Home > Incident Response

Incident Response

IT Security Incident Response is about responding to potential security incidents, while maintaining confidentiality, integrity, and availability (CIA) of any Institute-owned IT assets, particularly those classified as moderate, high, and business critical. The response must be conducted in a consistent manner in order to promptly restore operations, while following any industry (e.g., PCI) and government (e.g., HIPAA, FERPA, GDPR) standards to prevent the possibility of fines and loss of data. The response must also be properly documented for reporting requirements. Please be sure you are familiar with the following responsibilities from

UTIA IT0122P – Information Security Incident Response and Reporting Procedures.

End User Responsibilities

1. Stop all work on the computer and contact your local or regional IT support personnel.

2. Advise the local or regional IT support personnel if your system is classified as low, moderate, high, or business critical.

3. If a local or regional IT support person in not available, immediately contact the Institute’s Chief Information Security Officer (UTIA CISO).

4. Please contact the OIT HelpDesk for reporting a security incident only in the event you are unable to reach a local or regional IT support person or the UTIA CISO and be certain to tell them you are with the Institute.

Local IT/OIT HelpDesk Responsibilities

1. Quickly and briefly investigate system anomalies to assess if an information system security incident is in progress or has occurred.

2. Create a trouble ticket, completing all mandatory fields, marking the ticket request type as Incident. If a security incident has not occurred, mark the ticket request type as Service Request.

3. If the system is classified as moderate, high, or business critical:
* Do not turn the system’s power off;
* Disconnect all network connections;
* Contact the UTIA CISO immediately;
* Wait for direction from the incident response team before taking any further action.

4. If the system is classified as low:
* Run necessary scanning services as listed on UTIA Security website;
* Contact UTIA CISO for additional support, if necessary;
* Remediate the system by re-imaging or per other departmental guidelines if necessary (i.e., scan hard drive with additional tools, rebuild, etc.);
* Update the trouble ticket, logging results.

5. Local IT/OIT will close security trouble tickets for systems classified as low, while the UTIA CISO will review and close all tickets for systems classified as moderate, high, or business critical, as related to security incidents.

UTIA CISO Responsibilities

1. Provide advice and assistance to all users.

2. Determine who is on the Institute Response Team and provide oversight.

3. Provide checklist to the Incident Response Team to ensure all procedures are completed.

4. Work with the Incident Response Team to determine if an incident has occurred and the severity of the incident.

5. Perform follow-up activity with the Incident Response Team.

6. Maintains all documentation for all system security incidents.

7. The UTIA CISO will submit a detailed report to the UT System Administration CISO for appropriate State reporting.

Sandy Lindsey
Chief Information Security Officer
Information Technology Services
The University of Tennessee
Institute of Agriculture

 

 

G061​ McCord Hall
2640 Morgan Circle Drive
Knoxville, Tennessee, 37996
Phone: (865) 974-7292; (865) 806-5224
sandy@tennessee.edu