Incident Response Policy

February 28, 2022

Purpose

The purpose of the Incident Response Policy is to mandate Incident Response activities within St. George’s University and University Support Services (collectively the Enterprise). Incident Response (IR) activities at the Enterprise must be driven by a framework to respond quickly, decisively, and appropriately to an incident.

Scope

This policy applies to any response to an IT security incident that originates from, is directed toward, or otherwise impacts the Enterprise.

Definitions

  • Event: An event is any observable occurrence in an Information System and/or Network. Not all events are adverse events.
  • Adverse Event: An adverse event is an event that is an exception to the normal operation of Information Systems and/or Networks. Generally, adverse events are events with a negative consequence, such as: system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. Not all adverse events become incidents.
  • Incident: An incident is an adverse event that, as assessed by IT Security staff, violates Enterprise Computing Policies; other Enterprise policy, standard, or code of conduct; or threatens the confidentiality, integrity, or availability of IT Information Systems or Enterprise Data.

Roles and Responsibilities

  • Incident Response Team (IRT): manages incidents pursuant to the Incident Response Plan. It is the responsibility of the Incident Response Team to detect and respond to any incidents.
  • Incident Response Lead: A single employee, with one or more designated alternates, should oversee incident response.
  • Incident Response Coordinator: Employee who is responsible for assembling all the data pertinent to an incident, communicating with appropriate parties, ensuring that the information is complete, and reporting on incident status both during and after the investigation.
  • Incident Response Handler: Employees who gather, preserve, and analyze evidence so that an incident can be progressed and brought to conclusion.
  • IT Leadership: IT Leadership is accountable for the writing, review, and testing of this policy, and for training on it.
  • IT Operations: IT Staff responsible for administering IT Systems, who can be called upon during an incident to complete various actions.
  • Other Employees: Can include any or all of the following, depending on the incident: Company Officers/Compliance/Legal/HR

Policy Statement

This plan outlines the most general tasks for Incident Response and will be supplemented by specific internal guidelines and procedures that describe the use of security tools and/or channels of communication. These internal guidelines and procedures are subject to amendment as technology changes. This plan includes the following:

  • Preparation: Includes the establishment and use of policies, procedures, technology & tools, effective governance, and communications plans that enable the IRT to assess an event and/or respond to an incident.
  • Detection & Analysis: Detection is the discovery of an adverse event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident. This phase includes sub-procedures for prioritization, escalation, and communication.
  • Containment, Eradication, & Recovery
    • Containment: Where the affected host or system is identified, isolated, or otherwise mitigated. Most incidents require containment; however, containment strategies can vary based on the type of incident.
    • Eradication: Eradication may be necessary to eliminate components of the incident.
    • Recovery: Consists of restoring systems to normal operation, confirming that systems are functioning normally, and remediating vulnerabilities to prevent similar incidents.
  • Post Incident Activity: Includes the activity in which the incident is reviewed to understand, at a minimum, what happened, what went wrong, how well the response was implemented and managed, and areas of improvement.
  • Incident Notification: When an incident is analyzed and prioritized, the incident response team will notify the appropriate individuals so that all who need to be involved will play their roles. Exact reporting requirements can vary from incident to incident, but parties that are typically notified include the Director of Security, Corporate Officers, HR, Legal, Compliance, Business Owners, and in some cases external vendors, business partners, law enforcement, regulatory authorities, and affected individuals.
  • Documentation: Information relevant to the incident is maintained according to the Enterprise standards. This can include emails, system data, log data, and investigatory notes.

Testing and Adaptation

The Enterprise must test Incident Response capabilities regularly with measures such as simulations.

The IR Plan must include processes for periodic review and the incorporation of lessons learned after an incident or formal IR testing has occurred. Updates made to the IR Plan must be approved by the Cyber Security Committee and communicated to relevant stakeholders.

Related Documents