Security and Privacy Incident Response Plan

Statement

All members of the UTSA community are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the university, irrespective of the medium on which the data resides and regardless of format (e.g., electronic, paper, fax, CD, or other physical form). If the confidentiality, integrity, or availability of data is compromised, or an incident is suspected, it must be reported immediately to the Office of Information Security (OIS) or the Privacy Office. Reporting incidents quickly, regardless of certainty or magnitude, is critical so that the appropriate teams can respond and contain the incident as soon as possible.

Rationale

Privacy and information technology (IT) security incidents can occur at any time and at any magnitude. Identifying and resolving incidents in an organized, systematic way is a vital component of the university's overarching compliance programs. This policy provides a framework for identifying, assessing, responding to, communicating about, and documenting an incident and its corresponding remediation plan.

Scope

This policy applies to all UTSA faculty, staff and students.

Related Policies

UTSA HOP 8.17

Contacts

OIS at informationsecurity@utsa.edu

Definitions

Event – An event is an exception to the normal operation of infrastructure, systems, or services. Not all events become incidents.

Incident – An incident is an event that, as assessed by staff, violates a UTSA policy related to Information Security, Physical Security, or Acceptable Use; violates another UTSA policy, standard, or code of conduct; or threatens the confidentiality, integrity, or availability of information systems or university data. Incidents are categorized according to their potential for exposure of protected data or the criticality of the affected resource.

Responsibilities

Security and privacy incidents must be:

  1. Reported
  2. Identified
  3. Declared
  4. Responded to
  5. Remediated
  6. Resolved

Reporting an Event or Incident

If you observe or suspect any unusual or suspicious behavior that does not match your expectation of good security or privacy management, report it immediately to your supervisor and to OIS. Even if you are not certain or cannot confirm that an incident has occurred, report it quickly so the right personnel can investigate as soon as possible.

To report an event or incident, notify your supervisor and contact OIS at informationsecurity@utsa.edu.

Alternatively, contact Tech Café at techcafe@utsa.edu or 458-5555.

Examples

  • Category 1 information misdirected or disclosed via mail, fax, verbal means
  • Student record documents are misplaced, stolen, lost
  • Category 1 record documents are exposed (e.g., files left open on computer), improperly disposed of (e.g., not shredded) or stored (e.g., not locked or protected)
  • A user accesses a system or application with credentials other than their own
  • Unauthorized access to a system, application, or document
  • A device (e.g., laptop, smartphone, desktop, tablet, removable storage, smart watches, cameras, voice recorders, etc.) containing UTSA Category 1 data is lost, stolen, or otherwise unaccounted for
  • A rogue device is connected to the network which impacts or prevents others from working
  • A system or individual is compromised by malware (e.g., virus, ransomware) or a phishing attack
  • Potential data loss due to a malware infection

Identifying an Event or Incident

Each reported event or incident must be investigated. Confirmed incidents will be categorized as follows:

  1. Unauthorized or suspicious activity on the UTSA network, including its systems or applications. This includes loss of availability of UTSA networks or systems (e.g., denial of service).
  2. UTSA data is lost, stolen, misdirected to, or otherwise shared with an unauthorized party
  3. An unknown system is found on the UTSA network
  4. A system on the UTSA network is infected with malware or is otherwise compromised, targeted, or profiled
  5. Other suspected compromise of data confidentiality, integrity, or availability

Identifying Affected Data

As quickly as possible after discovery and/or declaration, reasonable effort must be made to identify the type of data affected by the incident. The type of data determines which regulatory reporting and notification requirements, including deadlines, apply under state, federal, or other regulatory authority; these include, but are not limited to, Texas state rules for notification of a breach. This evaluation also includes the state of residence of affected individuals, since other states' notification laws and reporting authorities may apply.

Declaring an Incident

The Chief Information Security Officer, the Vice President of Information Management and Technology (or designee), and the Privacy Officer have the authority to declare a privacy or information security incident. These individuals are responsible for expeditiously evaluating the reported concern, using the available tools and risk assessment guides, to determine its authenticity and severity.

Severity judgments are based on whether the threat is ongoing or persistent, the volume of data involved, and the potential for reputational and/or financial harm to the institution or to affected individuals. Low-severity incidents (handled as events) are managed by OIS, UTS Cyber Operations, or the Privacy Office. For more severe incidents, the Chief Information Security Officer or Privacy Officer convenes the core members of the Security & Privacy Incident Response Team (SPIRT) and begins drafting the initial incident report.
The initial details of the incident will be discussed with the SPIRT core team at this time. The primary purpose of SPIRT is to determine and guide the university’s response to an information security or privacy incident, up to and including the need to satisfy existing data breach notification statutes or processes as well as an institutional decision to notify individuals of a breach of their personally identifiable or protected health information.

The SPIRT core team members include:

  1. Chief Information Security Officer
  2. Vice President of Information Management and Technology (or representative)
  3. Cyber Operations Director
  4. UTSA Privacy Officer
  5. Chief Technology Officer (or representative)

As warranted by the type and scope of the incident, any of the SPIRT virtual team members may be convened by a core team member. Virtual team members provide assistance, advice, and expertise from their respective areas. The SPIRT virtual team members may include:

  1. UTSA Emergency Management
  2. UTSA Risk Management
  3. Legal Affairs
  4. Human Resources
  5. VP of Business Affairs
  6. VP of Research, Economic Development, and Knowledge Enterprise
  7. UTSA Provost
  8. UTSA Chief of Police
  9. Director of Compliance
  10. UTSA Internal Audit
  11. UTSA Communications

Coordinating a Response to an Incident

Containing the Incident

Once an incident has been reported and declared, it must be contained to prevent further harm. For example, the following containment steps should be taken:

  • For IT security-related incidents, such as an infected system on the UTSA network, disconnect any network cables immediately, but leave the system powered on: powering it off destroys volatile memory (running processes, network connections, in-memory malware) that the investigation may need. Do not run cleanup tools, reinstall, or otherwise alter the system before evidence is collected. OIS and Cyber Operations will ensure digital evidence is identified and secured for follow-on investigation.
  • For incidents involving data in paper form, make immediate efforts to retrieve any copies or to gain assurance that all records are accounted for.

Effective containment stops damage from being done and allows assessment of the scope of the incident and the initiation of remediation activities.

Assigning Roles

Upon declaring the incident, the SPIRT core team members will convene the appropriate virtual team members, together with any additional resources necessary (such as storage facilities, out-of-band communication channels, or additional staff), and assign the following roles for the incident assessment and response:

  1. One incident commander
  2. One incident coordinator
  3. One IT forensics investigator
  4. One data analysis investigator
  5. One communications coordinator

The incident commander is responsible for coordinating all stages of the incident response process and acts as the leader of the investigation. In addition, the incident commander has the following duties:

  • Ensures the incident has been properly contained
  • Serves as the primary contact for the incident
  • Ensures appropriate stakeholders are designated specific roles and responsibilities
  • Includes additional resources and SPIRT virtual team members, as appropriate
  • Leads the incident responders to consensus on taking action or making decisions during the incident
  • Establishes out of band communication channels, as appropriate

The incident coordinator is responsible for the oversight of the incident response, including, but not limited to, the following duties:

  • Coordinates all meetings, including place, time, attendees, conference bridges, etc.
  • Aggregates documentation in a secured and centrally-stored facility (electronic/physical)
  • Provides documentation related to the incident to the SPIRT core team
  • Ensures adherence to this policy and any regulatory reporting requirements
  • Ensures interview communication plans are established
  • Establishes a response timeline

The IT forensics investigator is responsible for the electronic discovery of data from in-scope systems, applications, or logs. This function may involve an outside contractor performing the actual forensic investigation; UTSA has standing arrangements with organizations for this purpose. Other duties include:

  • Collect and preserve any physical and digital evidence in a forensically sound manner
  • Adhere to appropriate chain of custody procedures
  • Perform searches for relevant keywords, build timelines, etc.
  • Document any relevant findings and provide them to the incident coordinator
  • Capture system volatile memory, when applicable, before a system is powered down
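The chain of custody duties above are easiest to defend later if every collected artifact is hashed at the moment of collection and every hand-off is logged. The following is an added example of such a custody manifest, not a UTSA tool or part of this plan; the incident identifier, analyst names, file names and file contents are all constructed for the demonstration, and the manifest layout is an assumption, not a prescribed UTSA template.

```python
"""Chain-of-custody manifest for collected digital evidence.

Added example (not part of the UTSA plan): each collected artifact is hashed
at collection time and recorded with who collected it and when; later
handlers append custody events, and verify_manifest() re-hashes the
artifacts so any alteration after collection is detected. All paths,
incident IDs, names and contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images (memory dumps) fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(incident_id, collector, artifacts):
    """Record each artifact's name, size, hash and collector at collection time.

    artifacts: iterable of (path, description) tuples.
    """
    entries = []
    for path, description in artifacts:
        entries.append({
            "name": os.path.basename(path),
            "description": description,
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_by": collector,
            "collected_at": _now(),
        })
    manifest = {"incident_id": incident_id, "artifacts": entries, "custody": []}
    add_custody_event(manifest, "collected", collector)
    return manifest


def add_custody_event(manifest, action, handler, note=""):
    """Append a custody event (collected, transferred, analyzed, ...) to the chain."""
    manifest["custody"].append({"action": action, "by": handler, "at": _now(), "note": note})
    return manifest


def manifest_digest(manifest):
    """Hash of the canonical JSON form. Store it separately (e.g. in the incident
    coordinator's secured record) so edits to the manifest itself are detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(manifest, directory):
    """Re-hash every artifact in `directory`; return [(name, problem), ...], empty if intact."""
    problems = []
    for entry in manifest["artifacts"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            problems.append((entry["name"], "missing"))
        elif os.path.getsize(path) != entry["size_bytes"] or sha256_file(path) != entry["sha256"]:
            problems.append((entry["name"], "hash mismatch"))
    return problems


def demo():
    """Collect two constructed artifacts, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        memory_image = os.path.join(evidence_dir, "host-memory.raw")
        with open(memory_image, "wb") as fh:
            fh.write(b"constructed sample memory capture\n" * 4096)
        auth_log = os.path.join(evidence_dir, "auth.log")
        with open(auth_log, "w") as fh:  # constructed log line, not real data
            fh.write("Jan 01 12:00:00 host sshd[1234]: Accepted password for svc from 10.0.0.5 port 51234\n")

        manifest = build_manifest("INC-EXAMPLE-0001", "analyst (constructed)", [
            (memory_image, "volatile memory capture taken before power-off"),
            (auth_log, "copy of /var/log/auth.log"),
        ])
        add_custody_event(manifest, "transferred", "incident coordinator (constructed)",
                          "moved to secured evidence store")
        before = verify_manifest(manifest, evidence_dir)
        sealed = manifest_digest(manifest)

        # Simulate alteration of an artifact after collection.
        with open(auth_log, "a") as fh:
            fh.write("Jan 01 12:05:00 host sshd[1234]: session closed\n")
        after = verify_manifest(manifest, evidence_dir)

        # The manifest itself was not edited, so its sealed digest still matches.
        unchanged = manifest_digest(manifest) == sealed
        return before, after, unchanged


if __name__ == "__main__":
    print(demo())
```

The manifest digest is what the incident coordinator keeps in the centrally stored incident record; a copy of the evidence that fails verify_manifest(), or a manifest whose digest no longer matches, cannot be relied on as proof of the incident.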

The data analysis investigator is responsible for reviewing all aggregated documents, forms, transcripts, and other relevant materials. In addition, the data analysis investigator is responsible for the following duties:

  • Validate the scope of the incident and possible root cause
  • Establish the relevancy of all aggregated materials
  • Collect materials from interviews (e.g., transcripts and other artifacts) and present them to the team for further review
  • Quantify impact to UTSA and other affected individuals
  • Establish proof of the incident
  • Prepare incident reports and a comprehensive narrative of the incident
  • Prepare any necessary presentation materials

The communications coordinator must be prepared to respond to any authorized/approved party at any time throughout the incident. Responsibilities include:

  • Maintain awareness of the incident status throughout the investigation
  • Plan for controlled notifications to internal and external parties, including press releases, letters, website materials or other notifications

Remediating an Incident

Once a security or privacy incident is contained, the next steps are the measures UTSA takes to ensure the root cause has been addressed. These may include applying software updates, making network changes, modifying workflows, educating employees, or other similar measures. Remediation is complete when the probability of the incident recurring has been reduced or eliminated.

Maintaining confidentiality

To limit exposure and maintain confidentiality about the incident, only limited information about it should be disclosed in the initial notification (e.g., type/category of incident, date of occurrence, who reported it). An informed-parties log may be kept to record who has been informed about the incident, to what extent, and why. Throughout all communications, incident responders should be reminded that the incident is confidential and that information must not be shared outside the response team unless warranted.

Incident Report

The initial incident report must be presented and reviewed when the SPIRT core team convenes. The SPIRT data analysis investigator is responsible for compiling the data elements below as part of the incident response procedures. Templates appropriate to each type of incident are available. The incident report must contain the following elements:

  1. Incident Name
  2. Incident Description
  3. Dates and times
    1. Incident occurred
    2. Incident discovered
    3. Incident declared
    4. Incident remediated
  4. Assets involved
  5. Data involved
  6. Individuals involved
  7. Individuals affected
  8. Root cause analysis
  9. Containment steps taken
  10. Remediation steps taken
  11. Communications sent and received
  12. Regulatory reports required and sent
  13. Lessons Learned

Closing an Incident

Closing an incident indicates that the incident has been completely contained, remediated, and properly reported. Before an incident can be closed, every element of the incident report, as defined under Incident Report above, must be completed. Incidents can only be closed by consensus of the SPIRT core team. Upon closure the incident is regarded as resolved.