Santa Clara University

Information Security Office

Incident Response Standard

Revised

August 27, 2013

Purpose

The purpose of this document is to define general requirements for responding to an information security incident.

Guiding Principles

The Information Security Incident Response Program and subordinate procedures define standard methods for identifying, containing, eradicating and documenting response to computer-based information security incidents.  Information Security incidents occurring on the University network or attached devices will be managed centrally by the Information Security Office (ISO) and will include other campus resources as determined by the ISO.  Centralized notification and control of security incident investigation is necessary to ensure that immediate attention and appropriate resources are used to respond to events that could potentially disrupt the operation of the University or compromise University data.

Incident Types

An incident is defined as an adverse event in an information system and/or network device or the threat of the occurrence of such an event.  Events may be characterized as unauthorized use of another’s user account, unauthorized use of system privileges, or execution of malicious code.  Events characterized as environmental (such as natural disasters, electrical outages, heat damage) are not within the scope of this document. The most identifiable types of event are:

  • Malicious code attacks—Attacks by programs such as viruses, Trojan Horse programs, worms, and scripts to gain privileges, capture passwords, and/or modify audit logs to hide unauthorized activity.
  • Unauthorized access—Includes unauthorized users logging into a legitimate account, unauthorized access to files and directories, or operation of “sniffer” devices.
  • Disruption of services—Includes erasing of programs or data, mail spamming, denial of service attacks, or altering system functionality.
  • Misuse—Involves the use of computer resources for purposes other than those defined in the End User Security Standard.
  • Espionage—Stealing information to subvert the interests of a corporation or government entity.
  • Hoaxes—Generally an email warning of a non-existent virus.
  • Campus-wide Outage—A campus-wide outage is a fault, event, or other unforeseen issue causing failures to all or large portions of the campus communication and computing infrastructure, services, and devices, or to key communication and computing resources such as a DNS failure or a loss of campus Internet access.

Incident Severity

Incidents will be classified by the ISO based on the perceived impact on University resources:

Critical—Severe risk to the University network and/or external systems over the Internet.  May be characterized by widespread risk of compromise of multiple systems or high risk of compromising sensitive information.  Criteria for determining if an incident is critical include but are not limited to: health and safety of personnel, legal issues, possible harm to the University’s reputation, a campus-wide outage.

Medium—Medium risk to the University network and low risk to external systems over the Internet.  May be characterized by risk of compromising more than one system, no risk to sensitive data, or isolation to a single system.

Low—Low risk to the University network and no risk to external systems over the Internet. May be characterized by compromise of a system that does not host or process critical/sensitive information and does not pose a risk to other systems or types of devices.

Information Security Incident Response Team (ISIRT)

The ISO, with the advice and assistance of college and departmental IT representatives, will have the capability to establish an ISIRT to respond to security incidents.

Incident Reporting

Any individual or organization internal or external to Santa Clara University can notify the ISO of an activity or concern.

Scope

This policy applies to all Santa Clara University employees, contractors, vendors and agents.

Responsibility

All users of Santa Clara University IT resources are responsible for compliance with this policy.

Procedures

Incident Response Procedure:  The ISO maintains internal procedures for incident logging, tracking, and reporting.  The current incident response procedure can be found here.

Non-Compliance with this Standard:  Any employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment.

Adapted with permission from Georgia State University and Yale University

Information Security Office, 1-408-554-5554, iso@scu.edu