Information Security Incident Response
Policy
POLICY SUMMARY
It is vital to the Institute and its community that any security incident that threatens the security or privacy of confidential information is properly contained, investigated, remedied and documented. Therefore, this policy will provide the basis for appropriate response to incidents that may threaten the confidentiality, integrity or availability of digital assets, networks, and information systems that may store or deliver that information. The goal of this plan is to define, detect, isolate and formulate a response to computer security incidents. It will provide the basis for determining the scope and risk of the incident, and for communicating the results to the stakeholders, students, faculty, staff and Federal regulators when appropriate, in order to reduce the likelihood of the incident reoccurring.
Reason for Policy
The Incident Response Policy applies to all members of the Pratt Institute community. This includes faculty and staff members, students, alumni, guests, and contractors. This Policy also includes computing or network devices owned, leased, or otherwise controlled by Pratt Institute. Additionally, incidents involving confidential information apply to any computing or network device, regardless of ownership, on which confidential or restricted information is stored or by which access to confidential or restricted information might be gained. (Examples include, but are not limited to: a mobile device on which credentials are stored which could be used to access confidential data, a server housed in an off-site facility.)
Policy
Any intrusion attempts, security breaches, theft or loss of hardware, software or exfiltration of data must be reported to the Pratt Technology Desk as soon as the user becomes aware of the incident. Anyone with knowledge, or a reasonable suspicion of an incident that violates confidentiality, integrity, or availability of data or services has a responsibility to report the incident to the following address: Email: services@pratt.edu or Call 718-636-3765 or Go directly to Activity Resource Center Room 101.
REPORTING A SECURITY INCIDENT
A security incident intake form shall be filled out, recorded and used for auditing and lessons-learned purposes. The Pratt Technology Desk will evaluate, record and assign the incident to the System Security Analyst, who is solely responsible for determining whether the incident IS or IS NOT a breach of confidential information.
If the incident is determined NOT to be a breach of confidential information, it shall be assigned to the System Security Analyst, who will determine the level of security risk and work with the proper Administrators to mitigate the incident.
If the System Security Analyst in collaboration with other appropriate staff determines there IS a breach/violation of confidential data security, an Incident Response Team will be formed consisting of appropriate administrators and staff. The purpose of this team is to determine the appropriate course of action to take to address the incident. The VP of Information Technology shall designate the team members. Membership will include individuals from IT whose primary responsibilities consist of maintaining affected systems from which the data was compromised.
The Incident Response Team's responsibility is to assess the potential and actual damage caused to the Institute by the Confidential Data Security Incident. Among its responsibilities is to develop and execute a plan to mitigate the damage caused by the incident. The Incident Response Team has a responsibility to share information with members outside of the team on a need-to-know basis and only after consultation with and approval from the VP of Information Technology.
While the members of the Incident Response Team have defined daily roles and responsibilities, their responsibilities while addressing a security incident will take priority over their normal duties.
The Incident Response Team formed to respond to the Confidential Data Security Incident should approach the incident and assess it according to the following factors. The factors should be followed in decreasing order.
- Safety - If the system involved in the incident that the team was formed to assess and mitigate poses a danger to human life or safety, responding rapidly and appropriately is the top priority.
- Criticality of Systems - Confidentiality, availability and integrity of critical systems is a major concern for the Institute. The ability to isolate problems and maintain the confidentiality, availability and integrity of a system is pivotal to the success of the Institute. Urgent concerns should be addressed promptly and appropriately. Pivotal IT staff members should be available for consultation.
- Identify - Work promptly and efficiently in order to understand the scope of the incident. Being able to identify the problems with the systems and data affected is important and a high priority.
- Containment - Once the safety of people and systems has been resolved and the problems have been identified, it may be necessary to take further action in order to keep the incident from spreading. Actions such as segmentation or disconnection from the network may be necessary.
- Preservation of evidence - A plan to properly preserve the evidence must be formulated with proper steps for implementation. Any plan must ensure data integrity and must follow proper chain of custody standards. Steps that may be taken include, but are not limited to: cloning of a hard disk, preservation of log data, screen captures or collection of browser history. Preservation of the evidence should be logged and addressed quickly and efficiently in order to restore any affected systems as soon as practical.
If, in the judgement of the VP of Information Technology, the incident is expected to cause a significant amount of harm to the Institute, its community or any other subject of the compromised system or data, the VP of Information Technology may recommend that a Senior Response Team be formed. The Senior Response Team will be tasked with analyzing the incident and breach of personally identifiable information (PII). They will then determine the best course of action for notifying the individuals whose PII has been compromised, as well as for informing any Federal and local agencies in accordance with Federal standards such as The Family Education and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), General Data Protection Act (GDPR) or any Federal regulation the Institute must adhere to. It will be the responsibility of the Senior Response Team to consider the following factors:
- Legal duty to notify appropriate parties (Law enforcement, Federal Regulators)
- Length of the compromise
- Human involvement
- Sensitivity of the compromised data
- Existence of evidence that the affected systems were compromised outside of normal operations.
- Any other factors the members of the Incident Response Team and Senior Response Team consider valuable information.
INCIDENT RESPONSE LIFECYCLE
PREPARATION
This phase, as its name implies, deals with preparing a team to be ready to handle an incident at a moment's notice. An incident can range from a power outage or hardware failure to the most extreme incidents, such as a violation of organizational policy by disgruntled employees or being hacked by state-sponsored hackers.
IDENTIFICATION
This phase deals with the detection and determination of whether a deviation from normal operations within an organization is an incident. This step requires one to gather events from various sources such as log files, error messages, and other resources, such as intrusion detection systems and firewalls. These sources may produce evidence to determine whether or not an event is an incident. If a particular event is determined to be an incident, then it should be reported as soon as possible in order to allow the Incident Response Team enough time to collect evidence and prepare for the following steps.
CONTAINMENT
The primary purpose of this phase is to limit the damage and prevent any further damage from happening. There are several steps to this phase; each one is necessary in order to completely mitigate the incident and prevent the destruction of any evidence that may be needed later for prosecution. The first step is Short-term Containment; the focus of this step is to limit the damage as soon as possible. Short-term containment can range from something as straightforward as isolating a network segment of infected workstations to taking down production servers that were hacked and having all traffic routed to failover servers. Short-term containment is not intended to be a long-term solution to the problem; it is only intended to limit the incident before it gets worse.
ERADICATION
Complete removal of all malicious software and components. The process may include:
● Identifying all affected hosts within (and sometimes beyond) your organization, so the hosts may be fixed.
● Locating the source of the attack in order to remove all instances of the software.
● Carrying out malware analysis to assess the damage and to discover and catalogue indicators of compromise that will reveal other machines that have been affected by the same malware or intruders.
● Checking to see if the attacker has responded in any way to your actions.
● Anticipating a different form of attack and developing a response.
● Allowing sufficient time to ensure that the network is secure and that there is no response from the attacker.
RECOVERY
The process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible, and of restoring systems to their previous state before the attack. Steps may include:
● Replacing compromised files with clean versions.
● Rebuilding infected systems.
● Removing temporary constraints that were imposed whilst containing the attack.
● Changing passwords on compromised accounts.
● Installing patches, changing passwords and tightening network perimeter security.
● Testing all systems thoroughly – including security controls.
● Confirming the integrity of business systems and controls.
POST-INCIDENT ACTIVITY
After a breach or attack the IRT will be provided with the opportunity to learn what happened, why it happened and how it can be prevented from happening again. Lastly the information should be documented, and a report should be generated for upper management. The following steps should be taken in a Lessons Learned approach.
● Discovery - The team discusses a way to make improvements to a process. This allows for a holistic approach in analyzing the issue.
● Validation - Allows others to test the suggestions from the discovery phase.
● Integration - A lesson can be applied to the organization in this phase.
● Assessment - During this phase the team will determine whether or not the solution was successfully integrated into the system.
● Report - The team will provide a full report of the incident along with any lessons learned and any actions that can be taken in order to improve Institutional security.
Definitions
SECURITY INCIDENT
Any event that accidentally or purposefully threatens the personal safety, privacy, reliability, confidentiality, integrity or availability of Pratt's systems, applications, data or networks. Some examples of Pratt systems include, but are not limited to:
● Servers
● Desktop Computers
● Laptop Computers
● Workstations
● Mobile Devices (Phones, tablets)
● Network Equipment (Routers, Switches, Ethernet Ports)
Examples of Security Incidents include, but are not limited to:
● Intentional or accidental disclosure of Confidential or Sensitive data
● Theft or loss of Pratt computer equipment such as a laptop or mobile device
● Unauthorized access either accidentally or intentionally
● Malware or Virus infection
● Denial-of-Service (DoS) attack.
● Distributed Denial-of-Service (DDoS) attack
● Unauthorized access or compromise of Pratt systems known to house sensitive or confidential information.
● Unauthorized access to network equipment or software such as routers, firewalls or switches.
● Any attempt to exfiltrate or share sensitive or confidential data with unauthorized entities.
● A virus or worm used to open file shares to infect one or many desktops, laptops or workstations
● An attacker uses tools to exploit vulnerabilities in Pratt systems to gain access to Pratt system passwords or hashes
● Intentionally or accidentally violating an explicit or implied Pratt security policy
● Unauthorized modification of personal or sensitive information; for example: Altering information in Colleague outside of the scope of your duties.
CONFIDENTIAL INFORMATION
Information gathered or disclosed which may not be disclosed to a third party without prior consent. Information that must be safeguarded in order to protect the privacy of individuals or the Institute. This includes, but is not limited to:
● Salary Information
● Credit or debit card numbers
● FERPA protected information
● HIPAA protected information
● GDPR protected information
● Tax return information
● Background check reports
● Credit reports or credit history
● Passwords, passphrases, PIN numbers, security codes, access codes, employee/student ID numbers
Confidential information also includes any proprietary information or intellectual property in which Pratt Institute has ownership rights or exclusive legal interest. Any information that may cause critical harm to the Institute, its faculty, staff and students may also be considered confidential information. Examples of these include, but are not limited to:
● Data, software, intellectual properties and/or other material for which the Institute has agreed to maintain confidentiality
● Financial information
● Business Planning
PERSONAL INFORMATION
Personal information means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier. This includes, but is not limited to:
● Location data such as IP address, or other data or information that identifies the geographical location of the subject
● Name
● Identification number
● Social Security number
● Factors specific to physical, physiological, genetic, mental, cultural or social identity of a natural person
● Driver’s license or government issued identification number
● Credit or debit card number along with PIN or password which would permit a third party access to the data subject's financial records
ENFORCEMENT
Any violation of this policy is a cause for disciplinary action. Any action taken due to violating this policy may result in, but is not limited to:
● Loss of Institutional computing services such as email, network access or computer use privileges;
● Employees may be subject to disciplinary action or termination;
● Attending a class and/or successful completion of a quiz;
● Prosecution under civil or criminal laws;
● Suspension or expulsion from the Institute.
VIOLATIONS
Reports of data and systems compromises and the exposure of personal and restricted information should be immediately reported to: services@pratt.edu or call 718-636-3765
Revision History
| Version | Date | Update | Written By |
|---|---|---|---|
| 1.0 | 12/19/2018 | N/A | David Soto - System Security Analyst |
| 1.1 | 2/14/2019 | Draft Update | David Soto - System Security Analyst |
| 1.2 | 5/1/2019 | Update to address grammatical errors | David Soto - System Security Analyst |
| 1.3 | 9/3/2019 | Updated recommended changes | David Soto - System Security Analyst |
Pratt Institute’s System Security Analyst is responsible for the maintenance and revision of this document.