
1.       OVERVIEW

Critical incidents will occur that require the full participation of OIT technical personnel, physical security, and College leadership to properly manage the outcome. To accomplish this, OIT will establish critical incident response procedures that ensure appropriate leadership and technical resources are involved to:

         Assess the seriousness of an incident.

         Assess the extent of damage.

         Identify the vulnerability created.

         Estimate what additional resources are required to mitigate the incident.

 

It will also ensure that proper follow-up reporting occurs and that procedures are adjusted so that responses to future incidents are improved.

 

A rapid response to incidents that threaten the confidentiality, integrity, and availability of College information assets, information systems, and the networks that deliver the information, is required to protect those assets. Without a rapid response, those assets could be compromised and the College could be in violation of Federal, State, and Local statutes, in violation of its own stated policies, and in violation of trust endowed by its constituents.

 

2.       PURPOSE

The purpose of this policy is to provide the basis of appropriate response to incidents that threaten the confidentiality, integrity, and availability of College information assets, information systems, and the networks that deliver the information. This policy underlies the establishment and ongoing deployment of trained emergency response teams, formed with the purpose of managing the aforementioned incidents at the College. This effort is being taken to improve the response time to incidents, to provide consistent response, and improve incident reporting.

 

3.       SCOPE

3.1.     This policy applies to the Office of Information Technology and all systems and services for which it is responsible.

Nothing in this Incident Response Policy and Procedures document should be taken to be in conflict with the following higher level policies:

 

         College Security Policy

         Acceptable Use Policy

         Federal/State mandates

         Memoranda from the College Attorney

 

3.2.     These policies and procedures specifically exclude the following:

         Non-electronic information including paper mail.

         Physical security.

         Contingency planning, business continuity and disaster recovery. Disasters are governed by a different set of policies and declared by a different governing body than Critical Incidents. An event may initially be declared a ‘Critical Incident’ and subsequently declared to be a ‘Disaster’ by the appropriate body. In this case, a critical incident response team would be subsumed into the Disaster Recovery process.


 

4.       DEFINITION OF CRITICAL INCIDENTS AND THEIR CONSEQUENCES WITHIN THE CONTEXT OF THE COLLEGE

An incident is any adverse event that threatens the confidentiality, integrity, or availability of College information assets, information systems, and the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is an incident.

 

Adverse events may also be incidents and may include denial-of-service attacks, loss of accountability, or damage to any part of the system. Examples include the insertion of malicious code (e.g. viruses, Trojan horses, or backdoors), unauthorized scans or probes, successful and unsuccessful intrusions, and insider attacks.

 

Incidents as defined above vary in their impact on the College and in the degree of threat they pose; consequently, not all incidents require the same response. Incidents with high impact and high threat involve high risk and great vulnerability to the College; such high-risk incidents are called ‘critical incidents’ and require that a Computer Emergency Response Team (CERT) be assembled to apply the appropriate response. An incident can only be declared “critical” by the College CSO or rightful designee. The CSO or rightful designee will activate the CERT in the event of such a declaration.

 

4.1.     Notification

         Faculty, staff, students, contractors, consultants, temporaries, and other workers at HCC, including all personnel affiliated with third parties using HCC information technology resources, should notify the OIT Help Desk immediately of any real or suspected security incident.

         Criminal activity or immediate risks to the safety of individuals should be reported to the College Public Safety Office or 911 immediately.

 

4.2.     Process

         A process for incident response will be developed and published as a separate document.

         Any response to an incident should proceed in accordance with the published incident response process.

 

5.       DEFINITION OF APPROPRIATE RESPONSE TO CRITICAL INCIDENTS

The following items define appropriate responses of a CERT to a critical incident.

         Determine the extent of the incident

         Assume control of the incident and involve appropriate personnel, as conditions require

         Report to the CSO for the decision on how to proceed

         Document all actions and results

         Begin interviews

         Contain the incident before it spreads

         Collect as much accurate and timely information as possible

         Initiate a chain of custody of evidence

         Preserve evidence

         Protect the rights of clients, employees, and others, as established by law, regulations, and policies

         Minimize business interruptions within the organization

         Restore the system

         Conduct a post-incident critique

         Revise the response as required

 

6.       ORGANIZATIONAL STRUCTURE AND DELINEATION OF ROLES, RESPONSIBILITIES AND LEVELS OF AUTHORITY.

6.1.    Summary of Responsibilities

         CIO - The Chief Information Officer (CIO) is responsible for the administration and leadership of all administrative technology; oversight includes fiscal responsibility and setting the vision, mission and strategies for moving the institution forward in a competitive, technology-rich higher education environment. The CIO will communicate the status of critical incidents to the College leadership.

 

         CISO - The Chief Security Officer (CISO) is responsible for the security of all electronic data and telecommunications equipment and traffic. The CISO has sole authority to declare a critical incident and form a CERT.

 

The CISO will communicate to the CIO that a critical incident has been declared and a CERT formed. The CISO will also communicate the status of critical incidents to the CIO, select and train incident response team members/coordinators, and develop and promote policies and procedures.

 

         CERTC - The Computer Emergency Response Team Coordinator (CERTC) is an individual who is selected to oversee and direct the Computer Emergency Response Team actions as well as to act as the single point of contact for the given incident. The CERTC will typically also be responsible for ensuring that specific information is communicated to the CISO in a timely fashion and that all evidence is preserved as indicated by policy.

 

         CERT – The Computer Emergency Response Team (CERT) is a group of individuals who have been trained in incident management, each having distinct response roles. The CERT works under the direction of the CERTC.

 

         Supporting Groups – Any other group or individual that may be involved with or asked to help in an incident response. These groups or individuals will provide technical and other assistance to the CERT as requested.

 

7.       CLOSURE

Once an affected system is contained, the problem is eradicated, or the system is no longer needed for forensic discovery, the CERTC will forward a “Redeployment Request” form to the CSO to place the system back in production. The CSO will have sole discretion in the decision to place a system back into production once it has been taken out due to a critical incident. Attached to the “Redeployment Request” form will be a “Lessons Learned” form outlining what did and did not go well.

 

8.       DEFINITIONS

 

Term: Definition

Confidentiality: Confidentiality provides the ability to ensure that the necessary level of secrecy is enforced at each junction of data processing and that unauthorized disclosure is prevented. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Integrity: Integrity is upheld when the accuracy and reliability of information and systems is assured, and unauthorized modification of data is prevented.

Availability: Systems and networks should provide adequate capacity in order to perform in a predictable manner with an acceptable level of performance.

Vulnerability: A vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited.

Threat: A threat is any potential danger to information systems. The threat is that someone or something will identify a specific vulnerability and use it against the organization or individual.

Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability. A risk is the possibility and probability that a threat agent will exploit a vulnerability.

Exposure: An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages.

 

 

9.       REVISION HISTORY

Date          Description                     Author
06/16/2009    Initial policy draft.           OIT
07/01/2010    Official Policy designation     Gorham, Stephen