IT Security Incident Reporting and Response Policy
Issued April 15, 2009
Table of Contents
.030 Effective Date
This policy governs the actions required for reporting or responding to security incidents involving K-State information and/or information technology resources to ensure effective and consistent reporting and handling of such events.
This policy applies to all members of the University community, including students, personnel, units, and affiliates using University information technology resources or data.
This policy became effective on January 8, 2009
For major incidents, which include a breach of personal identity information (PII), Kansas Regents IT Council (RITC) policy requires escalation to the top administration on campus and prompt notification of the Board of Regents office. Likewise, Kansas Senate bill 196 that went into effect in January 2007 requires a prompt investigation and notification of potential victims in response to a security incident involving a breach of PII.
All members of the University community are responsible for reporting known or suspected information or information technology security incidents. All security incidents at K-State must be promptly reported to K-State’s Chief Information Security Officer (CISO) and other appropriate authority(ies) as outlined in Section .080 "Implementing Procedures".
Incident response will be handled appropriately based on the type and severity of the incident in accordance with the incident response summary table in Section .080.B.2 below and K-State's IT Security Incident Management Procedures. Handling of security incidents involving confidential data will be overseen by an Executive Incident Management Team.
All individuals involved in investigating a security incident should maintain confidentiality, unless the Vice Provost for Information Technology Services authorizes information disclosure in advance.
A security incident is any real or suspected event that may adversely affect the security of K-State information or the systems that process, store, or transmit that information. Examples include:
Unauthorized access to data, especially confidential data like a person’s name and social security number
Computer infected with malware such as a worm, virus, Trojan Horse, or botnet
Reconnaissance activities such as scanning the network for security vulnerabilities
Denial of Service attack
Web site defacement
Violation of a K-State security policy
Security weakness such as an un-patched vulnerability
Personal identity information(PII) is an individual’s name (first name and last name, or first initial and last name) in combination with one or more of the following: a) Social security number, b) driver’s license number or state identification card number, c) passport number, or c) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer’s financial account.
The incident manageris responsible for managing the response to a security incident as defined in the incident response summary table in Section .080.B.2 below.
The Executive Incident Management Teamoversees the handling of security incidents involving confidential data (e.g., personal identity information). This team has authority to make decisions related to the incident and to notify appropriate parties. The team consists of:
Senior administrator for the affected unit
Vice Provost for IT Services
Chief Information Security Officer
Representative from the Office of General Counsel
Assistant Vice President for Media Relations
Others as needed (for example, K-State Police for criminal incidents)
Reporting Security incidentsAny member of the K-State community who suspects the occurrence of a security incident must report incidents through the following channels:
All suspected high severity events as defined in Section .080.B.1 below , including those involving possible breaches of personal identity information, must be reported directly to the Chief Information Security Officer (CISO) as quickly as possible by phone (preferred), e-mail, or in person. If the CISO cannot be reached, contact the Vice Provost for IT Services.
All other suspected incidents must also be reported to the CISO. These incidents may be first reported to departmental IT support personnel, the unit's Security Incident Response Team (SIRT) representative, or the unit head who can then contact the CISO. Reports should be made by sending email to firstname.lastname@example.org (preferred) or by notifying the CISO by phone, email, or in person.
For detailed information about reporting IT security incidents, see the K-State IT Security Incident Management Procedures.
Responding to Security Incidents
Incident response will be managed based on the level of severity of the incident. The level of severity is a measure of its impact on or threat to the operation or integrity of the institution and its information. It determines the priority for handling the incident, who manages the incident, and the timing and extent of the response. Four levels of incident severity will be used to guide incident response: high, medium, low, and NA ("Not Applicable").
The severity of a security incident will be considered "high " if any of the following conditions exist:
Threatens to have a significant adverse impact on a large number of systems and/or people (for example, the entire institution is affected)
Poses a potential large financial risk or legal liability to the University
Threatens confidential data (for example, the compromise of a server that contains or names with social security numbers or credit card information)
Adversely impacts an enterprise system or service critical to the operation of a major portion of the university (for example, e-mail, student information system, financial information system, human resources information system, learning management system, Internet service, or a major portion of the campus network)
Poses a significant and immediate threat to human safety, such as a death-threat to an individual or group.
Has a high probability of propagating to many other systems on campus and/or off campus and causing significant damage or disruption
The severity of a security incident will be considered "medium" if any of the following conditions exist:
Adversely impacts a moderate number of systems and/or people, such as an individual department, unit, or building
Adversely impacts a non-critical enterprise system or service
Adversely impacts a departmental system or service, such as a departmental file server
Disrupts a building or departmental network
Has a moderate probability of propagating to other systems on campus and/or off campus and causing moderate damage or disruption
Low severity incidents have the following characteristics:
Adversely impacts a very small number of systems or individuals
Disrupts a very small number of network devices or segments
Has little or no risk of propagation or causes only minimal disruption or damage in their attempt to propagate
This is used for events reported as a suspected IT security incident but upon investigation of the suspicious activity, no evidence of a security incident is found.
The following table summarizes the handling of IT security incidents based on incident severity, including response time, the responsible incident managers, and notification and reporting requirements. Detailed procedures for incident response and management are further defined in the K-State IT Security Incident Management Procedures.
|Incident Severity||Characteristics (one or more condition present determines the severity)||Response Time||Incident Manager||Who to Notify||Post-Incident Report Required*|
|High||Immediate||Chief Information Security Officer or an Executive Incident Management Team||Yes|
|Medium||4 hours||Appointed by unit head||No, unless requested by Vice Provost for IT Services or other appropriate administrator|
|Technical support for affected device||No|
|N/A||"Not Applicable" - used for suspicious activities which upon investigation are determined not to be an IT security incident.|
* See K-State IT Security Incident Management Procedures for details about the Post-Incident Report
K-State IT security team (pdf)
Kansas Regents IT Council (RITC) Security Incident Policy and Procedure (pdf) – April 2005
Enterprise IT Security Reporting Protocols, State of Kansas IT Security Council, October 2007
Kansas IT Executive Council (ITEC) IT Enterprise Security Policy, ITEC policy 7320
Kansas Senate Bill 196 requiring notification of victims in a breach of personal identity information – www.kslegislature.org/bills/2006/196.pdf
The Vice Provost for Information Technology Services (ITS) is responsible for this policy. The Vice Provost for ITS or designee must approve any exception to this policy or related procedures.
Questions should be directed to the Chief Information Security Officer.