STANDARD FOR INCIDENT RESPONSE
The University of Texas at San Antonio
Office of Information Technology
Office of Information Security (OIS) Standards
OIS 45 – Standard for Incident Response
I. STANDARD STATEMENT
The Office of Information Security (OIS) staff should be notified immediately of any suspected or confirmed security incident involving a UTSA Information Technology Asset. UTSA faculty, staff and students must follow these procedures to report any potential security incidents.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 45 – Standard for Incident Response contact the following office:
The Office of Information Security
V. GENERAL STANDARDS AND GUIDELINES
- When unauthorized system access is suspected or confirmed, UTSA personnel should take immediate action to terminate the access.
- If a virus is found on a computer that has no/a non-standard virus detection software package installed, the user should be disconnected from the network until the problem has been resolved.
- Whenever evidence clearly indicates that UTSA has been victimized by a computer or communications crime, a thorough investigation should be performed by the university police department. This investigation must provide sufficient information so that management can take steps to ensure that: (1) such incidents are not likely to recur, and (2) effective security measures have been reestablished.
- A stern cease-and-desist message should be sent to the source of the external attacks mounted against UTSA when the source or intermediate relay points can be identified.
- The ISO is ultimately responsible for determining what electronic evidence is to be gathered as part of the incident investigation. The ISO cooperates with the university police department in criminal cases by supplying electronic evidence.
- Examples of Reportable Security Incidents
a. Has a UTSA owned, leased or managed computer or computing device been lost or stolen?
b. Has unencrypted University data been lost, stolen, or maliciously corrupted?
c. Has there been unauthorized access to or disclosure of confidential data, personally identifying information, or Controlled research data?
d. Are effects of the incident likely to propagate or cause harm to systems or organizations beyond the control of UTSA?
e. Has a UTSA computer been used to conduct illegal activities requiring police involvement?
f. Was a UTSA website defaced or compromised?
7. Required Timeframe for Incident Assessment
a. The required timeframe for initial incident assessment is 48 hours.
8. Retention of Information related to Security Incidents
a. Information describing all reported security incidents shall be retained for a period of three years.
- Information Security Incident Monitoring
- The ISO will aggregate Information Security Incident data and share it on a regular basiswith the UTSA's Executive Compliance Committee, CIO, Data Owners and ISAs If criminal activity is suspected, the ISO will notify the UTSA Police Department. This data may include number and type(s) of security incidents and other information.
- Information Security Incident Reporting
- Any individual who knows or suspects that an Information Security Incident has occurred must notify the OIS immediately by contacting OITConnect at 210-458-5555 or email@example.com.
- Any attempt to interfere with, prevent, obstruct, retaliate for or dissuade the reporting of an Information Security Incident, critical security concern, policy violation, or information resource vulnerability is strictly prohibited and may be cause for disciplinary action.
- For Information Security Incidents involving criminal activity, the UTSA Police Department will notify other law enforcement agencies as required.
- Information Security Incident Investigation and Identification
- Upon notification of a potential Information Security Incident, the ISO shall promptly assess and gather information to determine the impacted data, systems and business processes. The IRT will determine whether an actual Information Security Incident has occurred. When applicable, the Data Owner will be required to complete and submit a statement describing the stored or processed data and submit it to the ISO. The ISO may also require copies of files.
- If a Security Incident is confirmed, the following individuals shall be notified: CIO, unit or department head, dean (if in an academic area) and UT System's Chief ISO. In addition, if the Information Security Incident involves extramurally funded research, the RIO also shall be notified.
- If investigation of a potential Information Security Incident will take more than the required timeframe for incident assessment, the ISO shall report the potential Information Security Incident to the CIO, unit or department head, dean (if in an academic area), vice president or associate vice president (if administrative area) and UT System's Chief Information Security Officer.
- The IRT will be contacted to provide input on whether the incident warrants notification to affected individuals.
- Information Security Incident Containment
- In some cases action will be necessary to limit the magnitude and scope of the Information Security Incident.
- Should any action be necessary which has a likelihood of having a substantial impact on business processes, the unit or department head or Data Owner, CIO and Data Custodians will be notified in advance.
- Reasonable efforts will be made by OIT to minimize the impact.
- In rare cases it may be necessary to take action without receiving input from individuals who manage the affected information resources. In those cases, authorization from the Provost or President will be required before action is taken.
- Information Security Incident Eradication
- The affected unit is responsible for taking action to identify and either eliminate or mitigate the vulnerabilities resulting in the Security Incident.
- The ISO will provide recommendations to the affected unit and coordinate any remaining efforts needed to eliminate or mitigate the vulnerabilities.
- Information Security Incident Follow-up
- The ISO will develop a Security Incident report summarizing the Information Security Incident and outlining recommended actions.
- The Security Incident report will be amended to include the responsible unit head's action plan and action plan progress and will be shared with the RPT.
- Security Incident Notification
- The ISO will notify the University of Texas System Information Security Office in a timely fashion of all confirmed Information Security Incidents and suspected Information Security Incidents if substantial time will be required to assess whether an Information Security Incident has occurred.
- The ISO will notify state and federal entities as required by law.
- If a decision has been made to notify individuals affected by the Information Security Incident, the RPT will develop and implement a data breach notification process.
- Individuals will be notified as expediently as possible without unreasonable delay. Note that the creation and dissemination of the communications may be assigned outside of the RPT.
- Any media inquiries regarding the Information Security Incident are to be directed to the Associate Vice President of Communications and Marketing.
Effective Date: September 11, 2014
Last Revised: October 10, 2016
Reviewed: August 11, 2017