Description

The purpose of this Control is to provide the basis of effective and appropriate response to incidents that threaten the confidentiality, integrity, and availability of university data, assets, information systems, and networks. The Incident Response Policy Control provides the procedure and process for monitoring, detection, response, documentation, and appropriate reporting internally and externally. Finally, the Control establishes responsibility and accountability for all steps in the process of addressing computer security incidents. Further, it is the purpose of this Control to ensure computer security incidents that threaten the security or privacy of confidential information are properly identified, contained, investigated, and remedied.

Applicability

  • This Control applies to all Texas A&M University (TAMU) employees, students, information resource users, administrators, and owners, or designees. This Control also applies to all TAMU assets as part of all colleges and departments whether academic or non-academic. The applicability of this Control is not limited to person(s) or assets residing permanently or temporarily in any one state. This Control addresses, in part or whole, controls and control sets in regard to Information security monitoring, detection, and response across all federal, state, TAMU System (TAMUS), and University regulations.

Implementation

1. Information Security Incident Handling Priorities

  1.1 Priorities for handling information security incidents are as follows:

    1.1.1 Protection of human life and safety;

    1.1.2 Protection of CONFIDENTIAL and CONTROLLED (PROTECTED, PRIVATE, and PROPRIETARY) information;

    1.1.3 Prevention of damage to systems and restoration of systems to routine operation as quickly as possible; and

    1.1.4 Collection and analysis of information to determine if a violation of TAMU’s Information Security Policies or the commission of a computer crime has occurred.

2. Information Security Incident Recognition

  2.1 System and application Users may not readily recognize that a computer incident has occurred. These issues are frequently difficult to identify and require analysis to determine whether an incident has occurred and what its impact is. It is imperative that Users report suspected incidents immediately to TAMU’s Help Desk Central (helpdesk@tamu.edu or phone (979) 845-8300).

3. Reportable Information Security Incidents. Reportable Information Security Incidents include, but are not limited to, the following:

  3.1 Unauthorized Disclosure

    3.1.1 CONFIDENTIAL and CONTROLLED (PROTECTED, PRIVATE, and PROPRIETARY) information is disclosed without authorization.

  3.2 System Incapacitation or Loss

    3.2.1 A system’s ability to function is impaired by a high volume of activity from various sources.

    3.2.2 A resource such as power, network access, or routing tables is modified, degrading the system’s ability to perform normal functions.

    3.2.3 Malicious code (virus, Trojan horse, malware, etc.) interferes with a system’s operation.

    3.2.4 An asset is stolen, damaged, or destroyed.

  3.3 System Tampering

    3.3.1 A User ID is employed to gain access to system administrative functions without prior authorization.

    3.3.2 A system weakness allows access to system administrative functions by unauthorized Users.

    3.3.3 A valid User ID is permitted to gain access to system administrative functions without authorization.

    3.3.4 Non-Administrative personnel are allowed to perform Administrative System functions.

  3.4 Information Tampering

    3.4.1 A User ID is employed to gain access without authorization to password files, protected or restricted data, licensed applications, software, or restricted applications, software, and/or code.

    3.4.2 A system weakness allows unauthorized access to password files, protected or restricted data, licensed applications, software, or restricted applications, software, and/or code.

    3.4.3 A theft of information assets provides access to password files, protected or restricted data, licensed applications, software, or restricted applications, software, or code.

  3.5 Misuse of Information Technology

    3.5.1 A User installs unlicensed software.

    3.5.2 A User’s account is employed in violation of Legal Statutes, Regulations, or University Policies.

  3.6 Unauthorized Access

    3.6.1 A valid User ID is employed without authorization.

    3.6.2 A system weakness is exploited, but no access is gained outside the account’s authorizations.

    3.6.3 A User’s privilege to access information is higher than that which was authorized.

    3.6.4 Access to facilities (buildings, rooms, secure areas) is gained without authorization.

    3.6.5 A User’s laptop or desktop computer is stolen.

  3.7 Unauthorized Use

    3.7.1 Any use of CONFIDENTIAL and CONTROLLED (PROTECTED, PRIVATE, and PROPRIETARY) information for a purpose not specifically permitted based on the User’s need to know.

    3.7.2 Attempted exploration of information assets.

    3.7.3 Illegal data gathering is directed against a system (port scanning, sniffing, net scanning, etc.).

    3.7.4 Actions are attempted that could impair a system’s ability to function.

    3.7.5 Actions are attempted that could result in a system or information compromise.

  3.8 Non-System Incidents

    3.8.1 Physical Access Incidents – Unauthorized access to facilities results in information asset exposure or compromise.

    3.8.2 Physical Access to Information – Unauthorized parties gain access to CONFIDENTIAL and CONTROLLED (PROTECTED, PRIVATE, and PROPRIETARY) information.

    3.8.3 Equipment Control Incidents – TAMU information assets are exposed or compromised due to a lack of control over computing equipment.

    3.8.4 Media Control Incidents – TAMU information assets are exposed or compromised due to a lack of control over computing media.

    3.8.5 Individuals without proper identification are present in areas that require identification to be displayed.

    3.8.6 Individuals are observed making unauthorized copies (hard copy or electronic) of CONFIDENTIAL and CONTROLLED (PROTECTED, PRIVATE, and PROPRIETARY) information.

  3.9 Physical Safeguards/Environmental Hazards – TAMU information assets are exposed or compromised due to an environmental hazard such as a tornado or thunderstorm.

4. Reporting Information Security Incidents. All attempted or successful information security incidents, such as a break-in, intrusion, computer virus, suspicious email or phone communications, or suspected illegal or unethical activity, shall be reported as quickly as possible.

  4.1 When any individual observes or suspects the occurrence of an information security incident, they shall report the incident to TAMU Help Desk Central (helpdesk@tamu.edu or phone (979) 845-8300). Help Desk Central will contact the Incident Response Team. When an Incident Response Team member is made aware of a potential incident, they shall ensure that the appropriate actions are taken in response to the incident.

  4.2 Any attempt to interfere with, prevent, obstruct, or dissuade an individual in their efforts to report a suspected information security problem or violation is prohibited. Any form of retaliation against an individual reporting or investigating information security problems or violations is also prohibited.

  4.3 It is recommended that Users not respond directly to the originator of suspicious or offensive electronic mail messages or telephone calls. It is recommended that Users retain copies of messages, notes, or voicemail entries of this nature and turn them over to the TAMU Incident Response Team.

5. Incident Response Team. The Incident Response Team (IRT) is a team of experienced security professionals and technicians with the authority and expertise to resolve a system incident. The Incident Response Team reports to the Office of the CISO as part of the TAMU Division of IT.

  5.1 Depending on the type of incident, temporary members represented on the Incident Response Team may also include:

    5.1.1 TAMU Division of IT Executive Leadership Team

    5.1.2 One or more college-specific Information Security Officers (ISO)

    5.1.3 The TAMU Privacy Officer

    5.1.4 College-specific Information Systems and/or information technology support individuals

    5.1.5 Members of TAMU Network and Infrastructure teams

    5.1.6 TAMU Office of Facilities Coordination

    5.1.7 TAMU University Risk & Compliance

    5.1.8 Office of General Counsel

    5.1.9 TAMU Division of Marketing & Communications

  5.2 The Incident Response Team is responsible for:

    5.2.1 Analysis/investigation,

    5.2.2 Verification of an incident,

    5.2.3 Determining the impact,

    5.2.4 Resolving the incident,

    5.2.5 Recovering from the incident, and

    5.2.6 Compiling the security incident report.

  5.3 The Incident Response Team shall develop, modify, periodically update, and regularly test the Incident Response Procedures.

  5.4 When a possible information security incident is reported, the Incident Response Team shall investigate the incident, analyze available data, and resolve the incident. All data collected during the investigation shall be maintained to assess changes necessary to avoid future incidents, categorize the incident for reporting purposes, and identify responsible parties. If responsible parties are identified, the information may be provided to the appropriate entities at TAMU, TAMUS, regulatory bodies, or law enforcement as required by law.

  5.5 The Incident Response Team is responsible for communicating with and escalating information to the TAMU Privacy Officer, TAMU University Risk and Compliance, individuals in TAMUS, and others, as appropriate and for the benefit and protection of TAMU, its employees, and students.

  5.6 The contact information below can be used to report Security Incidents:

    5.6.1 TAMU Help Desk Central: (979) 845-8300 or helpdesk@tamu.edu, or

    5.6.2 TAMU Security Incident Reporting: security@tamu.edu

6. Extended Incident Response Coordination. The following addresses roles and activities in response to security incidents that have severe impact and consequences beyond the University.

  6.1 Roles

    6.1.1 Chief Information Security Officer (CISO) – The CISO or designee will identify an Extended Incident Response Team (Extended IRT) Incident Manager (IM). The CISO is the university’s internal point of contact for all information resources security matters. The CISO may function as the Incident Manager on the Extended IRT.

    6.1.2 Incident Manager (IM) – The individual assigned by the CISO or designee to provide operational management to the Extended IRT. When activated, all information resource incident activities are coordinated by this individual, including, but not limited to: assessment, containment, mitigation, repair, restoration of services, investigations, reports, etc.

    6.1.3 Extended Incident Response Team (Extended IRT) – Personnel responsible for coordinating, responding, investigating, and remediating cybersecurity incidents that have severe, far-reaching impacts beyond the University. In the case of such an incident, Extended IRT members may also include (but are not limited to):

      6.1.3.1 Incident Manager,

      6.1.3.2 Unit IT Manager or Designee (from the unit whose resources were impacted),

      6.1.3.3 University President’s Representative,

      6.1.3.4 University Marketing and Communications Representative, and

      6.1.3.5 Office of General Counsel (OGC), which may be called upon to help assess the need for legal action.

    6.1.4 Unit IT Manager – An individual assigned by the unit head who will be the unit’s contact with the Extended IRT IM for questions regarding ongoing objectives and actions being taken to mitigate the effects of the cybersecurity incident. This individual serves as liaison between the Extended IRT and the unit head(s). During the incident, this individual reports directly to both the IM and their respective unit head.

    6.1.5 Supporting Incident Resources – Individuals who are not specifically identified in this section but provide support to Extended IRT functions. Such resources may be individuals with a particular skill or third parties with access to needed resources, and they may be called upon to provide various services or other duties.

    6.1.6 University Police Department (UPD) – UPD is normally the liaison between the university and law enforcement agencies external to the university. While a cybersecurity incident is ongoing, UPD will coordinate directly with the assigned IM or designee as needed.

7. Preparation and Planning

  7.1 It is essential that pre-incident planning take place for timely and orderly response of needed resources.

  7.2 Appropriate university personnel shall be identified by the Incident Manager as potential candidates to populate the Extended IRT.

  7.3 The Extended IRT will have appropriate training and experience sufficient to ensure that skills have been acquired to fulfill assigned roles.

  7.4 Incident response exercises will be organized on a periodic basis to ensure that all Extended IRT members are familiar with their assigned roles and can work together efficiently.

8. Extended Incident Management Actions and Activities

  8.1 When a severe cybersecurity incident that requires an Extended Incident Response Team is suspected or confirmed, the appropriate incident management procedures must be followed (Texas A&M Incident Response Plan). The default priority of cybersecurity incident response is containment (not necessarily prosecution) and protection of university information resources.

  8.2 The CISO or designee shall activate the Extended IRT when a severe and wide-reaching incident occurs.

  8.3 Open communications with the information resource owner or designee will be maintained throughout the duration of the incident.

  8.4 Technical information resources support personnel assigned to the Extended IRT are responsible for ensuring that appropriate actions are undertaken, such as, but not limited to, repair, recovery, remediation, and mitigation.

  8.5 The IM and the CISO will coordinate with the university’s communication office to provide information/communication regarding the incident to entities external to the university.

  8.6 The determination to preserve physical and electronic evidence will be made by the IM in consultation with the Office of General Counsel (OGC).

  8.7 If law enforcement is involved, the IM, or their designee, in consultation with OGC, will act as the liaison between UPD, law enforcement, and the university for the duration of the incident.

9. Official Notification

  9.1 When an Extended IRT is formed, the CISO shall notify the TAMUS CISO.

  9.2 The CIO will notify the President of Texas A&M University.

10. After-Action Activities

  10.1 A Root Cause Analysis (RCA) report shall be produced by the Extended IRT as soon as practical after containment and will include:

    10.1.1 Identification of information resources impacted,

    10.1.2 Timeline or sequence of relevant events,

    10.1.3 Analysis of cause,

    10.1.4 Impact, remediation, and recovery,

    10.1.5 Recommendations for mitigations and prevention, and

    10.1.6 Requirements and process for notifications.

  10.2 The CISO shall ensure that “lessons learned” meetings are convened to assist in continuous improvement of the incident response activities.

  10.3 The CISO shall ensure that any reports are submitted as required by state and federal regulations.