Information Security Incident Response Plan

Introduction

All faculty and staff of the College of Natural Sciences & Mathematics (NSM) are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the college, regardless of the medium on which the data is stored. Moreover, with NSMIT’s assistance, departments are responsible for implementing operational, physical, and technical controls for access, use, transmission, and disposal of NSM data in compliance with all University of Houston privacy and security policies, procedures, and guidelines. The University of Houston expects its employees and stakeholders to use all University information technology assets and data in a manner that is legal, ethical, and consistent with the mission of the University.

The NSM Information Security Incident Response comprises the following phases from inception to completion:

  1. Incident Identification and Investigation
  2. Incident Response
    • Initial Report
    • Action Logs
    • Containment Plan
    • Remediation Plan
  3. Affected-Party Notification
  4. Confirmation of Elimination of Threat and Resumption of Operations
  5. Post-Action Review Process

This incident response plan is reviewed annually in December and updated as warranted based on University policy, industry best practices, and response to new threats.

Incident Identification and Investigation

Incident identification is the process of analyzing an event and determining whether it negatively affects the confidentiality, integrity, or availability of an NSM information technology resource. The NSM ISO is responsible for identification of an incident.

An incident is any observable, measurable, abnormal, and adverse event involving an NSM information resource. An incident may also be a threat of such an event. Examples include, but are not limited to:

  • Unauthorized activity on NSM systems (servers or workstations), including denial-of-service.
  • Malicious code discovered on an NSM system.
  • Hardware containing sensitive information has been reported stolen or missing.
  • Unauthorized use or deliberate misuse of NSM systems has been positively identified.
  • Data stored on NSM servers or workstations has been exposed to unauthorized users.
  • Hardware or application failures resulting in widespread system unavailability.

Incidents may arise from any of the following:

  • Intentional or unintentional acts of University employees, students, or third-party individuals.
  • Natural disasters that cause power, system, or network disruptions.
  • Potential or realized violations of federal, state, or University regulations, including compliance laws.
  • Corruption of data.
  • Malicious code, including viruses, malware, spyware, SQL injections, and XSS attacks.

Information about a potential information security incident can arrive by a number of channels, including but not limited to:

  • Direct report by a faculty, staff, or student.
  • Anomalous activity on the University’s intrusion detection system, relayed to the NSM information security officer by UIT Security personnel.
  • Anomalous activity detected by NSMIT personnel on NSM servers.
  • A report relayed to the NSM information security officer by UIT Security from mysafecampus.com.
  • A report relayed to the NSM information security officer by UIT Security from law enforcement.

Anyone suspecting any of the above-mentioned activities is directed to inform NSMIT, who will bring it to the attention of the College’s information security officer.

UIT Security has ultimate ownership of and accountability for investigating the potential security incident. Along with the College’s information security officer, they are responsible for:

  • Managing the incident response from start to finish.
  • Adhering to this document and established University of Houston policies, procedures, and guidelines.
  • Providing appropriate and timely updates to College administration and UIT Security.
  • Operating at all times to protect the data, operations, and reputation of the College of Natural Sciences & Mathematics and the University of Houston.

It is imperative that the ISO act quickly to assess the event, and it is critical to prevent the situation from becoming more severe. In gathering data, especially in a widespread event, the ISO will take care to consider:

  • The type of incident that has occurred (e.g. PII exposure, system failure, data corruption).
  • The participants involved.
  • The extent and scope of the incident.
  • Any mitigating circumstances, such as the use of encryption.
  • The state of the affected resources (e.g. data, storage media, other physical hardware).
  • The urgency of the incident in terms of personnel and systems.
  • The impact, both current and projected, to College operations.
  • The actions taken in regard to the incident thus far.

Response Plan

Once a security incident has been identified, the ISO will write up an initial report that will be supplied to UIT Security, the NSM Information Resource Manager, and the NSM Technology Manager.

The initial report will contain the following items:

  1. Incident description
  2. Date and time of declaration
  3. Physical Assets/Resources involved
  4. Data involved
  5. Personnel involved

As the investigation proceeds, action log files will be generated by anyone acting with the ISO in regard to the incident. An action is defined as a concrete activity related to the incident and may include forensic and communication activities.

An action log entry will include:

  1. Incident reference
  2. Actions taken
  3. Communications made
  4. Data/Assets/Personnel involved in the action
  5. Pertinent information discovered that aids the investigation

The NSM ISO is responsible for leading efforts to preserve evidence. Should additional expertise be required, the ISO will enlist the aid of UIT Security. The ISO will observe the following general forensic guidelines:

  1. Keep accurate records of observations and actions taken
  2. Make reliable images of involved systems and store them in a secure place
  3. Establish chain of custody for physical resources involved in the investigation

Often a security incident will require the involvement of internal or external entities. UIT Security will handle and advise on appropriate communication with external entities such as the Office of General Counsel, Human Resources, the Provost’s Office, or the Dean of Students’ office.

All communication, when possible and prudent, should occur through secure and private channels. Individuals involved in the security incident should take care not to increase the exposure by attaching sensitive data to e-mail or discussing details in voice mail.

At no time will any member of NSMIT communicate with members of the media. All media communication, if applicable, will occur under the direction of University management.

Once an incident has been identified and detailed, the ISO will draw up a containment plan, which delineates the steps NSM will take to stop the threat until the remediation plan can be developed. The containment plan may include such steps as powering down a system or removing its access to the UH network. In the event that total containment is not possible (e.g. College management determines that the business needs of the College outweigh removing systems from the network), the ISO will consult with UIT Security as to the best way to contain the threat.

The containment plan will include:

  1. Incident reference
  2. Actions taken and by whom
  3. Systems taken offline, length of outage, and impact to College activities

After the threat has been satisfactorily contained, the ISO will draw up the remediation plan in conjunction with review and advisement from UIT Security. The goal of this plan is to eliminate the threat, restore operations, and mitigate or reverse the damage caused in the incident.

As with the containment plan, the sections of the remediation plan will include:

  1. Incident reference
  2. Actions taken and by whom
  3. Systems taken offline, length of outage, and impact to College activities

In small-scale incidents, the containment plan and remediation plan may be merged.

Affected-Party Notification

Should the incident affect students or other external entities, notification activities will be coordinated among College management, UIT Security, and the Office of the General Counsel.

Confirmation of Elimination of Threat and Resumption of Operations

After the remediation plan has been executed, the ISO will work with data owners to confirm the mitigation of all relevant threats and verify that new threats have not emerged as a result of the remediation activities. With College management input, the ISO and data owners will jointly decide when to resume operations.

Post-Action Review Process

No later than two weeks after the closure of the incident, the ISO will lead a post-action review. The primary purpose of the review process is to give participants an opportunity to share and document details about the incident and to identify and make use of lessons learned.

No later than four weeks after the closure of the incident, the ISO will provide College Management and UIT Security a Post-Action Report containing the following:

  1. Executive summary of the incident
  2. Summary of forensics performed
  3. Summary of containment activities
  4. Summary of compliance consequences, if any
  5. Summary of notification activities, if any
  6. Summary of remediation actions
  7. Analysis detailing the determination of the root cause of the incident
  8. Detailed list of recommendations
  9. Changes to technical or business processes as a result of the incident
  10. Education/outreach effort plans as a result of the incident

Finally, the IRM plan risk analysis will be updated based on incident findings.