Security incident response program
Consider the following requirements from SOC 2 and ISO as you learn more about designing an incident response program:
- SOC 2 Common Criteria 7
- ISO Annex A

Designing an incident response program begins with the collection of security events. According to the ISO standard, an event is: "An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant."
Thus, the program should start long before an incident is identified. Events can be collected from many different sources, including server logs, SaaS apps, and virus scanning tools. These events should be stored, and alarms should be set for significant events. The incident response policy should list all sources of security events. Once a security event has been identified, the security team must analyze it.
The incident response policy should define the criteria for analysis. These criteria may include downtime, probability of account compromise, and possible financial loss.
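The workflow described above (collect events from several sources, store them, alarm on the significant ones, analyze each against the policy's criteria, and classify an event that meets them as an incident) can be sketched as a small triage pipeline. The code below is an added example written for this page, not code from the standards or from any university policy; the log formats, the home-country list, the thresholds, and the per-minute downtime cost are all assumptions chosen for illustration.

```python
"""Added example: event collection, alarming, criteria analysis and
incident classification. Formats, thresholds and costs are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample feed (not real data): lines from a server log, a SaaS
# app, an anti-virus tool and an uptime monitor, one event per line.
SAMPLE_FEED = """\
server sshd: Failed password for admin from 203.0.113.5
server sshd: Failed password for admin from 203.0.113.5
server sshd: Failed password for admin from 203.0.113.5
server sshd: Failed password for admin from 203.0.113.5
server sshd: Failed password for admin from 203.0.113.5
server sshd: Failed password for admin from 203.0.113.5
saas login user=bob country=NL
av Trojan.Generic detected on host-07
monitor service=payments state=DOWN minutes=45
"""

@dataclass
class SecurityEvent:
    source: str              # which listed source produced the event
    kind: str                # normalized event type
    attrs: dict = field(default_factory=dict)

# One parser per source the policy lists; unknown lines are not analyzed.
PATTERNS = [
    ("server", "auth_failure",
     re.compile(r"^server sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$")),
    ("saas", "saas_login",
     re.compile(r"^saas login user=(?P<user>\S+) country=(?P<country>\S+)$")),
    ("av", "malware_detected",
     re.compile(r"^av (?P<signature>\S+) detected on (?P<host>\S+)$")),
    ("monitor", "service_state",
     re.compile(r"^monitor service=(?P<service>\S+) state=(?P<state>\S+) minutes=(?P<minutes>\d+)$")),
]

def parse_event(line):
    """Map one raw line to a SecurityEvent, or None if no source matches."""
    for source, kind, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if m:
            return SecurityEvent(source, kind, m.groupdict())
    return None

class EventStore:
    """Stores every parsed event so analysis has the full picture."""
    def __init__(self):
        self.events = []

    def ingest(self, lines):
        for line in lines:
            ev = parse_event(line)
            if ev is not None:
                self.events.append(ev)
        return self.events

def is_significant(ev):
    """Events that should raise an alarm immediately (assumed rule)."""
    if ev.kind == "malware_detected":
        return True
    return ev.kind == "service_state" and ev.attrs["state"] == "DOWN"

def alarms(events):
    return [e for e in events if is_significant(e)]

# Analysis criteria named in the text; thresholds are assumed values.
CRITERIA = {
    "downtime_minutes": 30,
    "account_compromise_probability": 0.5,
    "financial_loss_usd": 10_000,
}
HOME_COUNTRIES = {"US"}            # assumed
COST_PER_DOWN_MINUTE_USD = 250     # assumed
MALWARE_CLEANUP_USD = 5_000        # assumed

def analyze(events):
    """Compute one value per criterion from the stored events."""
    failures = Counter(e.attrs["user"] for e in events if e.kind == "auth_failure")
    downtime = sum(int(e.attrs["minutes"]) for e in events
                   if e.kind == "service_state" and e.attrs["state"] == "DOWN")
    foreign_login = any(e.kind == "saas_login" and e.attrs["country"] not in HOME_COUNTRIES
                        for e in events)
    malware = any(e.kind == "malware_detected" for e in events)
    # Compromise probability: strongest single signal wins (assumed heuristic).
    compromise = 0.0
    if failures and max(failures.values()) >= 5:
        compromise = max(compromise, 0.8)
    if foreign_login:
        compromise = max(compromise, 0.6)
    loss = downtime * COST_PER_DOWN_MINUTE_USD + (MALWARE_CLEANUP_USD if malware else 0)
    return {
        "downtime_minutes": downtime,
        "account_compromise_probability": compromise,
        "financial_loss_usd": loss,
    }

def classify(analysis):
    """Return ("incident", criteria met) if any threshold is reached, else ("event", [])."""
    met = [name for name, limit in CRITERIA.items() if analysis[name] >= limit]
    return ("incident" if met else "event", met)

if __name__ == "__main__":
    store = EventStore()
    events = store.ingest(SAMPLE_FEED.splitlines())
    print("alarms:", [(e.source, e.kind) for e in alarms(events)])
    print(classify(analyze(events)))
```

The store keeps every event, not only the alarming ones, because the criteria analysis (repeated login failures, for instance) only becomes visible across many individually unremarkable events.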
If a security event meets the criteria, it is classified as a security incident. According to the ISO standard, a security incident is:

To ensure that security incidents and policy violations are promptly reported, investigated, documented, and resolved in a manner that promptly restores operations while ensuring that evidence is maintained. This standard outlines the workflow, roles and responsibilities, and escalation provisions with respect to identifying and handling information technology (IT) policy violations and information security incidents at Cal Poly.
An accurate, complete, and consistent response is essential to ensure the protection of university information assets while complying with applicable policies and laws.
Timely and relevant communication with appropriate parties is necessary to ensure the quality of the response, support legal action if necessary, and maintain public confidence. Complete, accurate documentation and subsequent debriefing are important to prevent the recurrence of similar incidents. As preparation happens outside the official incident process, process improvements from prior incidents should form the basis for continuous improvement at this stage.
Detection is the identification of an event or incident whether through automated means with security tools or notification by an inside or outside source about a suspected incident. Containment of an incident includes the identification of affected hosts or systems and their isolation or mitigation of the immediate threat.
Communication with affected parties is established at this phase of incident response. Remediation includes the repair of affected systems and services, addressing residual attack vectors against other systems, communication and instructions to affected parties and an analysis that confirms the threat has been contained. Recovery is the analysis of the incident for possible procedural and policy implications. The Executive Response Team is responsible for actions such as communication, information sharing, and minimizing impact from an exposure of regulated data.
As university responses to each incident may vary, this section provides an overview of those actions that the Executive Response Team may take in responding to an incident in which regulatory data has been exposed. Each incident presents a unique set of challenges and problems. This section provides some common guidelines for preferred actions in these types of events.
In incidents where a member of the incident response team, their leadership or the leadership of the university is being investigated, appropriate resources will be selected to remove any conflicts of interest at the direction of or in conjunction with either General Counsel or the Board of Trustees.
All communications with external law enforcement agencies are made after consulting with the Office of General Counsel. All public communications about an incident or incident response to external parties outside of the University of Connecticut are made in consultation with the Office of General Counsel and University Communications.
Private communications with other affected or interested parties should contain the minimum information necessary as determined by the Incident Coordinator or Chief Information Security Officer. The University respects the privacy of all individuals, and wherever possible the incident response process should be executed without knowledge of any individual identities until necessary.
All incident response activities will be documented to include artifacts obtained during any investigation. As any incident could require proper documentation for law enforcement action, all actions should be documented, and data handled in an appropriate manner to provide a consistent chain of custody for the validity of the data gathered. At any time during the incident response process, the Incident Response Commander or the Chief Information Security Officer may be called upon to escalate any issue regarding the process or incident.
The Chief Information Security Officer, in consultation with the Office of General Counsel, will determine if and when an incident should be escalated to external authorities. PHI (protected health information) is considered individually identifiable if it contains one or more of the following identifiers:
While protecting these records is important, they do not fall under the regulatory protection required for PHI. The Family Educational Rights and Privacy Act (FERPA) defines education records as those records that are: (1) directly related to the student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.
Access, use and disclosure of personally identifiable information contained in education records generally requires the prior written consent of the student, with limited exceptions.
Student treatment records are protected under Connecticut State Law. For more information, visit hipaa.

Introduction

Purpose

This document outlines the plan for responding to information security incidents at the University of Connecticut, including defining the roles and responsibilities of participants, the overall characterization of incident response, relationships to other policies and procedures, and guidelines for reporting requirements.
Anyone suspecting an exposure of university data or systems should immediately contact: Technology Support Center or techsupport uconn.
Definitions

Event: An event is an exception to the normal operation of IT infrastructure, systems or services.

Regulated Data Classification: Regulated Data may have additional reporting and regulatory requirements when dealing with incidents.

Evidence Preservation: The primary goals of incident response are to contain the scope of an incident, reduce the risk to institutional systems and data, and return affected systems and data to an operational state as quickly as possible.