Incident Response Policy

Approved: 05/08/2017
Last Reviewed: 05/08/2017
Last Modified: 05/08/2017

Statement

Santa Fe College (SF) is committed to conducting business in compliance with all applicable laws, regulations and SF rules and policies. SF has adopted this policy to minimize possible negative consequences of a technology incident and to improve SF’s ability to promptly restore operations affected by such incidents. This policy will outline and define standard methods for identifying, tracking and responding to those incidents, following a pre-defined and consistent incident handling methodology.

Purpose

The purpose of this policy is to define what constitutes a security incident and to create a framework that will enable SF to respond in a quick, effective and standardized manner in the event of an information security incident. It will also assist in ensuring that all obligations under SF policy, along with state and federal laws and regulations, are fulfilled and adhered to with respect to such incidents. The incident response plan will define areas of responsibility during each phase and establish procedures for handling each phase with the goal of minimizing negative consequences and resuming normal operations as quickly as possible.

These procedures are not intended to replace in part, or in whole, pertinent Florida or federal laws. Such laws include the Computer Crimes Act, Chapter 815 of the Florida Statutes; the Public Records Law; Chapter 119 of the Florida Statutes; 501.171 of Florida Statutes for security of confidential personal information; or obscenity and child pornography laws.

Scope

This policy applies to users of any IT resource owned, operated, leased, licensed, or managed by SF. Users include, but are not limited to, students, faculty, staff, contractors, alumni, guests or agents of the administration, and external individuals and organizations using IT resources, wired or wireless, regardless of location and ownership of the connecting device.

Definitions

Information Technology (IT) Resources - Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, servers, telephones, fax machines, copiers, printers, wired and wireless networks, Internet, email, cloud storage, and social media sites.

Information Security Incident - Sometimes referred to as an “electronic security incident”, a “technology incident”, or simply an “incident”, an information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operations; or violation of explicit or implied acceptable use policy. Information security incidents range from unauthorized intrusions into SF network systems to mishandling information in a way that may risk its confidentiality, integrity, or availability.

1. Examples of information security incidents included (but not limited to):
   1. Computer security intrusion
   2. Unauthorized use of systems or data
   3. Unauthorized change to computer or software
   4. Loss or theft of equipment used to store private or potentially sensitive information
   5. Denial of service attack
   6. Interference with the intended use of information technology resources
   7. Compromised user account
2. A serious incident is an incident that may pose a threat to college resources, stakeholders and/or services. Specifically, an incident is designated as serious if it meets one or more of the following criteria:
   1. Involves potential unauthorized disclosure of sensitive information (as defined below)
   2. Involves serious legal issues
   3. May cause server disruption to critical services
   4. Involves active threats
   5. Is widespread
   6. Is likely to raise public interest

Confidential Data - For the purposes of this policy, confidential data or confidential information is information stored and/or housed by electronic methods for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be required. Unauthorized access to or disclosure of confidential information could constitute an unwarranted invasion of privacy and cause financial loss and damage to the College’s reputation and the loss of community confidence.

Policy

5.1 Incident Reporting

Technology and computing systems are essential to the institution's academic and financial well-being. A security breach in any one of these systems could have a devastating effect on each member of the SF community. Each user is a stakeholder in the security of these systems and is encouraged to exercise active vigilance in reporting suspected information security vulnerabilities.

If you believe that your computer system has been compromised in any way, it is best to report the incident to the Help Desk at extension 5999. Our support staff will help you assess the problem and determine how to proceed. Since quick response is essential in limiting the damage caused by a security incident, we encourage everyone to report information that may help identify breaches in the security of SF technology systems.

If you witness a physical crime in progress, such as someone stealing a computer system, you should always alert the Santa Fe College Police Department by calling 352-395-5555 or call 911.

5.2 Incident Classification/Severity Assessment

In order to facilitate the accurate and productive response to any information security incident, all incidents must be classified and assessed by the Technical Incident Response Team (TIRT) for severity. The classification levels below are designed to indicate how many people are affected, or potentially affected, by the incident being addressed. The lowest level includes incidents that impact a single person, while the highest level may affect the entire college community. As the incident progresses, its classification may be reevaluated and changed to ensure proper handling.

It is also possible that one incident may fall under multiple classifications. If this happens, the classification with the highest severity will dictate the course of the incident response.

Low

• Threats, harassment, or criminal offenses involving individual user accounts.
• Compromise of individual user accounts.
• Compromise of desktop systems.
• Forgery, misrepresentation, or misuse of resources.
• Denial of service on individual accounts.

Medium

• Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks to infrastructure, confidential service accounts or software areas.
• Large-scale attacks of any kind (worms, sniffing attacks, etc.).
• Some network failures, denial of service, minimal impact to business operations occur, however there is minimal loss or compromise of information.

High

• Significantly impact the reputation of the institution or its ability to conduct normal operations.
• The release of sensitive, confidential, or privileged data.
• Affects business continuity.
• There is a reasonable expectation that Confidential Data was accessible to unauthorized individuals as a result of the incident.
• There is a reasonable expectation that the incident has or may result in financial theft or loss of intellectual property.
• The incident could have long term effects on the Campus community.
• The incident affects critical systems or has a Campus-wide effect.
• The incident is a violation of Florida State and/or Federal law.
• There is a possibility that the incident has or could result in compromise of additional SF systems or data.
• There is a possibility that physical harm could result to any person or to College property as a result of the incident.
• There is a possibility that the incident could affect the availability of SF or department mission-critical infrastructure, systems, applications, or data.
• The data or systems involved in the incident are impacted by state or federal regulation, grants, or College policy.

5.3 Incident Response for Each Severity Level

• Regardless of the severity level, the following will occur:
  • The ITS Help Desk technician taking the initial report will document as many of the details of the incident as possible in the Help Desk ticketing system. They will then determine what the problem is and assess its magnitude (low, medium, or high) based on all currently available information.
  • Once the Manager of Systems and Networking or his/her designee is notified of an incident, she/he will task appropriate personnel to begin the containment and recovery procedures. If they do not have enough people on-hand to properly contain and/or recover from the incident, they will work with the User Support Manager and the ITS Director to task employees from other areas of ITS.
  • Once the Chief Information Officer (CIO) is notified of an incident, they will conduct an investigation to determine if the TIRT needs to be activated. More details are provided below for each level of severity.

Low

• If the incident type -- such as an infected computer -- falls under the duties and responsibilities of the Help Desk or another member of Desktop Support, then the appropriate technician will handle the incident themselves and only report the results to User Support Manager as necessary.
• If the incident involves a legal issue, then the technician will report the incident to the User Support Manager.
• If an incident is escalated to the User Support Manager, they will determine if the incident can be handled at the Desktop Support level, or if it needs to be escalated to the Systems and Datacenter Manager and/or the CIO.
• If the CIO is notified, they will investigate and may activate the TIRT under extreme circumstances, or they may simply turn the matter over to the SFPD and/or the College’s Legal Department.

Medium

• If the Help Desk determines that multiple people are being affected by a particular incident, they will notify a Systems and Datacenter Manager or technician (or the ITS Director, depending on the issue) and the User Support Manager as soon as possible. They may also notify the CIO for informational purposes.
• Once an incident has been escalated from the Help Desk, the area of ITS in charge of the incident may notify the CIO on a case-by-case basis. They will also keep User Support Manager and the Help Desk up-to-date on the incident in order to mitigate misinformation.
• If the CIO is notified, they will begin the investigation and may activate the TIRT on a case-by-case basis.

High

• If the Help Desk determines that multiple areas of the college are being impacted by a particular incident, they will notify the User Support Manager, Systems and Datacenter Manager, and the CIO as soon as possible.
• Once the CIO is notified, they will begin the investigation process and activate the TIRT.
• The CIO or designee will keep User Support Manager and the Help Desk up-to-date on the incident in order to mitigate misinformation.

5.4 Technology Incident Response Team (TIRT)

5.4.1 TIRT Structure

TIRT Leader: The CIO is responsible for organizing, activating, and directing the TIRT. Typical duties center on managing incident response processes, but also updating policies and procedures to better anticipate and respond to future incidents. The CIO performs high-level direction of the team’s overall activities including confirmation of an incident.

TIRT Incident Lead: This position has ownership of the particular incident -- or set of related incidents -- and is designated to coordinate all TIRT actions and responses. All information about incidents must be passed through the TIRT Incident Lead before it leaves the team and is passed on to the organization or the public. It is possible that there could be more than one Incident Lead depending on incident types and levels of expertise. The Incident Lead should have a fundamental understanding of information technology but does not necessarily need to possess a high degree of information technology proficiency.

TIRT Associate Members: Although additional temporary team members may be required, depending on the incident type and their area(s) of expertise, the TIRT should have core member representation from the following areas:

• Human resources
• General Counsel
• SF Police Department
• Records
• Student Life
• IT Security
• Risk Management
• Counseling (as needed)
• Finance
• Communications and Creative Services

TIRT Availability: Because technology incidents can occur at any time, the availability of the team is paramount. To maximize the full potential of the team, members must be available outside of normal business hours and have proper clearance in the event of dealing with sensitive or confidential data.

5.4.2 Activating the TIRT

Upon notification of a technology incident, the Chief Information Officer (or designee) will carry out an initial investigation and make the decision whether to activate the TIRT. The TIRT has both an investigative and problem-solving component. Its mission is to be responsible for investigating, classifying, resolving, and documenting technology incidents in a timely, cost-effective manner and to report their findings to management and other appropriate authorities as required. During their investigation, they may call upon additional offices and resources to carry out the investigation and the remediation of any incident. The TIRT is authorized to take appropriate steps deemed necessary to contain, mitigate, or resolve a technology incident, and their responsibilities include, but are not limited to:

• Determining the impact, scope, and nature of the event or incident
• Notifying affected constituents of the incident
• Understanding the technical cause of the event or incident
• Researching and recommending solutions and work-arounds
• Making the decision to involve outside entities, including law enforcement agencies, vendors, and computer forensic experts
• Identifying and mitigating risks
• Assessing incident damage and cost
• Discussing, reviewing, and documenting any lessons learned from the incident

Policy Enforcement

Refusing to cooperate under this policy shall be deemed to be in violation of this policy and will be reported to the SF Chief Information Officer (CIO). The CIO reserves the right to deny or immediately remove access privileges to individuals or groups without prior notice to protect SF technology resources. The CIO may delegate further enforcement of this policy to the appropriate persons in coordination with disciplinary procedures for students, faculty, and staff.

Contacts

Questions regarding this Policy should be directed to Information Technology
Services at 352-395-5999 or can be emailed to help.desk@sfcollege.edu.

History/Revision Dates

This policy replaces a prior policy entitled “Information Security Incident Response Policy.”

Approved: 05/08/2017