
California State University, Northridge
Public Use Standard Operating Procedure

Level 3 Public
Information Technology Standard Operating Procedure
Page 1 of 8

SOP #: 9008004
Information Security Incidence Response Procedures
Revision #: Version 6

Prepared by: Hilary Baker, VP for IT
Date: August 27, 2008

Approved by: CSIRT
Date: August 29, 2008

Last revised by: CSIRT
Date: April 13, 2009

Last approved by: Hilary Baker, VP for IT
Date: April 24, 2009

1.0 PURPOSE
The purpose of this document is to outline procedures and guidelines for responding to CSUN information security incidents. This procedure allows for a coordinated response from Information Security, the Computer Security Incident Response Team (CSIRT), and others involved in investigation plus a follow up of reported information security incidents.

2.0 SCOPE
This procedure applies to responses to all CSUN information security events reported to the IT information security team and covers both the CSUN and its auxiliary organizations.

3.0 RESPONSIBILITY

Role (Title): Information Security Officer (ISO)
Responsibility:
- Ensures that the campus incident response process for computing systems and data resources is followed.
- Handles the primary incident response and assigns an incident severity level.
- Ensures that systemwide and campus notification procedures are followed.
- Reviews incidents potentially involving the unauthorized release of confidential or sensitive information with the CSIRT.
- Trains the individuals responsible for incident response inquiries.
- Prepares a CSIRT Interim Report as well as a final written report containing recommendations to the management staff of the campus unit for addressing the causes of the incident.

Role (Title): Campus Authorizers and Managers (responsible for data oversight of the campus divisions)
Responsibility:
- Develops and maintains an adequate information security plan for paper-based or computing systems within their control.
- Develops and maintains adequate guidelines and procedures for granting and monitoring access to confidential and sensitive information.
- Collects and maintains control records for those systems that contain confidential or sensitive information.
- Reports any information security breaches and files an initial report on the breach with the Information Security Officer.
- Ensures that the initial incident investigation and reporting are conducted on a timely basis.

Role (Title): Campus divisions
Responsibility:
- Informs users who have access to confidential and sensitive information of their responsibilities to secure such data from unauthorized release.
- Develops and maintains data access control records in a secure environment.
- Establishes monitoring procedures to identify unauthorized access and abnormal activity.
- Reports suspected unauthorized acquisition of confidential or sensitive information to the Data Steward and the Information Security Officer.

Role (Title): Computer Security Incident Response Team (CSIRT)
Responsibility:
- Reviews any information security incident or information security breach that potentially involves the unauthorized access of confidential or sensitive information. The team will treat these incidents or breaches as suspected misuses of University resources.
- Determines whether an incident or information security breach resulted in the release of confidential or sensitive information to unauthorized individuals, based on findings by the Information Security Officer.
- Recommends actions by the President, including notification of individuals whose confidential or sensitive information is reasonably believed to have been acquired by unauthorized individuals, based on discussions and findings of fact reported by the Information Security Officer.
- Monitors the progress of the Data Steward and Campus Divisions in respect to notification and remedial action authorized by the President, and formally closes the review of an incident after all remedial actions have been taken.

4.0 PROCEDURE

4.1 IT ISO will receive an incident from many areas: Help Desk, Network Operations, Campus Divisions, and the public. The IT ISO will assign the incident severity level, or assess the incident severity level assigned by the Help Desk or a member of the Office of Information Security.

4.2 High Severity Level Incidents
An incident that could have long-term effects on business, or affects critical systems, or has campus-wide impact, or could damage campus reputation, or is a violation of state and/or federal law. Examples include:
a. Hacking of enterprise systems or applications
b. Cyberstalking
c. Patriot Act violations
d. Loss or theft of Level 1 Confidential Information
e. International, Federal, State or Local law violation like the following:
   i. HIPAA
   ii. FERPA
   iii. Child pornography
f. If there is imminent danger (the act is in progress) that confidential information can be read, modified, or destroyed by an unauthorized entity, or the disclosure or access has already occurred, then assign the incident severity level High.
g. If there is imminent danger of disruption of business due to information security issues or malicious acts, or the disruption is in progress, then assign the incident severity High.
h. For severity High incidents the owner(s) or operator(s) of the affected hosts should be directed to disconnect the device/system from the network and not to use or modify the device/system in any way until Information Security has contacted them and provided instructions.

4.3 The ISO or designee will immediately contact the individual that has reported the incident to obtain an initial understanding of the scope of the incident. As needed, the ISO will call an emergency CSIRT meeting to determine appropriate next steps, and the ISO or designee will prepare a CSIRT interim report, which will include a description of the incident, the number of individuals affected, and the remedial steps that will be taken to address the cause of the incident. Legal counsel will be engaged if necessary.

4.4 The ISO will inform the CIO. Either the ISO or the CIO will inform the campus President and the ISO at the Chancellor's Office.

4.5 If the decision is made to notify impacted individuals, the notification process must be approved by University Advancement and other stakeholders as necessary. The notification letter will be mailed by return receipt, having the receipt responses directed to the ISO. Notifications will be sent with certified mail, return receipt requested, for groups involving less than fifty (50) individuals being notified. For groups larger than fifty (50) the most effective method of notification will be determined.

4.6 The liability for the costs associated with production and dissemination of the notification letter is the responsibility of the department(s) responsible for controlling access to and security of the system(s).

4.7 If notices are sent to more than 10,000 individuals, the following consumer credit reporting agencies shall be notified:
a. Experian: Email to BusinessRecordsVictimAssistance@experian.com
b. Equifax: Email to lanette.fullwood@equifax.com
c. TransUnion: Email to fvad@transunion.com with "Database Compromise" as the subject

4.8 University Advancement will prepare talking points to use if necessary in response to campus or media questions. Talking points should be shared with the following people:
- President
- Cabinet
- ISO
- CSIRT
- Designated individuals responding to any phone calls, emails, letters, and/or walk-in traffic:
a. In general, talking points will direct faculty and staff as follows:
   i. Do not offer unsolicited information or comments to the media
   ii. Advise the inquirer that the incident is under investigation (if this is the case)
   iii. Direct the inquirer to a website for incident information
   iv. Direct inquirers from external law enforcement to CSUN University Police
   v. Direct inquirers from the media to the Public Relations Director

4.9 The ISO or designee will prepare a final written report to share with the CSIRT team, including recommendations to the management staff of the campus unit for addressing the causes of the incident.
4.10 Medium Severity Level Incident
The threat of a future attack or the detection of reconnaissance on the network systems of California State University, Northridge is considered medium severity. Any incident that has a strong possibility to impact a large portion of the campus is considered medium. Examples include:
a. Loss or theft of Level 2 Sensitive Information
b. Website defacement
c. Personal business operations using university resources
d. Sending spam that degrades enterprise system performance
e. Unauthorized excessive resource utilization
f. Account compromised: Faculty or Staff
g. If there is imminent danger of modification of the public's perception of the University due to information security reasons other than disclosure of personal and sensitive information or disruption of service (i.e. the main web page has been modified in an unauthorized manner, but orders can still be processed), then assign the incident severity Medium.

4.11 For severity Medium incidents the owner(s) or operator(s) of the affected hosts should be directed to disconnect the device/system from the network but not to use, modify or update the device/system in any way until Information Security has contacted them to provide further instructions.

4.12 The ISO or designee will immediately contact the individual that has reported the information to obtain an initial understanding of the scope of the incident. The ISO will review the severity of the incident and determine if a CSIRT meeting needs to be called to determine appropriate next steps.

4.13 The stakeholders of the incident will be notified and, depending upon the impact to the campus, the notification process may also involve the Vice President for Information Technology/CIO, the Vice President for University Advancement, and the President of the University.

4.14 The ISO may be a primary incident handler to complete the appropriate actions for a medium incident.
4.15 Low Severity Level Incident
Low incidents have an impact on only one or a few individuals. Incidents that are considered Low Severity can be handled within IT and do not require escalation outside of IT. Examples include:
- Malware/virus infected system connected to the campus network
- Copyright infringement violations (examples: RIAA, MPAA, DMCA)
- Unauthorized chat/game/file servers
- Illegal sharing of copyright material such as music, movies, and software
- An email to Abuse regarding a Spam incident
- Account compromised: Student
If there is no imminent threat to California State University, Northridge systems, or university confidential and sensitive data, then assign the incident severity Low.

4.16 The ISO or designee will immediately contact the individual that has reported the information to obtain an initial understanding of the scope of the incident.

4.17 The ISO may assign a primary incident handler to complete the appropriate actions for a low incident.
4.18 Process for all incidents
All Information Security incidents will be recorded and investigated in a timely manner. Upon completion, incidents will be reviewed by management.
a. Coordination of the incident may include but is not limited to the following:
   - Perform a preliminary analysis of the incident identifying incident cause, personal and university information at risk, collection of evidence, remedial action, and recommendations.
   - Examine incident computers or systems.
   - Remove the incident computing system from the campus network if necessary.
   - Coordinate additional assistance to provide and to preserve incident evidence.
   - Investigate information on website defacement.
   - Notify or alert campus users if newly reported vulnerabilities are identified on operating systems, servers or services, applications, or network devices.

b. If the primary incident handler cannot be reached or does not confirm that they are responding to the incident in the necessary time, then the incident should be escalated to the ISO and then to the VP for Information Technology/CIO or designee.
c. A final report on the findings, causes, future concerns, and countermeasures will be completed upon closure of high and medium level incidents.

4.19 Incident Numbering
Incidents will be assigned a Case number. This number shall be used for Information Security incident tracking purposes.

5.0 DEFINITIONS:

Computer Security Incident Response Team (CSIRT): The team responsible for the coordination and management of all High and some Medium incident responses. CSIRT is a team made up of members from the following Campus areas: Internal Audit, Risk Management, CSUN University Police, University Counsel, Public Relations, Information Security and the CIO.

Digital Millennium Copyright Act (DMCA): A United States copyright law which implements two 1996 World Intellectual Property Organization (WIPO) treaties. It criminalizes production and dissemination of technology, devices, or services that are used to circumvent measures that control access to copyrighted works (commonly known as Digital Rights Management (DRM)) and criminalizes the act of circumventing an access control, even when there is no infringement of copyright itself.

Event: An observable occurrence; an aspect of an investigation that can be documented, verified, and analyzed.

Evidence: Data on which to base proof or to establish truth or falsehood.

Family Educational Rights and Privacy Act (FERPA): This privacy Act also governs how state agencies transmit testing data to federal agencies. The regulations cover violations such as school employees divulging information to someone other than the child's parents about a child's home life, grades or behaviors, and schoolwork posted on a bulletin board with a grade.

Forensic Analysis: Examination of material and/or data to determine their essential features and their relationship in an effort to discover evidence in a manner that is admissible in a court of law; post-mortem examination.

Gramm-Leach-Bliley Act (GLBA): This act provides for enhanced protection of nonpublic personal information, including health information, and for other purposes.

Health Insurance Portability and Accountability Act (HIPAA): This act has administrative safeguards that are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system. The administrative safeguard provisions also address the information security and privacy of health data and relate to any private personal information.
Incident: An adverse event or series of events that affect information security or the ability of California State University, Northridge or its affiliates to do business.

Incident Response Management: A CSUN leadership team comprising the Provost, Vice President for Administration/Finance, the VP of Student Affairs, Legal, and Public Relations.

Incident Response Team: A cross-functional team of technical and information security analysts that are responsible for investigation of information security incidents.

Incident Severity Levels: Level ratings for information security threat levels defined herein as High, Medium, and Low.

Motion Picture Association of America (MPAA): The Motion Picture Association of America and its international counterpart, the Motion Picture Association (MPA), serve as the voice and advocate of the American motion picture, home video and television industries, domestically through the MPAA and internationally through the MPA.

Recording Industry Association of America (RIAA): The Recording Industry Association of America is the trade group that represents the U.S. recording industry.

Sarbanes-Oxley Act (SOX): This act covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

6.0 REFERENCES:
California Civil Code 1798.29 and 1798.82 to 1798.84
Policy 50013 Security Breach of Personal Information Policy

7.0 FURTHER INFORMATION:

