized access or disclosure of level 1 data.
Imminent danger of disruption of campus business operations.

4.1.1 Initial Activities - The ISO or designee will immediately contact the individual that has reported the incident to obtain an initial understanding of the scope of the incident. As needed, the ISO will call an emergency CSIRT meeting to determine appropriate next steps and the ISO or designee will prepare a CSIRT interim report, which will include a description of the incident , the number of individuals affected, and the remedial steps that will be taken to address the cause of the incident.
4.1.2 Payment Card Information Breach – The ISO or designee will determine if circumstances suggest that this incident has resulted or may result in loss off Payment Card Industry data. If so, the ISO or designee will convene a PCI incident response team to ensure compliance with PCI-DSS standards regarding the reporting of information.
4.1.3 Police – The ISO or designee will notify University Police and work with officers and investigators as appropriate. Where there appears to be a threat to the safety of persons, the ISO or designee shall make contact University Police Dispatch to ensure that the matter receives appropriate attention.
4.1.4 Legal Counsel - Legal counsel will be engaged in the event there is a violation of law or unauthorized disclosure of protected information.
4.1.5 CSU Notification - The ISO will inform the CIO. Either the ISO or the CIO will inform the campus President and the ISO at the Chancellor’s Office.
4.1.6 Victim Notification - If the situation requires notification of individuals under California law, the CIO will coordinate with the Office of Communications and other stakeholders as necessary. The notification letter will be mailed by return receipt having the receipt responses directed to the ISO. Notifications will be sent with certified mail return receipt requested for groups involving less than fifty (50) individuals being notified.

For groups larger than fifty (50) the most effective method of notification will be determined.
If notices are sent to more than 10,000 individuals, the following consumer credit reporting agencies shall be notified:
Experian
Equifax
TransUnion

4.1.7 Public Communications – The Office of Communication will prepare talking points to use if necessary in response to campus or media questions. Talking points should be shared with the following people:

President
Cabinet President’s Executive Council
CIO
CSIRT
Designated individuals responding to any phone calls, emails, letters, and/or walk-in traffic:

4.1.8 Final Report - The ISO or designee will prepare a final written report to share with the CSIRT team, including recommendations to the management staff of the campus unit for addressing the causes of the incident.

4.2 Medium Severity Incidents
Definition - The threat of a future attack or the detection of reconnaissance on the network systems of California State University San Marcos is considered medium severity. Any incident that has a strong possibility to impact a large portion of the campus is considered medium. Examples of medium severity incidents include but are not limited to:

Loss or theft of Level2 – Sensitive Information
Website Defacement
Misuse of campus resources
Unauthorized Excessive Resource Utilization
Unauthorized access to employee computer account

4.2.1 Initial steps - The ISO or designee will immediately contact the individual that has reported the information to obtain an initial understanding of the scope of the incident. The ISO will review the severity of the incident and determine if a CSIRT meeting needs to be called to determine appropriate next steps.
4.2.2 Notification - The stakeholders of the incident will be notified and depending upon the impact to the campus the notification process may also involve the CIO, the Vice President for University Advancement, the Provost and the President of the University.

4.3 Low Severity Incident
Definition - Low incidents have an impact on only one or a few individuals. Incidents that are considered Low Severity can be handled by IITS personnel and do not require escalation to other departments. Low severity incidents pose no imminent threat to campus systems or of exposure of protected information. Examples include but are not limited to:

Malware/ virus infected system connected to the campus network
Copyright infringement violations (examples: RIAA, MPAA, DMCA)
An email to Abuse regarding a Spam incident
Unauthorized access to a student computer account

5. Incident Investigation and Mitigation
5.1 All Information Security incidents will be recorded and investigated in a timely manner.
5.2 Upon completion, incidents will be reviewed by management.
5.3 All High and Medium Severity incidents shall be assigned a unique case number.
5.4 Coordination of the incident may include but is not limited to the following:

Perform a preliminary analysis of the incident identifying incident cause, personal and university information at risk, collection of evidence, remedial action, and recommendations.
Examine incident computers or systems.
Remove the incident computing system from the campus network as necessary.
Coordinate additional assistance to provide and to preserve incident evidence.
Notify or alert campus users if newly reported vulnerabilities are identified on operating systems, server or services, applications, or network devices.