Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: December 12, 2014
Publication Date: August 2, 2022
Policy Reviewed Date: November 18, 2021
Policy Owner: VP for Information Technology


11.04 Information Security Incident Response


I. POLICY STATEMENT


The UTSA Office of Information Security (OIS) is committed to addressing all attempted, suspected and confirmed information security incidents with a swift and effective response to protect Data and minimize any potential harm to UTSA’s Information Technology Resources.


II. RATIONALE


A proper and successful Security Incident Response allows for the use of appropriate resources and personnel in an efficient manner to prevent, detect, analyze, contain, and eradicate Security Incidents and implement best practices before, during and after Security Incidents.


III. SCOPE


This policy applies to all who are granted access to UTSA Information Technology Resources, including, but not limited to, all Data Users, which includes UTSA employees and third-party authorized users.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.04.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulation
    1. UT System HOP 4.1.1 Information Technology Resources Acceptable Use and Security Policy.
    2. UT System Policy UTS 165, UT System Information Technology Resources Use, and Security Policy.
    3. UT System Policy UTS 178, Required Reporting of Significant Events.
    4. UTSA HOP Policy 11.03, Acceptable Use Policy.
  2. Other Policies and Standards
    1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C.
    2. Texas Computer Crimes Act, Title 7, Chapter 33 Computer Crimes.
    3. UTSA Security Standards

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.04, Information Security Incident Response, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@utsa.edu

VII. DEFINITIONS


  1. Chief Information Security Officer (CISO)
    1. The lead UTSA employee responsible for providing and administering the overall security program for UTSA Information Technology Resources for all centrally maintained and distributed systems and computer equipment.  The CISO assesses Information Technology Resources security risks and engages in a transparent discussion of risks with internal stakeholders.  The CISO is also responsible for the continuous development of this Policy and related.  The CISO tests for compliance and promotes compliance through training, awareness programs, and risk assessments. The CISO responds to the misuse of Information Technology Resources and any unauthorized access of Information Technology Resources by external or internal parties.
  2. Data Custodian
    1. The Data Custodian is responsible for the day-to-day maintenance of UTSA Information Technology Resources. In some instances, this responsibility is assigned to a Department, Vice President Unit, College employee, a third-party vendor, or University Technology Solutions.
  3. Data Owner
    1. The manager or agent responsible for the business function supported by the Information Technology Resource or the individual upon whom responsibility rests for carrying out the program using the Information Technology Resources.
  4. Data User
    1. An individual who is authorized by the Data Owner to access the Information Technology Resource, in accordance with the Data Owner's procedures and rules, whether done individually or through facilitation or responsibility for an automated application or process.
  5. Incident Response Team
    1. The group of individuals who respond to a Security Incident and determine if a Security Incident is reportable to state or federal authorities. The members include the CISO, Senior Information Security Analyst, Chief Privacy Officer, the Vice President of Information Management & Technology, the Chief Technology Officer, Information Security Administrators, Director of Support Services & Operations Support, and Director of Digital Customer Experience. Third-party cyber security and/or forensics vendors may be retained to respond. Others will be included by the CISO as needed.
  6. Indicators of Compromise (IOC)
    1. Technical details of a security incident rising to the level of a Significant Attack, which include, but are not limited to, hash values; Internet Protocol addresses; malware types and/or signatures; and domains used by an attacker.
  7. Information Technology Resources
    1. The procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include but is not limited to any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  8. Information Security Administrator
    1. A designated staff member or Data Custodian for each Department who, in close cooperation with the OIS, is assigned to implement and administer information security initiatives and assist other Data Custodians and/or Data Owners within the respective Department with any security needs.
  9. Information Security Incident
    1. An event that may result in unauthorized access, loss, disclosure, modification, disruption, or destruction of Data and/or Information Technology Resources, whether accidental or deliberate.
  10. Key Stakeholders Team
    1. The group that may provide high-level oversight for the internal and external response to Security Incidents. Members may include the President; Director of the Office of Risk & Emergency Management; the Vice President of Information Management and Technology; Chief Technology Officer; Data Owner; Research Integrity Officer; members of The University of Texas System Offices of Information Security, Risk Management, and/or Privacy; insurance company; third-party forensic vendors.
  11. Response Communication Team
    1. The group that plans and implements notification to affected individuals when an Information Security Incident occurs. Members include the Associate Vice President of Communications and Marketing, Director of Digital Customer Experience, Chief Privacy Officer, Director and Coordinator of Business Continuity Emergency Management, and other individual(s) the Response Communication Team deems necessary.
  12. Significant Attack
    1. An unauthorized activity within UTSA’s Information Technology Resources, including, but not limited to, malware that is spreading; ransomware; nation-state activity inside UTSA’s Information Technology Resources; an extortion demand; or any equivalent activity of similar severity.
  13. Significant Security Incident
    1. Technical details of a security incident that do not rise to the level of a Significant Attack, which include, but are not limited to, disruption to business operations (partial or total service disruption in one or more lines of business for more than 1 day); suspension or termination of a network connection to a third party in order to avoid potential contagion; unauthorized disclosure of Confidential Data; theft of intellectual property by internal or external actors; loss of an unencrypted device thought to have Confidential Data; a crime that triggers external reporting or disclosure obligations, or that creates regulatory consequences; potential coverage by media, including any online media; or likely reputational harm to UTSA.
  14. Tactics, Techniques, and Procedures (TTP)
    1. Technical details of a security incident rising to the level of a Significant Attack, which include, but are not limited to, methods of obtaining credentials with escalated privileges; establishing back doors; exfiltrating Data; other means of persistence within Information Technology Resources; and attack vectors such as brute force, web, email/phishing, external removable media, impersonation spoofing, improper usage, and loss or theft of equipment.

VIII. RESPONSIBILITIES


  1. Incident Response Team
    1. Investigates Security Incidents.
    2. Determines whether a breach has occurred.
    3. Categorizes the level of risk and scope of harm resulting from the Security Incident.
    4. Notifies the Data Owners, Response Communication Team, and/or members of the Key Stakeholders Team of the Security Incident and status updates.
    5. The CISO must notify the UT System CISO and UT System Chief Privacy Officer (CPO) no later than 12 hours after detecting a Significant Attack.
    6. During a Significant Attack, the CISO must provide Indicators of Compromise and Tactics, Techniques, and Procedures to the UT System CISO within six hours of indication of the information.
    7. For Significant Security Incidents, the CISO must notify UT System through the UT System Incident Reporting System within seven days of the onset or discovery of the incident.
    8. Assigns a person responsible for documenting response to Security Incident.
    9. Contains the affected Data and Information Technology Resources.
    10. Eradicates the Security Incident and mitigates the harm from Security Incident.
    11. Provides input on whether the Security Incident warrants notification to affected individuals.
    12. A team member may assign a designee to serve on the Response Communication Team.
  2. Response Communication Team
    1. Plans and implements notification to affected individuals and/or federal or state authorities.
    2. Determines the best mode of communication for internal and/or external notice.
    3. Drafts and sends any pertinent communications to affected individuals.
    4. Notifies the Data Owners, Incident Response Team, and/or members of the Key Stakeholders Team of the Security Incident and status updates.
    5. After the Security Incident has been mitigated, designates a department or staff member to respond to questions from affected individuals regarding the Security Incident.
    6. In some instances, not all members of a team may be able to be present to perform their responsibilities. The CISO, in consultation with other team members, may choose to re-assign or perform the required duties depending on factors such as the need to address critical vulnerabilities.

IX. PROCEDURES


  1. Information Security Incident Monitoring
    1. The CISO will aggregate Information Security Incident data and share it with the Key Stakeholders Team, Response Communication Team, Data Owners, and Information Security Administrators, as needed.
    2. This Data may include the number and type(s) of Information Security Incidents and other information.
  2. Information Security Incident Reporting
    1. Any individual who knows or suspects that an Information Security Incident has occurred or is occurring must notify the OIS immediately by contacting UTSA Tech Solutions at 210-458-5555 or TechCafe@utsa.edu.
    2. Any attempt to interfere with, prevent, obstruct, retaliate for, or dissuade the reporting of an Information Security Incident, critical security concern, policy violation, or Information Technology Resource vulnerability is strictly prohibited.
    3. For Information Security Incidents involving criminal activity, the Response Communication Team will notify law enforcement agencies as required and recommended.
  3. Information Security Incident Investigation and Identification
    1. Upon notification of a potential Information Security Incident, the Incident Response Team shall promptly assess and gather information to determine the impacted Data, Information Technology Resources, and/or business processes. The Incident Response Team will determine whether an actual Information Security Incident has occurred. If a Security Incident is confirmed, OIS will notify the Incident Response Team. If the incident involves research, then the Research Integrity Officer shall also be notified.
    2. When applicable, the Data Owner will be required to complete and submit a statement describing the stored or processed Data and submit it to the Incident Response Team. The Incident Response Team may also require copies of files.
    3. The Incident Response Team will also provide input on whether the Information Security Incident warrants notification to affected individuals and/or other authorities.
  4. Information Security Incident Containment
    1. OIS will determine the magnitude and scope of the Information Security Incident and respond accordingly.
    2. Should any action be necessary which has a likelihood of having a substantial impact on business processes, the Incident Response Team will notify the Key Stakeholders Team.
    3. Reasonable efforts will be made by the Incident Response Team to minimize the impact.
    4. In rare cases, it may be necessary to take action without receiving input from individuals who manage the affected Data and/or Information Technology Resources.
  5. Information Security Incident Eradication
    1. The Incident Response Team is responsible for either eliminating or mitigating the vulnerabilities resulting in the Security Incident.
    2. The Incident Response Team will provide recommendations to the affected unit and coordinate any remaining efforts needed to eliminate or mitigate the vulnerabilities.
  6. Information Security Incident Follow-up
    1. The Incident Response Team will develop a Security Incident report summarizing the Information Security Incident and outlining recommended actions.
    2. The Security Incident report will be amended to include the responsible unit head's action plan and action plan progress and will be shared with the Response Communication Team.
  7. Security Incident Notification
    1. The Incident Response Team will notify The University of Texas System CISO in a timely fashion of all confirmed Information Security Incidents and suspected Information Security Incidents.
    2. The CISO must notify the UT System CISO and UT System CPO no later than 12 hours after detecting a Significant Attack.
    3. During a Significant Attack, the CISO must provide Indicators of Compromise and Tactics, Techniques, and Procedures to the UT System CISO within six hours of indication of the information.
    4. For Significant Security Incidents, the CISO must notify UT System through the UT System Incident Reporting System within seven days of the onset or discovery of the incident.
    5. The Response Communication Team will notify state and federal authorities as required by law.
    6. If a decision has been made to notify individuals affected by the Information Security Incident, then the Response Communication Team will develop and implement a data breach notification process for the particular Security Incident.
    7. Individuals will be notified as expediently as possible without unreasonable delay. Any media inquiries regarding the Information Security Incident are to be directed to the Associate Vice President of Communications and Marketing.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


  1. Classifying your data: Data Classification Standards.
  2. Examples of Reportable Security Incidents.

XII. APPENDIX


None


XIII. Dates Approved/Amended


08-02-2022
12-12-2014