Information Security Incident Response Protocol
Introduction
Pursuant to the University at Albany Information Security Policy, and SUNY Procedure 6608: Information Security Guidelines, Part 1, this protocol is established as part of the Incident Response Security Domain.
Security Domain
The Incident Response Security Domain establishes procedures and assigns responsibilities for detecting, reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.
What is an Information Security Incident?
An information security incident is considered to be any adverse event that threatens the confidentiality, integrity or availability of University or affiliate information resources. These events include, but are not limited to, the following activities:
Suspected criminal use of systems or services, including:
Identity theft
Disclosure, destruction, or alteration of University or affiliate-managed systems or data
Loss or theft of devices that contain or enable access to University records
Compromise of a web page
Compromised credentials
Attempts (either failed or successful) to gain unauthorized access to a system or its data
Unwanted disruption or denial of service (DoS)
Unauthorized use of a system for the transmission, processing or storage of data
Changes to system hardware, firmware or software characteristics without the University’s or affiliate’s knowledge, instruction or consent
Execution of malicious code, often referred to as malware, such as viruses, Trojans, worms or botnets
Unauthorized changes to system configurations
Attempts (either failed or successful) to cause failures in critical infrastructure services or loss of critical supervisory control and data acquisition (SCADA) systems
Objectives
This protocol defines specific roles and responsibilities to assure that information security incidents are properly reported and personnel respond effectively to these reports. The effectiveness of the University response is measured by the following:
The ability to identify an incident, i.e., the operation of a robust and up-to-date intrusion detection infrastructure
The speed and accuracy with which an incident is detected
How quickly the incident is contained
Remediation of the underlying vulnerability that was exploited
Mean time to restoration of the affected system or service
Documentation and review for the purpose of measurement and prevention
The establishment and preservation of a chain of custody to assure the admissibility of evidence related to an investigation
Scope
This is a University-wide protocol that applies to all University personnel and the employees of those entities and affiliates that rely on the University’s IT infrastructure, data, or applications for their operations.
Roles and Responsibilities
Chief Information Security Officer - The Chief Information Security Officer (CISO) has primary responsibility for defining the standards and procedures of the University’s Information Security Incident Response plan. The plan will be developed in consultation with the University’s Office of Legal Counsel, the Office of Human Resources Management, Facilities Management, the University Police Department, and IT technical staff.
University Personnel and Employees of University Affiliates - All staff are required to comply with the standards and procedures of the University’s Information Security Incident Response plan.
Compliance
What Types of Incidents Must Be Reported
A. Unauthorized Access
Report successful, unauthorized access to systems (e.g., web site defacements, unauthorized root or administrator access).
Report unsuccessful attempts only if they are considered to be persistent (e.g., someone from the same source keeps locking out accounts trying to brute force passwords, an automated script keeps probing a web server causing response problems).
Report suspected unauthorized access if you have evidence that suggests anomalies in routine access activity (e.g., access by authorized users outside of normal business hours, or from non-US locations).
B. Malicious Code
Report instances of viruses, Trojans, worms, botnets or other forms of malicious code that have infected University or affiliate-owned systems.
Report sources of persistent attempts to install or inject malware on University or affiliate-owned machines or processes, regardless of whether or not they are successful (e.g., large spam runs with malicious attachments or links).
C. Denial of Service (DoS)
Report all denial of service attacks that adversely affect or degrade access to critical services.
Report all other attempted denial of service attacks only if they are persistent or significant (e.g., attempted DoS attacks aimed specifically at DNS servers or routers would be significant).
D. Reconnaissance Scans and Probes
Scans and probes that precede or are related to the incidents listed above should be reported as part of that incident.
Any other scans and probes should be reported only if they are persistent or significant.
Review
This protocol and all related published documents will be reviewed no less than once every three years.
Related Documents
SUNY Procedure #6608: Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality
NYS Information Security Breach & Notification Law
NYS Governmental Accountability, Audit & Internal Control Act
NYS Cyber Security Policy P03-002: Information Security Policy
NYS Cyber Security Policy P03-001: Cyber Incident Reporting Policy
SUNY Policies of the Board of Trustees
Updated: September 2011