Incident Response Policy and Procedures; Current Threats

With the recent ransomware attacks we have heard about, I thought now would be the opportune time to remind you of UTIA IT0122 – Information Security Incident Response Policy and UTIA IT0122P – Information Security Incident Response Plan and Reporting Procedures. These two documents are very important for a number of reasons, first and foremost being that we must properly report incidents and possible incidents so that we don’t lose valuable information about the incident and cost the Institute money. These documents have recently been updated, and here is a summary of those changes:

UTIA IT0122 – Information Security Incident Response Policy

  • Put the policy in the new format, using the NIST controls (the bolded and underlined headings).
  • Rearranged the existing content to match the controls.
  • Added information for Incident Response Training, Incident Response Monitoring, Incident Response Assistance, and Incident Response Plan.
  • Added the word “immediately” for notifying the CISO.
  • Moved a bit of the procedural text to the procedures document.

UTIA IT0122P – Information Security Incident Response and Reporting Procedures

  • Changed the name to Information Security Incident Response Plan and Reporting Procedures.
  • Added “These procedures must be followed in the event of a security incident or possible incident. Reportable information security incidents will be treated as an incident until procedures have ruled out an actual incident.” to the scope.
  • Added “Reportable” to the Information Security Incidents heading.
  • Added ransomware and spear phishing attacks to the suspected compromised list, as well as examples of malware sources.

Please take some time to look closely at these two documents. The procedures include specific roles and responsibilities, as well as a list of reportable incidents. While telling and hearing about an incident is never easy, it is necessary. One of the biggest reasons people don’t want to report an incident is they feel embarrassed that it happened. Please know that I understand things can happen and my goal is not to make you feel bad. I just want to make sure we do the right thing and report in the required way.

The UTIA Policies and Procedures page has recently moved, so please follow the link and bookmark the new site.

Current Threat Alert  

State Retirement Guidance for The University of Tennessee, Knoxville Personnel

This email has been going around for a few years, but when I hear about it I like to remind others that this is not real if the sender is not a part of UT. The sender wants you to set up an appointment for a call or teleconference to answer your retirement benefits questions. The problem is, the email and its sender have nothing to do with UT and its retirement programs.

And don’t use “Unsubscribe” to opt out of future mailings. The link may or may not allow you to truly unsubscribe. Just block the sender by doing the following: right-click on the Message Preview, then click “Junk,” then “Block Sender.”

Spear Phishing

This one is not going away any time soon! Unfortunately, there is no way to prevent it, either, but it is not because of a compromised email account or malware. The latest rounds don’t really have much, if any, content in the email; they just have the subject, “Send me your available cell phone number,” or something very similar.

Please do not reply, and remember that these messages do not come to only you. Because they are sent using bcc, plenty of others are receiving the same message. Please see the Spear Phishing information under Keeping You Safe to keep up with the latest information about spear phishing attempts.

Please keep an eye on https://UTIAsecurity.tennessee.edu for other information on current threats.

I appreciate all that you do to keep the Institute’s data and IT assets safe. And please contact me anytime you have questions about something that is possibly an IT security issue. I am here to help you with answers and solutions.

Thank you all for all that you do!

Sandy