Information Security
Information Security Incident Response Protocol
March 2006
Information Security Incident Response Protocol
I. The Information Security Incident Response Protocol
The purpose of the Information Security Incident Response Protocol is to establish procedures in accordance with applicable legal and regulatory requirements and University policy to address instances of unauthorized access to or disclosure of University Information, to be known as an Incident.
In addition to all the defenses that have been mounted in protection of the infrastructure and the information processed within, conventional wisdom recommends a high level of preparedness for a security incident. This protocol describes the response to such events, the conditions whereby this process is invoked, the resources required, and the course of recommended action. Central to this process is the Incident Response Team (IRT), assembled with the purpose of addressing that particular circumstance where there is credible evidence of an incident. See "Process Flow - Appendix A" for a graphical representation of the information flow and decision process.
The primary emphasis of activities described within this protocol is the return to a normalized (secure) state as quickly as possible, while minimizing the adverse impact to the University. The capture and preservation of incident relevant data (e.g., network flows, data on drives, access logs, etc.) is performed primarily for the purpose of problem determination and resolution, and methods currently employed are suitable for that purpose. It is understood and accepted that strict forensic measures are not used in the data capture and retention.
This document may reference other documentation, policies and procedures that support this protocol but are not contained within the document, e.g., policy that defines sensitive data, scripts to be followed by the IT Help Desk (HelpDesk) and IT Network Operations Center (NOC) personnel, or documented CIRT (Computer Incident Response Team) procedures. Where this occurs, instructions to obtain these materials will be specified.
Circumstances may dictate the activation of other operational teams and execution of other protocols. The IRT must monitor and coordinate all activities occurring under other operational teams and protocols, and communicate to all interested parties in a timely manner to ensure accurate assessments and avoid efforts that may be duplicated or at cross-purposes.
II. Definitions
A. Information Security Incident
An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorized release of information deemed sensitive by the University or subject to regulation or legislation, beyond the University's sphere of control.
INFORMATION SECURITY RESPONSE PROTOCOL PAGE 2 OF 24
Examples of an Information Security Incident may include but are not limited to:
o the theft or physical loss of computer equipment known to hold files containing SSNs
o an unencrypted list of alumni contributors emailed to an unauthorized recipient
o a server known to hold sensitive data is accessed or otherwise compromised by an unauthorized party
o printed copies of student loan applications are discovered in a publicly accessible dumpster
o an outside entity is subjected to a DDoS (Distributed Denial of Service) attack originating from within the University network
o a firewall is accessed by an unauthorized entity
o a network outage is attributed to the activities of an unauthorized entity
Categories
For the purposes of this protocol, incidents are categorized as "Unauthorized Access" or "Unauthorized Acquisition", and can be recognized by associated characteristics.
Unauthorized Access
The unauthorized access to or disclosure of University information through network and/or computing related infrastructure, or misuse of such infrastructure, to include access to related components (e.g., network, server, workstation, router, firewall, system, application, data, etc.)
Characteristics of security incidents where unauthorized access might have occurred may include but are not limited to:
o Evidence (e-mail, system log) of disclosure of sensitive data
o Anomalous traffic to or from the suspected target
o System alerts (NUSA)
o Unexpected changes in resource usage
o Increased response time
o System slowdown or failure
o Changes in default or user-defined settings
o Unexplained or unexpected use of system resources
o Unusual activities appearing in system or audit logs
o Changes to or appearance of new system files
o New folders, files, programs or executables
o UserID lock out
o Appliance or equipment failure
o Unexpected enabling or activation of services or ports
o Protective mechanisms disabled (firewall, anti-virus)
Unauthorized Acquisition
The unauthorized physical access to, disclosure or acquisition of assets containing or providing access to University information (e.g., removable drives or media, hardcopy, wiring closets, file or document storage, appliance hardware, etc.)
Characteristics of security incidents where unauthorized acquisition might have occurred may include but are not limited to:
o Theft of computer equipment where sensitive data is stored
o Loss of storage media (removable drive, CD-Rom, DVD, flash drive, magnetic tape)
o Printed materials containing University sensitive data mishandled or left unsecured
o Illegal entry (burglary)
o Office equipment in disarray or out of place
o Suspicious or foreign hardware is connected to the network
o Normally-secured storage areas found unsecured
o Broken or non-functioning locking mechanisms
o Presence of unauthorized personnel in secured areas
o Disabled security cameras or devices
Severity
Incidents are further delineated by the actual and potential impact on the business of the University. For additional information on severity assignments and associated symptoms, see "Incident Severity - Appendix D". The primary focus of this protocol is the handling of Severity 1 Incidents.
B. Information Security Incident Response Team
The Information Security Incident Response Team (IRT) is comprised of individuals with decision-making authority from within the University and charged by the Administration with the responsibility of assisting in the process described within this document.
C. University Information
University Information is any information maintained by or on behalf of the University that is used in the conduct of University business regardless of the manner in which such information is maintained or transmitted. University Information formats include, but are not limited to oral or written words, screen display, electronic transmission, stored media, printed material, facsimile or any other medium.
D. Sensitive Data
Sensitive Data is:
o any University Information declared to be Confidential, or Restricted by University policy, and
o any personally identifiable information as determined or governed by law or regulation or University policy requiring protection from disclosure.
Examples include but are not limited to:
o NetID and Password
o Name in combination with SSN
o Credit or Debit Card Number and Access Code (e.g., PIN or Password)
o Personal medical records
o Unpublished results of research or financial investment strategies
o Proprietary data (e.g., protected formulas or patents)
o "Anonymous Donor" records
E. University Client (Client)
A University Client (Client) is:
o any faculty, student, staff or alumni affiliated with the University, or
o any department or school of the University, or
o any employee (permanent, temporary and contract personnel)
F. 3rd Party
A 3rd party is:
o any entity having a relationship with the University not described as a Client (e.g., business partner, research subject, vendor), or
o any external entity initiating contact with the University (e.g., RIAA, target of DDoS attack, student applicant, member of the general public).
III. Information Security Incident Response Team (IRT)
A. Incident Response Team Composition
The IRT consists of a Primary Team and Secondary Team, if deemed necessary. Each member of the Primary Team will designate an Alternate member to participate if the Primary Member is unavailable. See "Primary and Alternate Contact List - Appendix B" for a listing of individual members. The Primary Team will consist of representatives from the following areas:
A1. Primary Team (Required)
1. Information and System Security/Compliance (ISS/C) - Team Lead
2. Computing Services (CS)
3. Technology Support Services (TSS)
4. Telecommunications and Network Services (TNS)
5. Management Systems
6. Auditing Department
7. Office of General Counsel
8. University Police
9. University Relations
10. Disaster Recovery/Business Continuity Planning
A2. Secondary Team (as needed)
The circumstances surrounding each incident may differ and require personnel with expertise or skills beyond that of the Primary Team. Members of the Primary Team will determine what, if any, additional resources are required and a Secondary Team may be established with:
o Individuals with decision-making authority identified to have a vested interest in the resolution of the incident.
o Individuals identified as subject matter experts or having skills required for resolution of the incident.
Information Security Coordinators representing an affected Client or 3rd Party, or known to have an established relationship with an affected Client or 3rd Party, may be requested to serve on the Secondary Team.
B. Team Objectives
Led by the University's Information and Systems Security/Compliance office, the IRT's objective is to:
1. Coordinate and oversee the response to Incidents in accordance with the requirements of state and federal laws and University policy;
2. Minimize the potential negative impact to the University, Client and 3rd Party as a result of such Incidents;
3. Where appropriate, inform the affected Client and 3rd Party of action that is recommended or required on their behalf;
4. Restore services to a normalized and secure state of operation;
5. Provide clear and timely communication to all interested parties.
C. Responsibilities
To ensure an appropriate and timely execution of this protocol, the IRT Lead (or designated IRT Member) is required to:
1. Confirm the occurrence of an Incident requiring the execution of this protocol. Confirmation activities include but are not limited to:
o direct conversation with Client, 3rd Party, HelpDesk, NOC personnel, "on call" engineer, IRT members or others having information about the event
o review of system logs or audit records
o examination or analysis of anomalies or untoward events
o collection of any evidence supportive of the event
2. Supervise and direct the consistent, timely, and appropriate response to an Incident.
3. Provide appropriate communication to parties having a vested interest in the incident.
4. Offer support to the Client or 3rd Party as appropriate until the Incident is resolved.
5. Conduct a post-Incident review.
6. Maintain the procedures contained in this document.
D. Accountability
Individual IRT members are accountable to the Team and University Administration for the timely and effective execution of this protocol and associated activities.
E. Reporting a Security Incident
Anyone with knowledge or a reasonable suspicion of an incident is instructed to make an immediate report to any of the following:
o The IT Network Operations Center
o The IT Help Desk
o The e-mail address security@university.edu
Note: This e-mail address may be used but is less effective than the direct notification of the Help Desk or NOC via voice communication or voicemail.
HelpDesk and NOC personnel use scripts (e.g., lists of predetermined questions) to assist in problem determination and resolution. These scripts assist support personnel to identify those events that may be classified as an Information Security Incident. Additional information may be found in "Guidelines for HelpDesk and NOC Personnel - Appendix H".
Anyone receiving notification of an Incident must contact the NOC immediately. NOC personnel will contact the Telecommunications and Network Services "on call engineer" in the likelihood of an incident. The engineer will follow the TNS-defined escalation procedures and immediately contact the IRT Lead when an Incident has or appears to have occurred.
F. Activation of Team
Once the IRT Lead has determined an Incident has occurred, the IRT Lead will activate this protocol within 24 hours after Incident determination. Notification of the Primary Team member or Alternate should occur via a direct communication by telephone or face-to-face contact. Voice-mail and e-mail are not considered direct notification. Respective Primary and Alternate Team members should exchange information frequently to ensure their knowledge of the incident is current.
Consult the "Notification Tree - Appendix C" for details and notification assignments.
IV. Key Components of Response Protocol
The Incident Response Protocol consists of five key components: Assessment, Notification/Communication, Containment, Corrective Measures and Closure.
A. Assessment
The IRT Lead will determine the category and severity of the Incident and undertake discussions and activities to determine the best course of action, i.e., decide if protocol execution is required. The "Assessment Checklist - Appendix E" is used in the initial assessment process conducted by the IRT Lead. Once the IRT is assembled, the Assessment Checklist is executed and reviewed to ensure all pertinent facts are established. All discussions, decisions and activities are to be documented.
B. Notification/Communication
Designated persons will take action to notify the appropriate internal and external parties, as necessary.
B1. Internal Notification (within the University)
All Internal Notification and communication must be approved by the Primary IRT.
1. Primary Team members notify Alternate Team members (and vice-versa). The IRT will notify members of Secondary Team (if assembled).
2. IRT Lead will notify University Administration, IT Directors and the Information Security Coordinators of the Incident and provide ongoing status.
3. IRT Lead will issue or direct all "sensitive" internal communications.
4. IT-Technology Support Services will issue all public internal communication.
B2. External Notification (outside the University)
All External Notification and communication must be approved by the Office of General Counsel.
1. 3rd Party - IRT Lead (or designated representative) and the Office of General Counsel will establish communication with any 3rd Party, as appropriate for the circumstance.
2. Law Enforcement - University Police notifies local, state, and/or federal law enforcement agencies as appropriate.
3. Regulators - Office of General Counsel notifies the appropriate regulatory agencies.
4. IRT members will assist in determining if other parties should be notified (e.g., Dell's Stolen Computer Division).
5. News outlets - IT-Technology Support Services and University Relations will determine if, how and when news outlets should be notified, and respond to all inquiries from news outlets.
6. School and Research administration determine if government notification (e.g., DOD, FDA) is required and take appropriate action.
7. Other affected parties - The IRT will determine if there are other parties of interest, with communications issued accordingly.
B3. Client Notification
1. Client should be informed that the Incident has been reported and recorded and that an investigation is underway.
2. Client shall be kept abreast of the status of the Incident investigation in a timely manner.
3. Client shall be notified of results, closure of investigation, and recommendations.
B4. Status
1. IRT Lead and IT-Technical Support Services assume responsibility for preparing and issuing timely communication to IRT members, Administration and other interested parties.
2. Communications may include meetings, video conferencing, teleconferencing, e-mail, telephone/messaging, voice recordings or other means as deemed appropriate.
3. Frequency and timeliness of communications will be established and revised throughout the life of the incident.
C. Containment
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly contain and minimize the immediate impact to the University, Client and 3rd Party. Recommended activities addressing Unauthorized Access and Unauthorized Acquisition are described in "Incident Containment Activities - Appendix F".
Containment activities are designed with the primary objectives of:
o Counteract the immediate threat
o Prevent propagation or expansion of the incident
o Minimize actual and potential damage
o Restrict knowledge of the incident to authorized personnel
o Preserve information relevant to the incident
D. Corrective Measures
The IRT will determine and cause to be executed the appropriate activities and processes required to quickly restore circumstances to a normalized (secure) state. Recommended activities addressing Unauthorized Access and Unauthorized Acquisition are described in "Corrective Measures - Appendix G".
Corrective measures are designed with the primary objectives of:
o Secure the processing environment
o Restore the processing environment to its normalized state
E. Closure
The IRT will stay actively engaged throughout the life of the Incident to assess the progress/status of all containment and corrective measures and determine at what point the incident can be considered resolved. Recommendations for improvements to processes, policies, procedures, etc. will exist beyond the activities required for incident resolution and should not delay closing the Incident.
V. Required Documentation of Incident & IRT Meetings
All Incident activities, from receipt of the initial report through Post-Incident Review, are to be documented. The IRT Lead is responsible for ensuring all events are recorded, assembling these records in preparation and performance of the post-incident review, and ensuring all records are preserved for review. IRT members may be employed in these efforts.

1. General overview of the Incident
Summary of the Incident providing a general description of events, approximate timelines, parties involved, resolution of the incident, external notifications required, and recommendations for prevention and remediation.
2. Detailed review of the Incident
Description of Incident events, indicating specific timelines, personnel involved, hours spent on various activities, impact to Client, 3rd Party and user communities (e.g., system not available, business continuity issues), ensuing discussions, decisions and assignments made, problems encountered, successful and unsuccessful activities, notifications required or recommended, steps taken for containment and remediation, recommendations for prevention and remediation (short-term and long-term), identification of policy and procedure gaps, results of post-incident review.
3. Retention
All relevant documentation will be retained by IRT Lead for archival in a central repository. Access to the documentation and repository is typically restricted to IRT membership and University Administration.
VI. Post-Incident Review
A review of incident-related activities is a required element of this protocol. All members of the IRT primary and secondary teams are recommended participants.

1. Discussion
The IRT Lead will host a Post-Incident Review after each Incident has been resolved; this discussion should be scheduled within 2-3 weeks of the Incident's remediation. The review is an examination of the Incident and all related activities and events. All activities performed relevant to the Incident should be reviewed with an eye towards improving the over-all incident response process.
2. Recommendations
The IRT's recommendations on changes to policy, process, safeguards, etc. are both an input to and by-product of this review. "Fix the problem, not the blame" is the focus of this activity. All discussion, recommendations and assignments are to be documented for distribution to the IRT and Administration, and follow-up by IRT Lead.
3. Follow-up
The IRT Lead will follow up with the Client and 3rd Party or other parties, as required and appropriate.
VII. Appendices
A - Process Flow
B - Primary and Alternate Contact List
C - Notification Tree
D - Incident Severity
E - Incident Assessment Checklist
F - Incident Containment Activities
G - Corrective Measures
H - Guidelines for Help Desk and NOC Personnel
Appendix A - Process Flow (diagram not reproduced)
Appendix B - Primary and Alternate Contact List
Department or Function | Primary Contact | Alternate Contact
1. Information and Systems Security/Compliance | |
2. Computing Services | |
3. Technology Support Services | |
4. Telecommunications and Network Services | |
5. Management Services | |
6. Auditing Department | |
7. Office of General Counsel | |
8. University Police | |
9. University Relations | |
10. Disaster Recovery & Business Continuity Planning | |
Appendix C - Notification Tree (diagram not reproduced)
Appendix D - Incident Severity
Severity 1 - Symptoms:
A. Network or system outage with significant impact to the user population or operation of the University.
B. High probability of propagation.
C. Probable or actual release or compromise of sensitive data (financial records, personal data, passwords, etc.)
D. Requires immediate remedial action to prevent further compromise of data and adverse impact to network or other entities.
E. Notification of entities outside of the University is required.
Severity 2 - Symptoms:
A. Some adverse impact to the operation of the University.
B. Adverse effects are localized or contained, or minimal risk of propagation.
C. No apparent release or compromise of sensitive data.
D. Remedial but not immediate action is required.
E. Notification of entities within the University is required.
Severity 3 - Symptoms:
A. Minimal impact to small segment of user population or operation of University.
B. Completely localized, with few individuals affected, and presenting little or no risk to other entities.
C. No loss or compromise of sensitive data.
D. Remedial action is required.
E. Individual notification is required.
Appendix E - Incident Assessment Checklist
The activities described in this checklist are designed to assist in the initial assessment process performed and/or conducted by the IRT Lead. Completion of this checklist is essential for any incident that calls for the execution of the Information Security Incident Response Protocol. Once the IRT is assembled, the Assessment Checklist is reviewed for completion to ensure all pertinent facts are established.
A. Description of Incident - Data relevant to the Incident should be collected for use in the process of Incident determination.
A1. Record the current date and time.
A2. Provide a brief description of the Incident.
A3. Who discovered the Incident? Provide name and contact information.
A4. Indicate when the incident occurred and when it was discovered.
A5. How was the Incident discovered?
A6. Describe the evidence that substantiates or corroborates the Incident (e.g., eye-witness, time-stamped logs, screenshots, video footage, hardcopy, etc.).
A7. Identify all known parties with knowledge of the Incident as of current date and time.
A8. Have all parties with knowledge of the Incident been informed to treat information about the Incident as "sensitive or confidential"?
B. Types of Information, Systems and Media - Provide information on the nature of the data that is relevant to the Incident.
B1. Provide details on the nature of the data (e.g., student information, research data, credit card information, SSNs, etc.).
B2. Does the information (if compromised) constitute a violation of regulatory requirements (e.g., FERPA, HIPAA, PIP Act) or University policy? Describe what is known.
B3. Was the compromised information maintained by a University Client or a 3rd Party? Provide details.
B4. How was the information held? Identify the types of information systems and/or the media on which the information was stored (e.g., hardcopy, laptop, CD-Rom, etc.).
B5. If the information was held electronically, was the data encrypted or otherwise disguised or protected (e.g., redacted, partial strings, password required, etc.)? If so, describe measures taken.
B6. If a Client held the information:
- Establish the Client point of contact.
- Assign responsibility to IRT member to contact the Client.
B7. If a 3rd Party held the information:
- Identify the individual within the University who best represents the 3rd Party. If there is no suitable University contact, an IRT member will be assigned responsibility for directly contacting the 3rd Party.
- Assign responsibility to IRT member to contact that individual.
- IRT member will work with the University contact or 3rd Party to obtain a copy of any contract or confidentiality agreement and ascertain what knowledge of the Incident the 3rd Party might have and what action if any has been taken.
B8. Who currently holds evidence of the Incident? Provide name and contact information.
B9. What steps are required or being taken to preserve evidence of the Incident? Describe.
C. Risk/Exposure - Attempt to determine to what extent risk and/or exposure is presented by this Incident.
C1. Can we reasonably determine the risk or exposure?
C2. To what degree are we certain that the data has or has not been released?
C3. Do we have contact with someone who has "firsthand" knowledge of the circumstance (e.g., the owner of a stolen laptop)? Provide name and contact information.
C4. What firsthand knowledge have we determined? Describe what is known.
C5. Can we identify and do we have contact with the party that received the data or caused the compromise? Describe what is known.
C6. Identify the impacted parties, if possible. Are they University Clients or 3rd Parties? Provide estimated number, if known.
C7. What is the risk or exposure to the University? Describe.
C8. What is the risk or exposure to the Client? Describe.
C9. What is the risk or exposure to the 3rd Party? Describe.
C10. Can we determine to what extent news outlets may know of this Incident? Describe.
D. Next Steps - Determine what information or action is required to better assess or address this Incident.
D1. Do we have enough information to establish the category and severity of the Incident?
- If "yes", declare the Incident category and severity.
- If "no", describe what else might be required.
D2. If additional data collection is required, assign responsibility to IRT member for collection and reporting to IRT.
D3. Is there any deadline or reporting requirement (self-imposed or regulatory) we need to address? Provide details.
D4. Based on current knowledge, do we require resources of the Secondary Team? If so, determine the makeup and assign responsibility for contact to IRT members.
D5. What communications need to be established? Provide details.
D6. Are there any immediate issues that have not been addressed? Describe.
D7. Recap all work and responsibility assignments.
D8. When do we meet again to follow up? Provide details.
Appendix F - Incident Containment Activities
The IRT will determine and execute the appropriate activities and processes required to quickly contain and minimize the immediate impact to the University, Client and 3rd Party.
Containment activities are designed with the primary objectives of:
o Counteract the immediate threat
o Prevent propagation or expansion of the incident
o Minimize actual and potential damage
o Restrict knowledge of the incident to authorized personnel
o Preserve information relevant to the incident
A. Containment Activities - Unauthorized Access
Activities that may be required to contain the threat presented to systems where unauthorized access may have occurred.
A1. Disconnect the system or appliance from the network or access to other systems.
A2. Isolate the affected IP address from the network.
A3. Power off the appliance(s), if unable to otherwise isolate.
A4. Disable the affected application(s).
A5. Discontinue or disable remote access.
A6. Stop services or close ports that are contributing to the incident.
A7. Remove drives or media known or suspected to be compromised.
A8. Where possible, capture and preserve system, appliance and application logs, network flows, drives and removable media for review.
A9. Notify IR Team of status and any action taken.
B. Containment Activities - Unauthorized Acquisition
Activities that may be required to contain the threat presented to assets where unauthorized acquisition may have occurred.
B1. Identify missing or compromised assets.
B2. Gather, remove, recover and secure sensitive materials to prevent further loss or access.
B3. Power down, recycle or remove equipment known to be compromised.
B4. Where possible, secure the premises for possible analysis by local management and law enforcement.
B5. Gather and secure any evidence of illegal entry for review by local management and law enforcement.
B6. Where possible, record identities of all parties who were a possible witness to events.
B7. Preserve Marlock, camera logs and sign-in logs for review by local management and law enforcement.
B8. Notify IR Team of disposition of assets and any action taken.
Appendix G - Corrective Measures
The IRT will determine and cause the execution of the appropriate activities and processes required to quickly restore circumstances to a normalized (secure) state.
Corrective measures are designed with the primary objectives of:
o Secure the processing environment
o Restore the processing environment to its normalized state
A. Corrective Measures - Unauthorized Access
Activities that may be required to return conditions from unauthorized access to a normalized and secure processing state.
A1. Change passwords/passphrases on all local user and administrator accounts or otherwise disable the accounts as appropriate.
A2. Change passwords/passphrases for all administrator accounts where the account uses the same password/passphrase across multiple appliances or systems (servers, firewalls, routers).
A3. Rebuild systems to a secure state.
A4. Restore systems with data known to be of high integrity.
A5. Apply OS and application patches and updates.
A6. Modify access control lists as deemed appropriate.
A7. Implement IP filtering as deemed appropriate.
A8. Modify/implement firewall rulesets as deemed appropriate.
A9. Ensure anti-virus is enabled and current.
A10. Make all personnel "security aware".
A11. Monitor/scan systems to ensure problems have been resolved.
A12. Notify IR Team of status and any action taken.
B. Corrective Measures - Unauthorized Acquisition
Activities that may be required to return conditions from an unauthorized acquisition
to a normalized and secure processing state.
B1. Retrieve or restore assets where possible.
B2. Store all sensitive materials in a secure manner (e.g., lockable cabinets or
storage areas/containers).
B3. Install/replace locks and issue keys only to authorized personnel.
B4. Restore security devices and/or apparatus to working condition.
B5. Remove and retain unauthorized equipment from the network/area.
B6. Implement physical security devices and improvements (e.g., equipment
cables, alarms) as deemed appropriate.
B7. Make all personnel "security aware".
B8. Notify IR Team of status and any action taken.
Appendix C - Guidelines for HelpDesk and NOC Personnel
Primary Objective
The primary objective is to determine if the problem being reported is a security
incident. In most instances, the problem being reported will not constitute an
incident as defined within the protocol (see Definitions - Information Security
Incident - Categories).
No set of questions will address every circumstance; previous experience with an
individual and intuition may be relied upon to help determine if an incident has
occurred. Support personnel are accountable for asking the questions about an
incident, making a reasonable attempt at determining if an incident has occurred,
recording facts and responses to questions, and forwarding pertinent information to
the responsible parties.
Problem Reporting
Familiarity with this protocol's definitions will assist support personnel in making a
determination if a security incident has occurred. Individuals reporting problems
and/or incidents should be informed as to the reason for the questions (i.e., the
University is attempting to determine if sensitive data is at risk or compromised) and
all individuals should be encouraged to openly discuss the problem being reported.
Any information provided by an individual that helps in the determination is of
considerable value; the individual's cooperation is critical, greatly appreciated and
should be recognized.
Inquiries
For those individuals who may be reporting a security incident, questions that might
be asked include but are not limited to:
o Were NetIDs and/or passwords accessed or released?
o Were Social Security Numbers stored or processed?
o Were medical records of individuals present or accessed?
o Were credit card numbers or financial information disclosed?
o Did physical theft of computer equipment occur?
o Was "foreign" or unauthorized equipment connected to the network?
Discovery and Reporting
If the answers to the inquiries indicate that an incident may have occurred, support
personnel should assume that an incident has actually occurred and perform the
following activities:
o Obtain and record the contact information for the individual reporting the problem
(name, telephone numbers, e-mail address)
o Record relevant information about the incident (e.g., time/date of suspected
occurrence, type of information compromised, location of the compromise)
o Inform the individual to expect contact from a member of the Incident Response
Team
o Request the individual to treat the incident as a confidential matter
o Contact the Telecommunications and Network Services (TNS) "on call" engineer
for further assistance.
Escalation
The TNS "on call" engineer is responsible for making an early determination if an
incident has occurred or might be indicated. If the engineer believes an incident has
occurred or might be indicated, or is unsure, the IRT Lead or Alternate should be
contacted immediately, using the department's notification procedures.