...

Introduction

Pursuant to the University at Albany Information Security Policy, and SUNY Procedure 6608: Information Security Guidelines, Part 1, this protocol is established as part of the Incident Response Security Domain.

Security Domain

The Incident Response Security Domain establishes procedures and assigns responsibilities for detecting, reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.

...

  • Suspected criminal use of systems or services, including:
    • Identity theft
    • Disclosure, destruction, or alteration of University- or affiliate-managed systems or data
  • Loss or theft of devices that contain or enable access to University records
  • Compromise of a web page
  • Compromised credentials
  • Attempts (either failed or successful) to gain unauthorized access to a system or its data
  • Unwanted disruption or denial of service (DoS)
  • Unauthorized use of a system for the transmission, processing or storage of data
  • Changes to system hardware, firmware or software characteristics without the University’s or affiliate’s knowledge, instruction or consent
    • Execution of malicious code, often referred to as malware, such as viruses, Trojans, worms or botnets
    • Unauthorized changes to system configurations
  • Attempts (either failed or successful) to cause failures in critical infrastructure services, loss of critical supervisory control and data acquisition (SCADA) systems

Objectives

This protocol defines specific roles and responsibilities to assure that information security incidents are properly reported and personnel respond effectively to these reports. The effectiveness of the University response is measured by the following:

  • The ability to identify an incident, i.e., the operation of a robust and up-to-date intrusion detection infrastructure
  • The speed and accuracy with which an incident is detected
  • How quickly the incident is contained
  • Remediation of the underlying vulnerability that was exploited
  • Mean time to restoration of the affected system or service
  • Documentation and review for the purpose of measurement and prevention
  • The establishment and preservation of a chain of custody to assure the admissibility of evidence related to an investigation

Scope

This is a University-wide protocol that applies to all University personnel and the employees of those entities and affiliates that rely on the University’s IT infrastructure, data, or applications for their operations.

Roles and Responsibilities

Chief Information Security Officer -- The Chief Information Security Officer (CISO) has primary responsibility for defining the standards and procedures of the University’s Information Security Incident Response plan. The plan will be developed in consultation with the University’s Office of Legal Counsel, the Office of Human Resources Management, Facilities Management, the University Police Department, and IT technical staff.

University Personnel and Employees of University Affiliates -- All staff are required to comply with the standards and procedures of the University’s Information Security Incident Response plan.

Compliance

  1. What Types of Incidents Must Be Reported

...

  • Scans and probes that precede or are related to the incidents listed above should be reported as part of that incident.
  • Any other scans and probes should be reported only if they are persistent or significant.

Review

This protocol and all related published documents will be reviewed no less than once every three years.

Related Documents

SUNY Procedure #6608: Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality
NYS Information Security Breach & Notification Law
NYS Governmental Accountability, Audit & Internal Control Act
NYS Cyber Security Policy P03-002: Information Security Policy
NYS Cyber Security Policy P03-001: Cyber Incident Reporting Policy
SUNY Policies of the Board of Trustees

...