Source document: Microsoft Word - 10_4 Cyber Security Incident Response Policy.docx (Created Date: 3/13/2017 2:30:50 PM)

Information Technology Security Plan
Cyber Security Incident Response Policy (10.4)

Responsible executive: CIO
Responsible office: ITS
Approval date: 7/01/2016
Effective date: 7/01/2016
Related policies: IT Security Plan, Information Security Awareness Policy

1.0 Policy Statement

The Security Incident Response Policy defines security incident response methods for identifying, mitigating, responding to and reporting information security incidents. Immediately containing and limiting the exposure is our first priority.

2.0 Reason for Policy

The purpose of this policy is to protect the confidentiality, integrity and availability of personal, sensitive or confidential information, to prevent loss of service and to comply with legal requirements.

3.0 Applicability

This policy applies to all employees, students, contractors and other agents using university computing resources, regardless of the ownership of the device used to connect to the network.

4.0 Terms and Definitions

Incident Management is the process of detecting, mitigating, and analyzing threats or violations of security policies and limiting their effect.

Computer Security Incident is a violation (breach) or imminent threat of violation of security policies or standard computer security practices, which may include, but is not limited to: widespread infections from viruses or other malicious code; unauthorized use of computer accounts and systems; unauthorized, intentional or inadvertent disclosure or modification of sensitive data; or the intentional disruption of critical system functionality.

Events of Interest are questionable or suspicious activities that could threaten the security objectives for critical or sensitive data or systems. They may or may not have criminal implications.

5.0 Policy

5.1 Incident Management and Response


Incident management and response involves identifying, mitigating, responding to and reporting information security incidents. The objective is to make timely notification so individuals can take appropriate action. Safeguarding all personal, sensitive or confidential information, no matter the format, is essential to maintaining trust at SSU.

The incident response lifecycle includes:

• Preparation – limit the number of incidents by implementing controls such as security awareness, risk assessment, vulnerability scanning and malware prevention.

• Detection and Analysis – aids in the process of determining an incident’s occurrence, type, extent and impact through the use of intrusion prevention, log correlation, and network and system profiling.

• Documentation and Notification – documents facts regarding the incident and communicates the incident to the appropriate person(s) and/or agency.

• Containment, Eradication and Recovery – involves decision-making (e.g., when to disable an affected system or service) to contain an incident, eliminating the source of exposure and restoring systems to a clean state.

• Post-Incident Activity – reviews lessons learned to improve future incident management and response techniques.

5.2 Incident Handling

• The incident management and response point of contact is the Information Security Officer (ISO).

• Time is critical in the event of a security incident. Report all security incidents or events of interest involving loss, damage or misuse of information assets, or improper dissemination of information.

• Do not attempt to log in to, alter or power off the compromised system. These actions will delete forensic evidence that may be critical to documenting the incident.

• When an incident is reported, the Incident Response Team will be assembled to advise and assist in containing and limiting the exposure, in investigating the attack, in obtaining the appropriate approvals, and in handling notification to the affected individuals and offices.

• The incident escalation path is ISO, CIO, Executive Leadership, University System of Georgia, Board of Regents.

• To report an incident, complete the Cyber Security Incident Form or contact the HelpDesk at 912-358-4357 or [email protected].