Montana State University

IT Security Incident Response Policy


Subject:IT Security Incident Response

Policy:University IT Security Incident Response

Revised: September, 2007

Effective Date: October 12, 2007

Review Date:October, 2010

Responsible Party: Information Technology Center



Introduction and Purpose

This policy governs the general response to and handling of computer and information security incidents so that the appropriate steps are followed in the event of a suspected breach. The policy establishes responsibility and accountability for addressing computer security incidents so that each incident is handled and reported in accordance with applicable law and in a manner that best protects the University, the integrity of its data and computing systems and the privacy of its students and employees.

Policy

When a suspected security incident involving the MSU computing, networking, or information environment is identified, the procedures outlined in the MSU Incident Response Guidelines will be followed.

1. Definitions:

Security Incident – Theft, loss, misuse, exposure, or other activities contrary to the University’s Data Stewardship policy; intrusion, denial of service, corruption of software, or other breach or compromise of the University’s information infrastructure resulting in an impact to University operations.

Incident Response Management Team – Individuals responsible for management decisions related to incident handling. Decisions include, but are not limited to, the extent to which forensics will or will not be performed, the need to include additional entities in the response (Legal Counsel, University Police, external agencies, etc), and any communication and notification activities. Management Team members include the following (or their delegates):

  • Enterprise Security Manager
  • Chief Information Officer
  • Director, Communications and Public Affairs (as needed)
  • Director, ITC Network, Systems, and Operations (as needed)
  • Director, ITC Administrative Systems Group (as needed)
  • Director, ITC Sales and Support Services (as needed)
  • Director, Division Planning and Coordination (as needed)

Incident Response Operational Team – Individuals responsible for hands-on response activities. This includes identifying the type of incident (physical theft, worm infection, server breach, inadvertent posting, etc), determination of the type of data involved and extent of exposure (when applicable), whether or not the breach is still active, and all other appropriate response and remediation steps as determined by the Incident Management Team in accordance with the Incident Response Guidelines. Operational Team members include:

  • Representatives from the MSU Security Committee
  • Representatives from the MSU Security Operations Team
  • Others as appropriate

2. Applicability

This policy applies to any Security Incident involving the computing, networking, or information infrastructure of MSU.

3. Responsibilities

The individual who identifies the suspected incident is responsible for immediately notifying the ITC Help Desk which will open the incident log and notify the Incident Response Management Team. The Incident Response Management Team will determine the appropriate response and work with the Incident Response Operational Team to implement the steps necessary to address the incident in accordance with relevant laws, based upon the incident and resource availability.

 All members of the MSU community will work cooperatively with Incident Response Management and Incident Response Operational team members during activities associated with the handling of an incident. All individuals involved in the response to a suspected breach will be accountable to the Incident Response Management Team and shall perform the steps identified by the team for addressing the incident.

4. Sanctions

If the incident is deemed to be the result of intentional or grossly negligent violation of MSU Policy, sanctions  may be levied  which may include departmental responsibility for the cost incurred associated with response activities, mandatory training for departmental personnel, and/or other steps as deemed appropriate by the IT Governance Council. 

5. Exclusions

None.

6. Interpretation

Ultimate authority to interpret this policy rests with the President but is generally delegated to the CIO and Legal Counsel, in conjunction with the Enterprise Security Manager.