The Official Web site for the Office of Information Technology - UTSA


Copyright (c) 2008. The University of Texas at San Antonio. All rights reserved.


Incident Management Standard

Purpose - This document describes the requirements for dealing with computer security incidents. Security incidents include, but are not limited to: the discovery of viruses, worms and Trojan horses; detection of unauthorized use of computer accounts and computer systems; and the receipt of complaints of improper use of information resources as outlined in the E-mail Policy and the Acceptable Use Policy.

Audience - The UTSA Incident Management Standard applies equally to all individuals who use any university information resources.

  1. When a security incident is suspected or confirmed, the appropriate incident management procedures must be followed. Security incidents include occurrences such as the receipt of a virus/worm/hoax e-mail, or the discovery of hacking tools or altered data.

  2. When unauthorized system access is suspected or confirmed, UTSA personnel must take immediate action to terminate the access. If a virus is found on a computer that has a non-standard virus detection software package installed, the user will be disconnected from the network until the problem has been resolved. UTSA Computer Incident Response Team (CIRT) members have pre-defined roles and responsibilities which can take priority over normal duties.

  3. Any attempt to interfere with, prevent, obstruct, retaliate for or dissuade the reporting of a security problem, violation, or vulnerability is strictly prohibited and is cause for disciplinary action.

  4. Whenever evidence clearly indicates that UTSA has been victimized by a computer or communications crime, a thorough investigation must be performed by the university police department. This investigation must provide sufficient information so that management can take steps to ensure that: (1) such incidents are not likely to recur, and (2) effective security measures have been reestablished.

  5. A stern cease-and-desist message must be sent to the source of the external attacks mounted against UTSA when the source or intermediate relay points can be identified.

  6. The Information Security Officer (ISO) is responsible for notifying the Information Resources Manager (IRM) and the CIRT, and for initiating the appropriate incident management action.

  7. The ISO is responsible for determining what electronic evidence is to be gathered as part of the incident investigation. The ISO cooperates with the university police department in criminal cases by supplying electronic evidence.

  8. The CIRT is responsible for coordinating activities to ensure that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible.

  9. The ISO, working with the IRM, will determine if a widespread UTSA communication is required, the content of the message and the method of dissemination.

  10. The appropriate technical resources from the CIRT are responsible for communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.

  11. The ISO is responsible for initiating, completing and documenting the incident investigation with assistance from the CIRT.

  12. The UTSA ISO is responsible for reporting the incident to the:

    1. IRM

    2. System owner

    3. Texas Department of Information Resources as outlined in TAC 202.

    4. Local, state or federal officials as required by applicable statutes and/or regulations

    5. UTSA Compliance Office

  13. The ISO is responsible for coordinating communications with outside organizations and law enforcement, when appropriate.

  14. If law enforcement personnel are not involved, the ISO will recommend disciplinary paths, if appropriate, to the IRM.

  15. If university law enforcement is involved, the ISO will act as the liaison between the university police department and UTSA.

  16. Information describing all reported security incidents must be retained for a period of three years.
