P301: Cyber Incident Response Policy
- Issued by:
- Information Security Program Council (ISPC)
- June 2017
In order to achieve this policy's objectives, the University's Information Security Program Council (ISPC) shall ensure:
- Procedures and processes are in place to identify and respond to suspected or known incidents. Such procedures and processes should: mitigate incidents to the extent practicable, measure harmful effects of known incidents, document incidents and their outcomes, include the collection of evidence, and provide appropriate reporting about incidents management.
- Incident response plans are in place. Such plans will include examples of security incidents and the appropriate responses.
- An Incident Response Team is assembled to receive notice of events of interest (EOI) and incidents and to manage the process of investigating, responding to, and reporting of an incident.
- Incident Response Team members understand their roles and responsibilities.
ESTABLISHMENT OF AN INCIDENT RESPONSE TEAM
The ISPC, sensitive system workers and sensitive information workers are responsible for incident detection and remediation of information resources. The CISO or designee and other ISPC members will consult key representatives of Stony Brook University (SBU) IT, Human Resources, Office of General Counsel, or other departments as warranted to establish an Incident Response Team appropriate to respond to a specific incident.
As necessary, staff shall be assigned to manage specific security incidents:
- Initial Investigations. An Incident Response Plan (Plan) shall provide a quick and orderly response to incidents. The Plan will identify steps to be followed for the initial reporting of events of interest (EOI) and subsequent investigations. Where appropriate, staff should be available to handle incidents reported outside of standard business hours.
- High Impact Decisions. An Incident Management Advisory Board (Advisory Board) comprised of senior leaders will make select decisions throughout an incident.
- Pursue or Protect. The Advisory Board will decide if an incident response calls for pursuit (watch and learn) instead of protect (containment). Until the Advisory Board makes a clear decision, the default response will always be to protect and steps to contain any potential damage will be taken as soon as possible.
- Documentation and Communications. The initial investigations staff will inform the CISO or designee of the incident and the preliminary risk classification. The CISO shall follow the guidelines identified in the Documentation and Communication of Incidents section of this Policy.
- Responder Procedures. Appropriate procedures and staff shall be identified to address the specific incident. Responders will attempt to identify as much information about the event to limit additional adverse effects. Responders and appropriate staff will follow procedures where appropriate or recommend to the CISO or designee appropriate actions to be taken.
- Incident Reporting. Management will be informed on the status of ongoing incidents. A post incident report shall be created.
IDENTIFYING AND REPORTING INCIDENTS
The Incident Response Team shall work with SBU departments to establish proactive monitoring systems that can identify potential incidents. In addition, any Stony Brook University (SBU) community member may refer an event of interest (EOI) or concern to the Incident Response Team or designee. A triage team comprised of a subset of Incident Response Team members will determine if the reported event should be classified as an incident as outlined in an Incident Response Plan (Plan).
Once an EOI has been classified as a high severity incident, the Incident Response Team will log and track incidents and take steps to investigate, escalate, remediate, refer to others, or otherwise address as outlined in this Policy and the Plan.
In addition to reporting incidents, community members should report to the appropriate management any suspected weaknesses or deficiencies in information resources.
DOCUMENTATION AND COMMUNICATION OF INCIDENTS
The ISPC will ensure that incidents are appropriately logged and archived. Incident reporting will be provided by the CISO (or designee) to senior leadership and the ISPC.
The CISO (or designee) and Incident Response Team representatives are responsible for communicating incident details to appropriate personnel and maintaining contact, for the purpose of update and instruction, for the duration of the incident.
SPECIAL SITUATIONS AND EXCEPTIONS
By using mobile devices within the Stony Brook University (SBU) network for business purposes, Staff are subject to Stony Brook University (SBU) policies restricting their use. Any mobile devices, including those that are personally owned, such as phones, wireless devices or other electronic transmitters, may be subject to examination by Stony Brook University (SBU) Staff in the event of an incident.
In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures including chain of custody shall be required for collection, retention, and presentation of evidence to support potential legal action subject to the relevant jurisdiction.
Cloud computing agreements shall be put in place to ensure privacy and tenant breach formal notification upon the compromise of Stony Brook University system(s) or data.
Over time, the CISO and ISPC shall identify and document how to address special situations and exceptions as needed.
BREACH OF SENSITIVE INFORMATION
Where sensitive data is involved, the breach will be reported according to all mandates applicable to the category of sensitive data involved.
The CISO shall provide appropriate reporting to senior leadership and identified management. Such reporting may include, but is not limited to; updates to inform management of relevant details, risks, current status and progress, tasks to be completed, and expected outcomes and dates. Post incident reporting shall include appropriate details, mitigation actions and timeframes, and lessons learned.
In addition to reporting of specific incidents, the ISPC shall provide annual reporting to University Senior Leadership summarizing incidents reported and actions taken. The annual report may identify numbers and types of incidents, impact, costs incurred, lessons learned, and other relevant factors.
Incident reports and supporting documents shall be retained in accordance with New York State (NYS) and SUNY data retention policies.
Event of Interest (EOI) - potential incident that warrants further investigation
Incident - adverse event or significant threat of such in an information system, network or resource
Management - Individuals within the organization that have supervisory responsibilities
Additional definitions are listed in P300: Information Security Program Administration Policy
Specific questions concerning information security or this policy should be referred to:
Information Security Program Council (ISPC)