1. K-State home
  2. »Policies
  3. »PPM
  4. »3400
  5. »IT Security Incident Reporting and Response Policy

Policies

Internal Audit Office

Kansas State University
214 Anderson Hall
Manhattan, KS 66506-0118

 

785-532-7308
785-532-0186
internalaudit@k-state.edu

IT Security Incident Reporting and Response Policy

Chapter 3434
Issued April 15, 2009

Table of Contents

.010 Purpose
.020 Scope
.030 Effective Date
.040 Authority
.050 Policy
.060 Definitions
.070 Roles and Responsibilities
.080 Implementing Procedures
.090 Related Laws, Regulations, or Policies
.100 Questions/Waivers

.010 Purpose

This policy governs the actions required for reporting or responding to security incidents involving K-State information and/or information technology resources to ensure effective and consistent reporting and handling of such events.

.020 Scope

This policy applies to all members of the University community, including students, personnel, units, and affiliates using University information technology resources or data.

.030 Effective Date

This policy became effective on January 8, 2009

.040 Authority

For major incidents, which include a breach of personal identity information (PII), Kansas Regents IT Council (RITC) policy requires escalation to the top administration on campus and prompt notification of the Board of Regents office. Likewise, Kansas Senate bill 196 that went into effect in January 2007 requires a prompt investigation and notification of potential victims in response to a security incident involving a breach of PII.

.050 Policy

All members of the University community are responsible for reporting known or suspected information or information technology security incidents. All security incidents at K-State must be promptly reported to K-State’s Chief Information Security Officer (CISO) and other appropriate authority(ies) as outlined in Section .080 "Implementing Procedures".

Incident response will be handled appropriately based on the type and severity of the incident in accordance with the incident response summary table in Section .080.B.2 below and K-State's IT Security Incident Management Procedures. Handling of security incidents involving confidential data will be overseen by an Executive Incident Management Team.

All individuals involved in investigating a security incident should maintain confidentiality, unless the Vice Provost for Information Technology Services authorizes information disclosure in advance.

.060 Definitions

  1. security incident is any real or suspected event that may adversely affect the security of K-State information or the systems that process, store, or transmit that information. Examples include:

    • Unauthorized access to data, especially confidential data like a person’s name and social security number

    • Computer infected with malware such as a worm, virus, Trojan Horse, or botnet

    • Reconnaissance activities such as scanning the network for security vulnerabilities

    • Denial of Service attack

    • Web site defacement

    • Violation of a K-State security policy

    • Security weakness such as an un-patched vulnerability

  2. Personal identity information(PII) is an individual’s name (first name and last name, or first initial and last name) in combination with one or more of the following: a) Social security number, b) driver’s license number or state identification card number, c) passport number, or c) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

.070 Roles and Responsibilities

  1. The incident manageris responsible for managing the response to a security incident as defined in the incident response summary table in Section .080.B.2 below.

  2. The Executive Incident Management Teamoversees the handling of security incidents involving confidential data (e.g., personal identity information). This team has authority to make decisions related to the incident and to notify appropriate parties. The team consists of:

    • Senior administrator for the affected unit

    • Vice Provost for IT Services

    • Chief Information Security Officer

    • Representative from the Office of General Counsel

    • Assistant Vice President for Media Relations

    • Others as needed (for example, K-State Police for criminal incidents)

.080 Implementing Procedures

  1. Reporting Security incidentsAny member of the K-State community who suspects the occurrence of a security incident must report incidents through the following channels:

  2. Responding to Security Incidents

    • Incident Severity

      Incident response will be managed based on the level of severity of the incident. The level of severity is a measure of its impact on or threat to the operation or integrity of the institution and its information. It determines the priority for handling the incident, who manages the incident, and the timing and extent of the response. Four levels of incident severity will be used to guide incident response: high, medium, low, and NA ("Not Applicable").

      • High

        The severity of a security incident will be considered "high " if any of the following conditions exist:

        • Threatens to have a significant adverse impact on a large number of systems and/or people (for example, the entire institution is affected)

        • Poses a potential large financial risk or legal liability to the University

        • Threatens confidential data (for example, the compromise of a server that contains or names with social security numbers or credit card information)

        • Adversely impacts an enterprise system or service critical to the operation of a major portion of the university (for example, e-mail, student information system, financial information system, human resources information system, learning management system, Internet service, or a major portion of the campus network)

        • Poses a significant and immediate threat to human safety, such as a death-threat to an individual or group.

        • Has a high probability of propagating to many other systems on campus and/or off campus and causing significant damage or disruption

      • Medium

        The severity of a security incident will be considered "medium" if any of the following conditions exist:

        • Adversely impacts a moderate number of systems and/or people, such as an individual department, unit, or building

        • Adversely impacts a non-critical enterprise system or service

        • Adversely impacts a departmental system or service, such as a departmental file server

        • Disrupts a building or departmental network

        • Has a moderate probability of propagating to other systems on campus and/or off campus and causing moderate damage or disruption

      • Low

        Low severity incidents have the following characteristics:

        • Adversely impacts a very small number of systems or individuals

        • Disrupts a very small number of network devices or segments

        • Has little or no risk of propagation or causes only minimal disruption or damage in their attempt to propagate

      • NA("Not Applicable")

        This is used for events reported as a suspected IT security incident but upon investigation of the suspicious activity, no evidence of a security incident is found.

    • Incident Response Summary Table

      The following table summarizes the handling of IT security incidents based on incident severity, including response time, the responsible incident managers, and notification and reporting requirements. Detailed procedures for incident response and management are further defined in the K-State IT Security Incident Management Procedures.

Incident SeverityCharacteristics (one or more condition present determines the severity)Response TimeIncident ManagerWho to NotifyPost-Incident Report Required*
High
  1. Significant adverse impact on a large number of systems and/or people
  2. Potential large financial risk or legal liability to the University
  3. Threatens confidential data
  4. Adversely impacts a critical enterprise system or service
  5. Significant and immediate threat to human safety
  6. High probability of propagating to a large number of other systems on or off campus and causing significant disruption
ImmediateChief Information Security Officer or an Executive Incident Management Team
  1. Chief Information Security Officer
  2. Vice Provost for IT Services
  3. Unit administrator (VP, Provost, Dean, etc.)
  4. Unit head
  5. SIRT respresentative
  6. Departmental security contact
  7. Technical support for affected device
  8. If breach of PII, see K-State IT Security Incident Management Procedures for additional notification requirements
Yes
Medium
  1. Adversely impacts a moderate number of systems and/or people
  2. Adversely impacts a non-critical enterprise system or service
  3. Adversely impacts a departmental scale system or service
  4. Disrupts a building or departmental network
  5. Moderate risk of propagating and causing further disruption
4 hoursAppointed by unit head
  1. Chief Information Security Officer
  2. Unit head
  3. SIRT representative
  4. Departmental security contact
  5. Technical support for affected device
No, unless requested by Vice Provost for IT Services or other appropriate administrator
Low
  1. Adversely impacts a very small number of non-critical individual systems, services, or people
  2. Disrupts a very small number of network devices or segments
  3. Little risk of propagation and further disruption
Next
business day
Technical support for affected device
  1. Chief Information Security Officer
  2. SIRT representative
  3. Departmental security contact
No
N/A"Not Applicable" - used for suspicious activities which upon investigation are determined not to be an IT security incident.
  

* See K-State IT Security Incident Management Procedures for details about the Post-Incident Report

.090 Related Laws, Regulations, or Policies

  1. K-State IT Security Incident Management Procedures (pdf)

  2. K-State IT security team (pdf)

  3. K-State Security Incident Response Team (SIRT) (pdf)

  4. Kansas Regents IT Council (RITC) Security Incident Policy and Procedure (pdf) – April 2005

  5. Enterprise IT Security Reporting Protocols, State of Kansas IT Security Council, October 2007

  6. Kansas IT Executive Council (ITEC) IT Enterprise Security Policy, ITEC policy 7320

  7. Kansas Senate Bill 196 requiring notification of victims in a breach of personal identity information – www.kslegislature.org/bills/2006/196.pdf

.100 Questions/Waivers

The Vice Provost for Information Technology Services (ITS) is responsible for this policy. The Vice Provost for ITS or designee must approve any exception to this policy or related procedures.

Questions should be directed to the Chief Information Security Officer.