IT Security Incident Response is about responding to potential security incidents, while maintaining confidentiality, integrity, and availability (CIA) of any Institute-owned IT assets, particularly those classified as moderate, high, and business critical. The response must be conducted in a consistent manner in order to promptly restore operations, while following any industry (e.g., PCI) and government (e.g., HIPAA, FERPA, GDPR) standards to prevent the possibility of fines and loss of data. The response must also be properly documented for reporting requirements. Please be sure you are familiar with the following responsibilities from
UTIA IT0122P – Information Security Incident Response and Reporting Procedures.
End User Responsibilities
1. Stop all work on the computer and contact your local or regional IT support personnel.
2. Advise the local or regional IT support personnel if your system is classified as low, moderate, high, or business critical.
3. If a local or regional IT support person in not available, immediately contact the Chief Information Security Officer (CISO).
4. Please contact the OIT HelpDesk for reporting a security incident only in the event you are unable to reach a local or regional IT support person, or the Institute’s CISO and be certain to tell them you are with the Institute.
Local IT/OIT HelpDesk Responsibilities
1. Quickly and briefly investigate system anomalies to assess if an information system security incident is in progress or has occurred.
2. Create a trouble ticket, completing all mandatory fields, marking the ticket request type as Incident. If a security incident has not occurred, mark the ticket request type as Service Request.
3. If the system is classified as moderate, high, or business critical:
* Do not turn the system’s power off;
* Disconnect all network connections;
* Contact the Institute’s Chief Information Security Officer (CISO) at once;
* Wait for direction from the incident response team before taking any further action.
4. If the system is classified as low:
* Run necessary scanning services as listed on UTIA Security website;
* Contact Institute’s CISO for additional support, if necessary;
* Remediate the system by re-imaging or per other departmental guidelines if necessary (i.e., scan hard drive with additional tools, rebuild, etc.);
* Update the trouble ticket, logging results.
5. Local IT/OIT will close security trouble tickets for systems classified as low, while the Institute’s CISO will review and close all tickets for systems classified as moderate, high, or business critical, as related to security incidents.
UTIA CISO Responsibilities
1. Provide advice and assistance to all users.
2. Determine who is on the Institute Response Team and provide oversight.
3. Provide checklist to the Incident Response Team to ensure all procedures are completed.
4. Work with the Incident Response Team to determine if an incident has occurred and the severity of the incident.
5. Perform follow-up activity with the Incident Response Team.
6. Maintains all documentation for all system security incidents.
7. The Institute’s CISO will submit a detailed report to the UT System Administration CISO for appropriate state reporting.