Description

The purpose of this Control is to provide the basis of effective and appropriate response to incidents that threaten the confidentiality, integrity, and availability of university information resources. The Incident Response Plan provides the procedures for this response, and ensures roles and responsibilities are clearly defined.

Applicability

  • This Control applies to the university Chief Information Security Officer.

Implementation

  • 1

    Priorities for handling information security incidents are as follows

    • 1.1

      Protection of human life and safety;

    • 1.2

      Protection of university data;

    • 1.3

      Prevention of damage to systems and restoration of systems to routine operation as quickly as possible; and

    • 1.4

      Collection and analysis of information to determine if a violation of TAMU’s Information Security Policies or the commission of a computer crime has occurred.

  • 2

    SECURITY OPERATIONS TEAM

    • 2.1

      Security Operations (SecOps) is a team of experienced security professionals and technicians with the authority and expertise to resolve a system incident. Security Operations reports into the Office of the CISO as part of the Texas A&M University Technology Services.

    • 2.2

      When a possible information security incident is reported, Security Operations shall investigate the incident, analyze available data, and resolve the incident. Data collected during the investigation shall be maintained as needed in order to:

      • 2.2.1

        assess changes necessary to avoid future incidents,

      • 2.2.2

        categorize the incident for reporting purposes, and

      • 2.2.3

        identify responsible parties.

  • 3

    INCIDENT RESPONSE PLAN

    • 3.1

      The Incident Response Plan shall provide a roadmap for implementing incident response procedures in response to a significant security incident.

    • 3.2

      Security Operations is responsible for developing, periodically updating, and regularly testing the Incident Response Plan in cooperation with the CIO and CISO.

    • 3.3

      The Incident Response Plan must contain the following elements:

      • 3.3.1

        Roles and responsibilities for staff and management support needed to effectively respond to significant security events.

      • 3.3.2

        Incident response procedures that vary based on the impact level of information resources involved in significant security incidents.

      • 3.3.3

        Stakeholder notification and participation plan based on the impact level of information resources involved in significant security incidents.

      • 3.3.4

        Metrics for measuring the response capability of Security Operations.

    • 3.4

      The Incident Response Plan shall be tested, at least annually, with tabletop exercises or other means to review and refine incident response procedures.

      • 3.4.1

        Annual testing shall identify lessons learned for continuous improvement of incident response procedures.