IT-17 Interim Standard for IT Security Incident Response


Purpose and scope

This document is intended to provide an organized, well-defined approach for responding to critical IT security incidents affecting electronic information assets at the University. It is a five-step process that loops back onto itself; in this way it is an ever-evolving and improving process that will change over time. This Incident Response Plan shall be implemented by the Chief Information Security Officer (CISO) in coordination with the IT Security Office and the Division of Information Technology (DIT). Additional institution community members, outside contractors, institutional partners, and external agencies will also play a role in the response as necessary.

This Standard for IT Security Incident Response covers the response to security incidents that threaten the confidentiality, integrity, and availability of technology and information, including the University's systems, networks, and media that collect, process, store, and deliver such information. It applies to critical information security incidents of all types and is applicable to employees, contractors, vendors, and other persons and/or organizations that perform technology functions in support of the University, including systems, network, desktop, and applications. All University of Maryland, College Park and University System of Maryland policies, procedures, and guidelines, and all applicable local, state, federal, and international laws and regulations apply to this process.

Authority

Under Section X-1.00(A) of the Consolidated USM and UMD Policies and Procedures (University of Maryland Policy on the Acceptable Use of Information Technology Resources), the VP/CIO or designee is granted authority to protect the campus IT infrastructure from harm as well as to protect the University from liability.

Additionally, the Cybersecurity Policies set forth by the CIO are relevant. See IT Policies, Standards & Guidelines, specifically IT-1, IT-2, IT-4, IT-5, and IT-16.

Reporting an IT Security incident

All University community members must report a suspected IT security incident in a timely manner by contacting the IT Security Operations Center.

E-mail: soc@umd.edu.
Phone: (301) 226-4225.

Contracts with all third-party contractors must include a mandatory requirement that any suspected breaches be reported to the institution in a timely manner. If a University community member becomes aware of a suspected breach involving one of the University's third-party contractors, the community member must report the suspected breach through the reporting channels listed above.

Please Note: Some laws and contractual agreements require specific reporting timelines in order to remain in legal compliance. Where there are specific reporting requirements for particular areas of the University, those areas have specific incident reporting and handling procedures that meet the legal and contractual requirements and dovetail with this University IT security incident handling plan.

Types of incidents and breaches

Following University System of Maryland (USM) recommendations, there are three categories of IT security incidents:

High severity incident

A High Severity Incident is an event that has broad impacts on the University and/or high cost to the University but does not involve a University violation of contractual agreements and/or relevant local, state, federal, or international law. Any information or technical incident that could pose a life safety risk to a member of the University community is a High Severity risk. Any calculation of cost or individual harm must consider factors such as (but not limited to):

Examples of High Severity Incidents include (but are not limited to) ransomware attacks that impact large portions of the University, malware that brings into question the integrity of systems of record, and stolen or misused administrator credentials on critical IT systems.

Medium severity incident

A Medium Severity Incident is an event impacting the University that involves a violation of a relevant contractual agreement; a violation of a relevant local, state, federal, or international law or regulation; or the unauthorized access to or acquisition of personally identifiable information that causes a reasonable risk of harm to an individual whose information was subject to unauthorized access or acquisition. Personally Identifiable Information (PII) is defined in the University of Maryland Privacy Policy - X-15.00(A).

Low severity incident

A Low Severity Incident is an event that impacts the confidentiality, availability, and/or integrity of the University's systems, services, or data, but does not have a broad or costly impact on the University or a major area of the University. Low Severity Incidents must not involve a University violation of contractual agreements and/or local, state, federal, or international laws or regulations. Examples of Low Severity Incidents include (but are not limited to) day-to-day phishing, spyware, adware, misuse of credentials, and/or ransomware that does not have a broad or costly impact on the University.

Incident response team members

As the University operates in a decentralized IT environment model, incidents may require the participation of IT staff from the Division of IT as well as from Unit IT and possibly external participants with various applicable skill sets. In the end, every incident is different and incident management leadership must determine the best people to respond to any given event. Within the University, the following roles are essential in incident management leadership and response.

Chief Information Officer (CIO) - Provides essential executive-level leadership to the management of all campus security and disaster incidents. The CIO provides general oversight and feedback on the handling of Low Severity incidents and plays a direct role in the handling of all Medium and High Severity incidents.

Chief Information Security Officer (CISO) - Ultimately responsible for the preparation, planning, execution, recovery from, and general oversight of all types of incidents. The CISO may delegate tasks and responsibilities and call on other members of the institution as appropriate, but still retains institutional oversight and overall responsibility for the handling and management of all institutional security and disaster incidents.

Chief Data Privacy Officer (CDPO) - Ultimately responsible for ensuring that the University complies with Federal, State, and/or local laws and regulations related to privacy. The Chief Data Privacy Officer will review the incident details and determine if a privacy violation has occurred and if a breach notification needs to be issued.

IT Security Office (ISO) - Serves as the general staffing resource for the handling of all institutional security and disaster incidents. Under the direction of the CISO, the IT Security Office handles all the information security aspects of any incidents and provides overall incident tracking and management effort.

Division of Information Technology (DIT) - Serves as subject matter technical experts and general resources in the response to any types of incidents. The CISO or ISO will determine which technical skills and resources are needed for any particular incident and will call on the directors of each technical area for assistance when needed.

Unit IT Subject Matter Experts (SME) - Since IT is decentralized at the University, many incidents will require assistance and expertise from Unit IT to resolve incidents that occur in Units that are not managed by DIT.

University Subject Matter Experts - Offices that have expertise in particular subject matter areas outside of DIT and the IT Security Office. Institutional offices such as the Office of General Counsel, the University of Maryland Police Department, University Human Resources, Office of Marketing and Communications, Procurement and Business Services, and others could be called on as necessary to assist with an incident.

External Contractors - When particular skills are not available within the University, the University may obtain those skills by establishing contractual relationships with external providers. These external contractual providers have clearly established roles they can fulfill for the institution, have contracts established ahead of an incident occurring, and are ready to assist an institution on very short notice and without procurement delays.

External Partners - Assistance, resources, guidance, and oversight are provided by partners external to the University, such as the University System of Maryland Office, the University System of Maryland Security Council, the Maryland Office of the Attorney General, the University System of Maryland Board of Regents, MDREN, and other local, state, federal, and international groups.

Cyberinsurance Providers - The University System of Maryland, in coordination with the Maryland State Treasurer's Office, holds a cyberinsurance policy that institutions may use to cover the costs and impacts of an incident. The policy also provides external expertise and resources that can assist with the overall handling of an incident.

The incident response process

Preparation

Preparation is fundamental to the success of incident response programs.

Incident response methodologies typically emphasize the proactive and ongoing use of tools, training, and processes necessary for preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Many of the necessary tools and training are available on the IT Security Office website.

One of the recommended preparation practices is for colleges and departments to conduct an annual IT Risk Assessment.

The benefits of conducting an IT Risk Assessment include identifying applicable threats, including organization-specific threats. Each risk is categorized and prioritized to determine whether it can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.

The IT Security Office and the Division of IT conduct the following preparatory steps:

By taking these steps, we are able to prevent incidents and be prepared to address incidents that are unforeseen or unavoidable.

Detection and analysis

Initial reporting and triage of an incident

All members of the University community must promptly report all actual, potential, and suspected security incidents to the IT Security Office through one of the methods listed in the section "Reporting an IT Security incident".

When a suspected security incident is reported, a member of the IT Security Office, under the supervision of the CISO, must promptly:

Resource engagement, investigation and incident processing

Once the reporting and triage are complete and the incident has been designated as Low, Medium, or High Severity, appropriate resources must be engaged, an initial investigation completed, and the incident processed.

During the investigation of any incident, the following should be done when appropriate:

Low severity incident

For a Low Severity incident, the IT Security Office should determine where it needs assistance and engage with its peers within the Division of Information Technology or Unit IT. In concert with DIT/Unit IT, the IT Security Office will handle all the investigation and processing of the incident. If, during the investigation and processing of the incident, it is determined that the scope or legal aspects of the incident are greater than expected and require the incident to be reclassified as a High or Medium Severity incident, the CISO must be notified immediately.

High and medium severity incidents

For High and Medium Severity incidents, the CISO or their designee is responsible for leading the engagement of resources and the investigation and processing of the incident. The CISO needs to determine which resources, both internal and external to the institution, will be needed. Discretion is essential, and engagement of resources must be done only as necessary and with confidentiality in mind. For a High or Medium Severity incident, at a minimum, the CISO will need to engage appropriate people from within the Division of IT; and when enough detail is known to be meaningful, the CISO must notify the CIO, University leadership, and the University System of Maryland CISO. For High Severity incidents, the Office of General Counsel must be immediately notified. In consultation with the Office of General Counsel, it may be necessary for the incident to be managed from this point forward by the Office of General Counsel. For High and Medium Severity incidents, it will likely be necessary to engage law enforcement resources. If an incident involves a contractual relationship, the person(s) responsible for the contractual relationship must be informed and included in the incident management activities.

Documentation of incident records

Security incident details must be recorded as the incident progresses. From the initial report to the final after-action report, the details must be continually updated as information becomes available. Every step taken, every person involved, and the times and dates when everything happens should be meticulously recorded. Once concluded, all security incidents must be archived for future review and long- and short-term trend analysis of details such as:

In addition, when the response involves an investigation of specific individuals, known or unknown, details of the individuals must be recorded and archived such as:

Time tracking

Throughout the course of any incident response, it is critical for the institution to be able to quantify all time spent on the situation. Employees' time allocation is one of the primary factors in determining the cost of an incident. In many cases, where little logical and no physical damage is done to systems, it is the only factor that determines the cost of the security incident. The cost of responding to incidents is an important metric that must be quantified for the following reasons:

Containment

Taking appropriate measures to address the incident

Non-emergency measures

As the investigation proceeds, it will be necessary to put measures in place to interrupt any malicious activity so that eradication and recovery steps can begin. When possible, the measures taken should be the minimum necessary to ensure the malicious activity is stopped while maintaining institutional operations. In order to ensure that the measures are appropriate for the incident, the CISO or their designee must sign off on any containment measures prior to the measures being put in place. If it is necessary to take steps that could dramatically impact institutional operations, the CIO and CISO must review the steps before they are taken. If necessary, the CIO and CISO will notify University leadership and other members of the community as needed.

Emergency measures

If a member of the IT Security Office determines that emergency countermeasures are necessary to avoid significant harm to the institution or an individual, the member should immediately apply the countermeasures and immediately notify the CISO. Examples of an emergency response measure include, but are not limited to, locking an account, implementing firewall rules, disconnecting a system or device from the network, turning off the power to a system, and/or shutting down mission critical systems, services, or network components.

Evidence preservation

When handling the incident, care should be taken to preserve necessary evidence that may be used for University disciplinary actions or criminal proceedings. For Medium and High Severity incidents, evidence will be very important, and its handling should be coordinated with the Office of General Counsel, the University of Maryland Police Department, and other law enforcement agencies. Preserving evidence may require that disk and memory images be taken before systems are powered off or moved. It may also be necessary to leave network connectivity uninterrupted until network traces and statistics are gathered. The IT Security Office and CISO will coordinate the gathering of any necessary evidence with all the appropriate resources.

The evidence gathering and analysis must be performed in a forensically sound manner, with proper chain of custody and proper documentation of the evidence gathering process. This is especially important if the evidence will later be used in a court of law. Once the evidence is gathered, chain of custody and protecting the evidence are essential. Evidence can be easily contaminated either accidentally or intentionally. The CISO, in concert with University leadership, the Office of General Counsel, the University of Maryland Police Department, and other law enforcement agencies, may consider the use of specialized technical assistance and advice from a third-party forensic expert to ensure the evidence is gathered and preserved in a forensically sound manner. A forensic expert should be used when there is a need to extract information from the compromised system(s) without altering the original data, and when it is necessary to ensure the admissibility of evidence.

At times, the severity or cause of an incident may prompt the University's leadership to seek either criminal prosecution or civil litigation. In this situation, the capabilities of the University's employees may not be adequate to appropriately conduct a technical investigation of the security incident. If the University decides that an incident requires a more detailed technical investigation, an external firm specializing in forensic incident response and digital media forensics should be engaged. Such a forensic investigation must be performed by a third-party forensic analyst with the appropriate certifications and in a manner that is consistent with industry standards.

Communications during response process

The CISO, in concert with University leadership, must determine whether communications to employees, customers, any regulatory or law enforcement bodies, or any other third party are required or desirable during the security incident response process. All external communications must be approved by the CISO and/or CIO, the Office of General Counsel, and the Office of Marketing and Communications.

The media

If information concerning security incidents at the University becomes public, various print and/or broadcast media representatives may inquire about the situation. No information concerning security incidents will be released to the media representatives without direct guidance from the CISO, the CIO, the Office of General Counsel, and the Office of Marketing and Communications.

Compliance with breach notification obligations

Most states, and some territories, have breach notification statutes that require notice to residents of those states or territories when certain confidential information regarding those individuals is exposed to unauthorized third parties. While the specifics of each of these breach notification statutes vary by jurisdiction, they typically require the business that maintains such personal information to disclose any security breach to the individuals whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person. They may also require notice to law enforcement, state or federal agencies, and the media.

If PII regarding faculty, staff, students, or other individuals was, or potentially was, exposed by the security incident, the CISO or their designee, in consultation with the Office of General Counsel, must determine whether notification is required under applicable breach notification statutes or other federal or state laws or regulations. If confidential information has been breached, notification must also be made to the University System of Maryland CISO.

Many institutional contracts, data use agreements, and partnering agreements also require reporting at various points during the incident process (suspected incident, incident, suspected breach, or breach). Contracts and agreements typically include mandatory reporting times and stipulate how reports are required to be made. Employees with responsibility for relationships involving contracts and agreements must ensure that any notification requirements are met when an incident occurs.

Eradication & recovery

One of the primary purposes of this plan is to ensure an efficient recovery from security incidents. Once the security incident is contained and eradicated, the CISO, in concert with the IT Security Office and the Division of IT and/or Unit IT, will work collaboratively to restore the systems, files, and other affected elements to normal operation. Upon completion of the incident response activities, care must be taken to ensure that all affected systems are re-deployed into production in a safe and appropriate manner. The following guidelines are provided as recommendations for best practices.

Once the affected systems, files, and/or property have been restored, they should be tested to make sure they are no longer vulnerable to the type of attack or problem that caused the incident. Computer systems should also be tested to ensure they will function correctly when placed back into production or on the network. However, care must be taken to ensure that no relevant evidence is destroyed in the process.

Post-incident activity

Final findings report

At the conclusion of each security incident, all details of the incident must be documented in the University's IT security incident management system. A full written report must be compiled for all Medium and High Severity incidents in addition to the information documented in the IT security incident management system. The written report must include the following:

Preparation feedback loop

Once the Final Findings Report is complete, the lessons learned, steps taken, and an overall view of how the incident handling process performed must be looped back to the preparation step to ensure that the institution is prepared to handle future incidents more effectively and efficiently. This feedback loop should inform adjustments that are needed from a process, policy, and procedure perspective as well as from a technical and risk perspective. For Low Severity incidents, this review will take the form of periodic reporting, at least quarterly, of the incidents that have been recorded. For Medium and High Severity incidents, this will typically take the form of a meeting of the University leadership, CIO, CISO, IT Security Office, and other relevant community members that participated in the incident.

Confidentiality

All information pertaining to security incidents, including but not limited to the fact that an incident occurred and the details regarding the security incident, is considered confidential information and must be safeguarded against unauthorized access, unless and until it is made publicly available by the University with the approval of the CISO and/or CIO. Investigations can be compromised through inappropriate disclosure of pertinent information. Investigative information should be shared only with people who have an institutional need to know. All internal communications concerning security incidents must be conducted in an efficient and secure manner. The following guidelines pertain to all internal communications.

Life safety

As more and more of the University's technological systems are tied to the University's physical systems and our information becomes essential for everyday life, technological incidents could impact the physical safety and health of our communities. If, at any point, it becomes known to anyone that an incident could pose a life safety risk, the University's CIO and CISO must be immediately notified. If there is ever a conflict between the handling of an incident and life safety, life safety must take priority over all other parts of the incident handling process.