Incident Response Procedure for UWO

Incident Response Procedure


Original Issuance Date: July 11, 2017
Last Revision Date: December 2018

1. Purpose of Procedure

The Information Security Incident Response Procedure provides specific details of how information security incidents are handled within UW System institutions. This procedure has been developed to comply with UW System Administrative Policy 1033, Information Security: Incident Response, which requires every UW System institution to have such a written procedure.

2. Responsible UW Oshkosh Officer

Chief Information Officer (CIO)

3. Scope

This incident response procedure applies to UW Oshkosh employees.

4. Background

This procedure has been developed to comply with UW System Administrative Policy (SYS) 1033, Information Security: Incident Response and the broader information security objectives of the UW System as outlined in Regent Policy Document 25-5, Information Technology: Information Security. SYS 1033 requires each UW System institution to have an information security incident response procedure.

An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorized release of information deemed to be of high risk or moderate risk to the University of Wisconsin Oshkosh, or an incident subject to regulation or legislation that is beyond UW Oshkosh’s sphere of control. This procedure will be tested at least annually under the leadership of the Chief Information Officer.

5. Definitions

Data Definitions: There are important distinctions between High Risk data, Moderate Risk data and Low Risk data, which are necessary to properly classify an information security incident. The policy and procedures for data classification of the three data types are significantly different. Refer to SYS 1031 and 1031.A.

6. Procedure

UW System Administrative Policy 1033, Information Security: Incident Response, requires the creation of an information security incident response procedure at each UW System institution. This policy requires that any individual who suspects that an information security incident has likely occurred must report it to the appropriate institution personnel.

A. Incident Response Team Roles

The Information Security Incident Response Team (ISIRT) is comprised of appropriate individuals and groups from within UW Oshkosh’s organization, charged by UW Oshkosh with the responsibility of assisting in the process described within this procedure. Depending upon the situation, additional external resources may be involved as well.

I. CHIEF INFORMATION OFFICER (CIO)

The CIO is responsible for executing or delegating the following:

  • Setting priorities during the incident and remediation

  • Notifying the UWSA Vice President for Information Security

  • Designating an alternate to cover the responsibilities of the CIO role in an incident response event if the CIO is unavailable

  • Notifying the University Marketing and Communication Officer as appropriate for internal and external communication

  • Chairing the Post Incident – Closeout Phase

  • Notifying the UW System Office of General Counsel, as appropriate

  • Notifying the Office of Risk Management, as appropriate

  • Contacting the University Marketing and Communication for assistance, as appropriate

  • Communicating to the CIO Council when a high impact incident has been declared, as appropriate

  • Contacting the University Police Department and Emergency Management team, as appropriate

II. IT MANAGEMENT

  • Participating with Chief Information Security Officer (CISO) in forensic investigation decisions

  • Chairing the Post Incident – Closeout Phase

  • Establishing a Post-Event Team to determine the root cause and root effect of the incident

III. RISK MANAGER

The Risk Manager is an emergency point of contact in situations in which a High Risk information security incident is suspected and the CIO and ISO are unable to be contacted in accordance with the timeframe identified within the documented initial incident escalation process.

IV. INFORMATION SECURITY OFFICER (ISO)

The ISO is responsible for executing or delegating the following:

  • Updating the CIO on a regular basis during a critical incident

  • Beginning an Incident Response case file and maintaining proper documentation of the incident

  • Managing incident resources

  • Activating the ISIRT, notifying the team of meeting locations and call-in telephone numbers and teleconference links

  • Developing containment procedures specific to each incident

  • Managing the incident work plan(s) and task assignments

  • Raising dependency issues for team consideration as they arise

  • Developing work plans that address tasks completed and outstanding

  • Certifying that all systems are returned to operational quality with the cause rectified

  • Ensuring destruction/retention of all materials at the end of an incident

  • Identifying external personnel/resources as needed

V. INFORMATION TECHNOLOGY SUPPORT STAFF

The Information Technology Support Staff Team members are responsible for the following:

  • Providing support to the Incident Response Team as required

VI. OFFICE OF GENERAL COUNSEL, UW SYSTEM

The Office of General Counsel Incident Response Team members are a resource for the following:

  • Providing guidance to the CIO regarding legal and regulatory aspects of the incident and its public disclosure

  • Advising the Office of Human Resources and Workforce Diversity regarding investigations involving employees

  • Advising the CIO and/or ISO regarding the decision to simply protect UW System information technology operations or to also pursue civil or criminal actions

  • Consulting with the CIO and/or ISO regarding involvement with law enforcement

  • Advising the CIO and/or ISO regarding involvement with regulatory agencies

  • Reviewing communications drafted by the Office of University Marketing and Communications as required

  • Communicating with external counsel

VII. OFFICE OF RISK MANAGEMENT, UW SYSTEM ADMINISTRATION (UW SYSTEM)

The Office of Risk Management Incident Response Team members are a resource for the following:

  • Providing subject matter area expert advice

  • Assisting in interviews when necessary

  • Notifying UW System’s cyber liability insurer, as appropriate


This contact information is provided as a means to establish team contact in a situation in which electronic directory services may not be accessible.

ISIRT members are accountable to the University CIO for the execution of relevant protocols contained within this procedure and associated activities.

VIII. UNIVERSITY POLICE DEPARTMENT

The University Police Department Incident Response Team members are a resource for the following:

  • Coordinating with external law enforcement as required

  • Communicating with the Federal Bureau of Investigation (FBI) as requested by the Office of General Counsel and CIO

7. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification
UW System Administrative Policy 1033, Information Security: Incident Response

uwosh.edu/it/policies

8. Policy History

First Approved: July 11, 2017

9. Scheduled Review

October 2019





Keywords: Incident Response
Doc ID: 88871
Owner: Christian B.
Group: UW Oshkosh
Created: 2019-01-07 15:31 CDT
Updated: 2019-05-02 13:30 CDT
Sites: UW Oshkosh