9.8.6 Procedures for Information Technology Security Incident Reporting
The following procedures establish responsibility for reporting and responding to security incidents involving Illinois State University's information technology resources, computers, networking systems and data, collectively defined here as "ISU Information Technology Resources and Systems". When information security incidents occur it is necessary to respond in a manner that is expedient, consistent, and proportional to the situation.
II. Information Security Incident Response
Information technology security incident - an event that:
- Impacts or has the potential to impact the confidentiality, availability, or integrity of ISU Information Technology Resources and Systems.
- Violates state or federal law or the policies and procedures of the University.
The following individuals/teams are involved in incident response and may include overlapping members or may be made up of different members that will handle security incidents:
IT Security Incident Coordinator - The individual responsible for monitoring, evaluating, and determining the appropriate response to incident reports. The Incident Coordinator coordinates incident investigation and implements the Information Technology Security Incident Response Plan. The Incident Coordinator needs to be accessible during off-hours, as incidents often take place outside of normal working hours, on weekends or on holidays, and should have a backup to ensure that someone is available should an incident take place. The University's Chief Technology Officer and the Associate Vice President for Administrative Technologies are responsible for designating the Incident Coordinator and their backup.
IT Security Incident Response Team (ITSIRT) - This team performs specific investigative, containment, eradication, recovery, and follow-up steps. This team should consist of technology and functional specialists from various units in disciplines that may include:
- A representative from the site/area where the security incident is suspected (e.g. department head, web administrator, network administrator, security liaison, etc.)
- Staff knowledgeable about or considered experts in the type of suspected incident
- Computer forensic specialists
- Data security personnel
- Personnel responsible for the physical security of a site under investigation. This is especially important if the area is secured by alarms or other physical controls
- Other personnel determined at the time to be necessary to complete the incident determination, investigation, containment, and/or eradication.
Unit Security Liaisons - Individuals identified by Deans, Directors and Department Heads to act on their behalf to submit requests for access to ISU Information Technology Resources and Systems and serve as the primary contact for security incident response issues as stated in 9.8 Policy on Security of Information Technology Resources and Systems.
III. Information Technology Security Incident Reporting
Any individual or group who in the course of using ISU Information Technology Resources and Systems observes an information technology security incident shall report that incident.
Suspected criminal activity involving ISU Information Technology Resources and Systems shall be reported to the Illinois State University Police. Such activity includes but is not limited to: computer theft, credit card theft. Criminal activity can be reported in person at ISU Police offices or by telephone at (309) 438-8631 (voice) or (309) 438-8266 (TTY). To report crimes in progress or other emergencies, dial 9-1-1 or use a nearby campus emergency blue light kiosk.
In accordance with the Illinois Abused and Neglected Child Reporting Act (325 ILCS 5/4.5), any Illinois State University employee who, in the course of their duties for the University, installs, repairs or services information technology resources or systems and discovers any depiction of child pornography shall immediately report that discovery to the IT Security Response line: 438-ITSR (4877).
Copyright and Intellectual Property
Suspected violations of copyright and intellectual property rights shall be reported to the University Digital Millennium Copyright Act (DMCA) agent at firstname.lastname@example.org.
All other incidents
Individuals reporting security incidents
- Individuals should initially attempt to contact their designated Unit Security Liaisons.
- If their designated Unit Security Liaison is unavailable, individuals should complete the Information Technology Security Incident Report form.
- The form will be reviewed by a member of the Information Technology Security Incident Response Team (ITSIRT). A member of the ITSIRT will contact the individual and provide them with a response plan designed to repair the system, restore services, and document the incident.
- If the security incident has potentially serious consequences, individuals should report the incident to the Information Technology Security Response line at 438-ITSR (4877). If the incident also requires immediate police attention, contact the University Police at 438-8631.
Unit Security Liaisons reporting security incidents
Unit Security Liaisons shall report information technology security incidents involving information technology resources within their area of responsibility. The procedures to report incidents are dependent upon the classification of the resource or system.
Highly Restricted Data
If the incident involves data with the classification of "Highly Restricted" do the following:
- Take immediate action to contain the incident.
- Phone the IT Security Response line at 438-ITSR (4877).
- Wait to be contacted by a member of the IT Incident Response Team.
If the incident involves data with the classification of "Restricted" do the following:
- Take immediate action to contain the incident.
- File an IT Security Incident Report form, including a description of the incident and documenting any actions taken thus far. If unable to access the form, report the incident by calling 438-ITSR (4877). The ITSIRT will investigate the incident in consultation with the security liaison and develop a response plan.
- Notify the appropriate college, department or unit administrator that an incident has occurred and that the ITSIRT has been contacted.
- Refrain from discussing the incident with others until contacted by a member of the ITSIRT.
If the incident involves data with the classification of "Unrestricted" and does not seriously impact individuals or the university do the following:
- Repair the system and restore service.
- Document the incident by filing an IT Security Incident Report form, including a description of the incident and documenting any actions taken.
If the classification of the information system or resource is not known, follow the procedures for "Restricted".
The University's Chief Technology Officer and the Associate Vice President for Administrative Technologies are responsible for the creation and maintenance of any procedures, processes, or functions in support of response to Information Technology security incidents.
Last Review: July 2013