Incident Response - UWO Procedure
Original Issuance Date: July 11, 2017
Last Revision Date: December 2018
1. Purpose of Procedure
The Information Security Incident Response Procedure provides specific details of how information security incidents are handled within UW System institutions. This procedure has been developed to comply with UW System Administrative Policy 1033, Information Security: Incident Response, which requires every UW System institution to have such a written procedure.
2. Responsible UW Oshkosh Officer
Chief Information Officer (CIO)
This incident response procedure applies to UW Oshkosh employees.
This procedure has been developed to comply with UW System Administrative Policy (SYS) 1033, Information Security: Incident Response and the broader information security objectives of the UW System as outlined in Regent Policy Document 25-5, Information Technology: Information Security. SYS 1033 requires each UW System institution to have an information security incident response procedure.
An Information Security Incident is generally defined as any known or highly suspected circumstance that results in an actual or possible unauthorized release of information deemed to be of high risk or moderate risk to the University of Wisconsin Oshkosh, or an incident subject to regulation or legislation that is beyond UW Oshkosh’s sphere of control. This procedure will be tested at least annually under the leadership of the Chief Information Officer.
Data Definitions: There are important distinctions between High Risk data, Moderate Risk data and Low Risk data, which are necessary to properly classify an information security incident. The policy and procedures for data classification of the three data types are significantly different. Refer to SYS 1031 and 1031.A.
UW System Administrative Policy 1033, Information Security: Incident Response, requires the creation of an information security incident response procedure at each UW System institution. This policy requires that any individual who suspects that an information security incident has likely occurred must report it to the appropriate institution personnel.
A. Incident Response Team Roles
The Information Security Incident Response Team (ISIRT) is comprised of appropriate individuals and groups from within UW Oshkosh’s organization, charged by UW Oshkosh with the responsibility of assisting in the process described within this procedure. Depending upon the situation, additional external resources may be involved as well.
I. CHIEF INFORMATION OFFICER (CIO)
The CIO is responsible for executing or delegating the following:
Setting priorities during the incident and remediation
Notifying the UWSA Vice President for Information Security
Designating an alternate to cover the responsibilities of the CIO role in an incident response event if the CIO is unavailable
Notifying the University Marketing and Communication Officer as appropriate for internal and external communication
Chairing the Post Incident – Closeout Phase
Notifying the UW System Office of General Counsel, as appropriate
Notifying the Office of Risk Management, as appropriate
Contacting University Marketing and Communication for assistance, as appropriate
Communicating to the CIO Council when a high impact incident has been declared, as appropriate
Contacting the University Police Department and Emergency Management team, as appropriate
II. IT MANAGEMENT
Participating with the Chief Information Security Officer (CISO) in forensic investigation decisions
Chairing the Post Incident – Closeout Phase
Establishing a Post-Event Team to determine the root cause and root effect of the incident
III. RISK MANAGER
The Risk Manager is an emergency point of contact in situations in which a High Risk information security incident is suspected and the CIO and ISO are unable to be contacted in accordance with the timeframe identified within the documented initial incident escalation process.
IV. INFORMATION SECURITY OFFICER (ISO)
The ISO is responsible for executing or delegating the following:
Updating the CIO on a regular basis during a critical incident
Beginning an Incident Response case file and maintaining proper documentation of the incident
Managing incident resources
Activating the ISIRT, notifying the team of meeting locations and call-in telephone numbers and teleconference links
Developing containment procedures specific to each incident
Managing the incident work plan(s) and task assignments
Raising dependency issues for team consideration as they arise
Developing work plans that address tasks completed and outstanding
Certifying that all systems are returned to operational quality with the cause rectified
Ensuring destruction/retention of all materials at the end of an incident
Identifying external personnel/resources as needed
V. INFORMATION TECHNOLOGY SUPPORT STAFF
The Information Technology Support Staff Team members are responsible for the following:
Providing support to the Incident Response Team as required
VI. OFFICE OF GENERAL COUNSEL, UW SYSTEM
The Office of General Counsel Incident Response Team members are a resource for the following:
Providing guidance to the CIO regarding legal and regulatory aspects of the incident and its public disclosure
Advising the Office of Human Resources and Workforce Diversity regarding investigations involving employees
Advising the CIO and/or ISO regarding the decision to simply protect UW System information technology operations or to also pursue civil or criminal actions
Consulting with the CIO and/or ISO regarding involvement with law enforcement
Advising the CIO and/or ISO regarding involvement with regulatory agencies
Reviewing communications drafted by the Office of University Marketing and Communications as required
Communicating with external counsel
VII. OFFICE OF RISK MANAGEMENT, UW SYSTEM ADMINISTRATION (UW SYSTEM)
The Office of Risk Management Incident Response Team members are a resource for the following:
Providing subject matter area expert advice
Assisting in interviews when necessary
Notifying UW System’s cyber liability insurer, as appropriate
This contact information is provided as a means to establish team contact in a situation in which electronic directory services may not be accessible.
ISIRT members are accountable to the University CIO for the execution of relevant protocols contained within this procedure and associated activities.
VIII. UNIVERSITY POLICE DEPARTMENT
The University Police Department Incident Response Team members are a resource for the following:
Coordinating with external law enforcement as required
Communicating with the Federal Bureau of Investigation (FBI) as requested by the Office of General Counsel and CIO
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification
UW System Administrative Policy 1033, Information Security: Incident Response
8. Policy History
First Approved: July 11, 2017
9. Scheduled Review