Information Security Incident Response Plan
Implements CSU ICSUAM 8075 Information Security Incident Management.
1.1 Information Security Incident Response Team Membership
The core Information Security Incident Response Team (ISIRT) consists of representatives from these organizations:
- Information Security Office
- Human Resources
- Information Technology Infrastructure
- Information Technology Endpoint Support
- Network Operations
- University Communications
- University Police
- Risk Management & Compliance
1.2 Types of Incidents
The Information Security Incident Response Team (ISIRT) will investigate and respond to Information Security incidents involving malware, fraud, harassment, inappropriate use, unauthorized data access, unauthorized physical access, unauthorized system access, unauthorized system use, lost or stolen equipment, other violations of applicable Information Security laws, policies, standards, procedures and contracts, and other violations of the confidentiality, integrity, or availability of information systems or assets for which California State University East Bay holds responsibility.
1.3 Incident Response Procedure
1.3.1 Detection of Incidents
Some possible ways of detecting events include:
- Unusual network activity
- Unusual server log entries
- A denial of service (workstation, network, or service)
- The University is contacted by other organizations
- The University is contacted by other law enforcement agencies
- The University is contacted by an end-user noticing strange behavior
- Alerts from security monitoring systems
Detection can often occur at:
- A network perimeter (network firewall or network Intrusion Detection System)
- A host perimeter (host based firewall)
- On the system-level (on the host itself)
Persons who suspect a security incident should contact the CSUEB IT Service Desk in one of the following ways:
- Send email to email@example.com
- Call 510-885-HELP (contact by email if there is no answer)
- Visit the IT Faculty & Staff lounge at the main entrance to IT, in the south wing of the Library Annex building.
Please inform the IT Service Desk of the nature of data stored and accessed on any system suspected of being compromised, to the extent that this can be done without using or accessing the system itself.
Callers should state, in particular, if CSU protected level 1 or 2 data violations are suspected such as Social Security Numbers, medical information, grades, or other CSU protected level 1 or 2 data as defined in The CSU Data Classification Standard.
1.3.3 Loss or Theft of Equipment or Media
When a computing device has been lost or stolen, an equipment loss report must be filed with Property Management.
When a computing device has been stolen, the theft must also be immediately reported to the University Police Department.
When a computing device or a piece of storage media containing protected level 1 data has been lost or stolen, it must also be immediately reported to the Information Security Office. The Information Security Office will then follow this document, the CSUEB Information Security Incident Response Plan. Storage media includes, but is not limited to, storage devices, USB drives, paper, and any other storage media.
1.3.4 Notification of CSU Chief Information Security Officer
If a reasonable suspicion exists that Level 1 data has been breached, the Information Security Officer, in consultation with the Chief Information Officer (CIO), must notify the CSU Chief Information Security Officer as soon as possible of the potential incident.
1.3.5 Preservation of Evidence
If a system is suspected of having been compromised, to avoid inadvertently destroying valuable evidence needed to protect other systems and to prove that protected information was not accessed, users and IT support staff must not:
- install or run any additional services, patches, upgrades, or other fixes
- run anti-malware scans or backup software
- use the machine further for any purpose
The Information Security Office has forensic software to preserve as much of the evidence as possible from a compromised computer.
1.3.6 Containment of Damage
If a compromised system is believed to be exfiltrating data or attacking other systems, the system must be immediately disconnected from the network.
If the presence of malicious software has been detected then the machine in question must immediately cease to be used and must be disconnected from the network. The Information Technology Service Desk must be notified. The machine must be examined for sensitive data and fully cleaned before use can continue.
1.3.7 Incident Investigation
The Information Security Office will, with assistance, as needed, from members of the Information Security Incident Response Team (ISIRT) and other campus community members, investigate and document the incident, and attempt to determine what information assets may have been involved, what damage may have been caused, what data may have been breached, and the identity and actions of the perpetrators. All campus community members must work with the Information Security Office, the Data Owner, the Data Steward, and/or other authorized individuals during the investigation and mitigation of information security incidents and breaches.
1.3.8 Recovery and Remediation
The Information Security Office will work with the affected parties to create and implement a plan to recover from the incident and remediate damage caused by the incident.
Where appropriate, violations of laws, policies, standards, procedures, contracts, or codes of conduct will be referred to other departments such as the Office of Student Conduct, Employee Relations and Compliance, Residential Life, or Faculty Affairs for further investigation or action.
1.3.9 Determining Notification Requirements
If confidential information is involved and if there is reasonable belief that it was compromised, the following actions are taken:
The Information Security Officer and/or the CIO will make a recommendation to the President about whether to make a formal breach notification. The Information Security Officer and/or the CIO will be advised by Senior Management as available and appropriate, including:
- Vice President of Administration and Finance
- Vice President of University Affairs
- University Communications representative
- IT Service Directors
- Director of Risk Management
The President or designee will decide whether the University is to make a formal breach notification. If a breach notification is to be made:
- The President or designee will decide whether to notify individually, through the media, or both, and assigns tasks
- A draft copy of the notification must be sent to the CSU Chief Information Security Officer for review
- The notification will be sent to the user and/or published, as decided by the President
Additional notifications are made according to The CSU Information Security Incident Management Policy and other contractual and legal requirements. These include but are not limited to:
- If a breach of level 1 data has occurred, the President notifies the Chancellor, the CIO notifies the Assistant Vice Chancellor for Information Technology Services, and the campus ISO notifies the CSU Chief Information Security Officer using the Chancellor’s Office Security Incident Response Form
- If a breach of PCI data has occurred, the affected payment brands are notified and the appropriate procedures are followed from the payment brand incident response procedures
- Breaches involving data exchanged with other entities are reported to those other entities as appropriate
Follow up meetings are held to monitor the status of the notification effort.
1.3.10 Handling Inquiries
In the event that notification of the incident is given to members of the public or the campus community, the Information Security Incident Response Team (ISIRT) will work with University Communications to determine what methods will be used for handling inquiries about the incident. Possible methods include but are not limited to the creation of a website dedicated to the incident and the temporary use of the campus information/emergency phone line message.
The Information Security Office will lead a follow-up conversation to identify and apply lessons learned, and to develop and implement corrective actions directed at preventing or mitigating the risk of similar occurrences.
1.3.12 Closing the Incident
When all outstanding action items have been completed, the Information Security Office will close the incident and notify the President and the Information Security Incident Response Team (ISIRT).
If you have any questions or concerns regarding this document, please contact the campus Information Security Office at firstname.lastname@example.org.