Incident Response Procedure
If you suspect a security breach, as defined in the Information Security Incident Response Standard, has occurred, you should immediately do the following:
- Isolate the compromised system by unplugging its network connection cable.
- Do not shut down, reboot, access or otherwise alter the machine.
- Contact the Information Security Office at 408-554-5554
Upon notification of a potential security breach, the Information Security Office (“ISO”)
- Will designate an Incident Handler to lead incident response
- Work with the Incident Handler to create an incident log to document all reported facts and actions taken
- Work with the individual reporting the breach to identify the systems and type of information affected
- Ensure that the compromised system is properly isolated from the network and that the logs and electronic evidence are preserved on a platform suitable for analysis by a court of law
- If using a wireless network, change the Service Set Identifier (“SSID”) on the access point and other machines that may be using this connection (with the exception of any systems believed to be compromised).
- The Incident Handler will notify the CISO who, after scoping the incident, will notify the Vice Provost and CIO.
The CISO will form an Information Security Incident Response Team (ISIRT) by identifying an IT employee with the appropriate skill set to work with the Incident Handler to investigate the situation and determine the nature and scope of the incident. Where appropriate, the CISO shall contact database and system administrators to assist in investigation efforts. The Incident Handler and Networking Group shall review the entire network to identify all compromised or affected systems, including e-commerce, test, development and production environments as well as VPN, modem and third-party connections. A determination shall then be made as to the:
- Type of confidential information at risk (e.g., social security or credit card numbers, health information)
- Number of individuals at risk
- Most efficient way to bypass compromised system to ensure business continuity.
If Personally Identifiable Information that requires reporting under California SB 1386 or is otherwise protected by local, state, or federal law is at risk (ex: FERPA or HIPAA), the investigating team must establish:
- Number of identities at risk, identifying those stored and compromised on all test, development and production systems
- Type of information at risk
- If any data was exported and to where
A concurrent or subsequent forensic investigation will establish:
- How the compromise occurred
- The source of the compromise
- The timeframe of the compromise
- That the compromise has been contained
The ISO must also perform a remote vulnerability scan of Santa Clara’s Internet-facing site(s).
In conjunction with General Counsel and Risk Management, the CISO will determine whether a reportable incident has occurred. If a reportable incident has occurred, GC, RM, CISO, and Marketing & Communications will form an Incident Response Communication Team (IRCT) to draft a notification statement to be issued to those impacted by the data loss. Notification must be timely, conspicuous, and delivered in a manner that will ensure the individual receives it.
Appropriate delivery methods include:
- U.S. Mail
- Substitute notice (appropriate only when individuals cannot be reached by mail or email)
- Conspicuous posting of the notice on SCU’s homepage
- Notification to major media
The IRCT will determine, based on the type of data compromised, the number of individuals at risk, and the general demographics of the individuals, the most effective method of notification. If notification is to be made by press release, the IRCT should seek guidance from the Provost and President prior to notification.
Notification should include:
- A general description of the incident
- Steps individuals can take to mitigate harm, including credit report monitoring and fraud alerts as well as sources of information designed to assist the public in protecting against identity theft
- A reminder to remain vigilant over the next 12 to 24 months
- A customer service number individuals can call for additional information.
As a final step, the CISO will convene the Incident Response Team to review the steps taken to recover from the incident and identify steps the university will take to prevent future breaches and to address any deficiencies in the Incident Response Plan.