IT-17 Interim Standard for IT Security Incident Response - - IT Service Desk

IT-17 Interim Standard for IT Security Incident Response

Purpose and scope

This document is intended to provide an organized, well-defined approach for responding to critical IT security incidents affecting electronic information assets at the University. It is a five-step process that loops back onto itself. In this way, it is an ever evolving and improving process that will change over time. This Incident Response Plan shall be implemented by the Chief Information Security Officer (CISO) in coordination with the IT Security Office and the Division of Information Technology (DIT). Additional institution community members, outside contractors, institutional partners, and external agencies will also play a role in the response as necessary.

This Standard for IT Security Incident Response covers the response to security incidents that threaten the confidentiality, integrity, and availability of technology and information, including the University's systems, networks, and media that collect, process, store, and deliver such information. It applies to critical information security incidents of all types and is applicable to employees, contractors, vendors, and other persons and/or organizations that perform technology functions in support of the University, including systems, network, desktop, and applications. All University of Maryland, College Park and University System of Maryland policies, procedures, and guidelines, and all applicable local, state, federal, and international laws and regulations apply to this process.

Authority

Under Section X-1.00(A) of the Consolidated USM and UMD Policies and Procedures (University of Maryland Policy on the Acceptable Use of Information Technology Resources ). The VP/CIO or designee is granted authority to protect the campus IT infrastructure from harm as well as protecting the University from liability.

Additionally the Cybersecurity Policies set forth by the CIO are also relevant. See IT Policies, Standards & Guidelines, specifically IT-1, IT-2, IT-4, IT-5, IT-16.

Reporting an IT Security incident

All University community members must report a suspected IT security incident in a timely manner by contacting the IT Security Operations Center.

E-mail: soc@umd.edu.
Phone: (301) 226-4225.

Contracts with all 3rd Party Contractors must include a mandatory requirement that any suspected breaches be reported to the institution in a timely manner. If a University community member becomes aware of a suspected breach involving one of the University's 3rd party contractors, the community member must report the suspected breach through the reporting channels listed above.

Please Note: Some laws and contractual agreements require specific reporting timelines in order to remain in legal compliance. Where there are specific reporting requirements for particular areas of the University, those areas have specific incident reporting and handling procedures that meet the legal and contractual requirements and dovetail with this University IT security incident handling plan.

Types of incidents and breaches

Following University System of Maryland (USM) recommendations, there are 3 categories of IT security incidents:

High severity incident

A High Severity Incident is an event that has broad impacts on the University and/or high cost to the University but does not involve the University violation of contractual agreements and/or relevant local, state, federal or international law. Any information or technical incidents that could pose a life safety risk to a member of the University community are High Severity risks. Any calculations of cost or individual harm must consider factors such as (but not limited to):

Impact to the operation of the University
Financial impact,
Reputational impact
Impacts to University resources
Broad impacts to confidentiality, availability, and/or integrity.
Tangible and intangible impacts to an individual.

Examples of High Severity Incidents include (but are not limited to) ransomware attacks that impact large portions of the entire University, malware that brings into question the integrity of systems of record, stolen/misused administrator credentials on critical IT systems.

Medium severity incident

A Medium Severity Incident is an event that impacts the University that involves a violation of a relevant contractual agreement; violation of a relevant local, state, federal, or international law or regulation; or involves the unauthorized access to or acquisition of personally identifiable information that causes a reasonable risk of harm to an individual whose information was subject to unauthorized access or acquisition. Personally Identifiable Information (PII) is defined in the University of Maryland Privacy Policy - X-15.00(A).

Low severity incident

A Low Severity Incident is an event that impacts the confidentiality, availability, and/or integrity of the University's systems, services, or data; but does not have a broad or costly impact on the University or a major area of the University. Low Severity Incidents must not involve a University violation of contractual agreements and/or local, state, federal, or international laws or regulations. Examples of Low Severity Incidents include (but are not limited to) day-to-day phishing, spyware, adware, misuse of credentials, and/or ransomware that does not have a broad or costly impact on the University.

Incident response team members

As the University operates in a decentralized IT environment model, incidents may require the participation of IT staff from the Division of IT as well as from Unit IT and possibly external participants with various applicable skill sets. In the end, every incident is different and incident management leadership must determine the best people to respond to any given event. Within the University, the following roles are essential in incident management leadership and response.

Chief Information Officer (CIO) - Provides essential executive-level leadership to the management of all campus security and disaster incidents. The CIO provides general oversight and feedback on the handling of Low Severity incidents and plays a direct role in the handling of all Medium and High Severity incidents.

Chief Information Security Officer (CISO) - Ultimately responsible for the preparation, planning, execution, recovery from, and general oversight of all types of incidents. The CISO may delegate tasks and responsibilities and call on other members of the institution as appropriate; but still retains institutional oversight and overall responsibility for the overall handling and management of all institutional security and disaster incidents.

Chief Data Privacy Officer (CDPO) - Ultimately responsible for ensuring that the University complies with Federal, State, and/or local laws and regulations related to privacy. The Chief Data Privacy Officer will review the incident details and determine if a privacy violation has occurred and if a breach notification needs to be issued.

IT Security Office (ISO) - Serves as the general staffing resource for the handling of all institutional security and disaster incidents. Under the direction of the CISO, the IT Security Office handles all the information security aspects of any incidents and provides overall incident tracking and management effort.

Division of Information Technology (DIT) - Serves as subject matter technical experts and general resources in the response to any types of incidents. The CISO or ISO will determine which technical skills and resources are needed for any particular incident and will call on the directors of each technical area for assistance when needed.

Unit IT Subject Matter Experts (SME) - Since IT is decentralized at the University, many incidents will require assistance and expertise from Unit IT to resolve incidents that occur in Units that are not managed by DIT.

University Subject Matter Experts - Offices that have expertise in particular subject matter areas outside of DIT and the IT Security Office. Institutional offices such as the Office of General Counsel, the University of Maryland Police Department, University Human Resources, Office of Marketing and Communications, Procurement and Business Services, and others could be called on as necessary to assist with an incident.

External Contractors - When particular skills are not available within the University, the University may obtain those skills by establishing contractual relationships with external providers. These external contractual providers have clearly established roles they can fulfill for the institution, have contracts established ahead of an incident occurring, and are ready to assist an institution on very short notice and without procurement delays.

External Partners - External to the University; assistance, resources, guidance, and oversight are provided by external partners such as the University System of Maryland Office, the University System of Maryland Security Council, the Maryland Office of the Attorney General, the University System of Maryland Board of Regents, MDREN, and other local, state, federal, and international groups.

Cyberinsurance Providers - The University System of Maryland, in coordination with the Maryland State Treasurer's Office, holds a cyberinsurance policy that institutions may use to cover the costs and impacts of an incident. The policy also provides external expertise and resources that can assist with the overall handling of an incident.

The incident response process

Preparation

Preparation is fundamental to the success of incident response programs.

Incident response methodologies typically emphasize the proactive and ongoing use of tools, training, and processes necessary for preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.

Many of the necessary tools and training are available on the IT Security Office website.

One of the recommended preparation practices is for colleges and departments to conduct an annual IT Risk assessment.

The benefits of conducting an IT Risk Assessment include identifying applicable threats, including organization-specific threats. Each risk is categorized and prioritized to determine if risk can be mitigated, transferred, or accepted until a reasonable overall level of risk is reached. Another benefit of conducting risk assessments regularly is that critical resources are identified, allowing staff to emphasize monitoring and response activities for those resources.

The IT Security Office and the Division of IT conduct the following preparatory steps:

Following and adopting the security best practices for the technologies we operate.
Analyzing the types of incidents that have been impacting the University and our institutional peers looking for trends and commonalities between the incidents and determining if there are steps that could be taken to avoid incidents.
Reviewing the vulnerabilities in our systems and taking steps to compensate for the weaknesses.
Engaging external penetration testers to highlight vulnerabilities that we haven't noticed.
Running simulations and tabletop drills to practice incident response with all the parties who could be involved in an IT security incident.

By taking these steps, we are able to prevent incidents and be prepared to address incidents that are unforeseen or unavoidable.

Detection and analysis

Initial reporting and triage of an incident

All members of the University community must promptly report all actual, potential and suspected security incidents to the IT Security Office through one of the methods listed in the section "Reporting an IT Security Incident".

When a suspected security incident is reported, a member of the IT Security Office, under the supervision of the CISO, must promptly:

Gather initial incident details, as appropriate under the Institution Incident Standard Operating Procedures for the incident type;
As appropriate, assign it a unique tracking ID number;
Conduct an initial investigation/evaluation of the incident;
Determine if emergency countermeasures are necessary to halt further risk and spread of the incident;
Assign the incident an incident type (High, Medium, Low); and
For High and Medium incidents, inform the CISO immediately.

Resource engagement, investigation and incident processing

Once the reporting and triage are complete, and the incident has been designated as a Low, Medium, or High Severity; appropriate resources need to be engaged, an initial investigation needs to be completed, and the incident needs to be processed.

During the investigation of any incident, the following should be done when appropriate:

Determine the nature of the attack or event, point of origin, and the intent of any perpetrator(s);
Identify the systems, processes, files, databases, and information affected, or potentially affected, and their sensitivity;
If sensitive information was involved in the incident, determine if the information was accessed or exfiltrated;
Determine if any people were harmed (physically or otherwise) due to the incident;
Determine if the attack or event was intentional and/or malicious, or whether it was the result of negligence, inadvertence, or some other non-malicious cause; and
Determine if the attack or event was specifically directed at the institution to acquire specific information or if the attack was random.

Low severity incident

For a Low Severity incident, the IT Security Office should determine where they need assistance and engage with their peers within the Division of Information Technology or Unit IT. In concert with DIT/Unit IT, the IT Security Office will handle all the investigation and processing of the incident. If during the investigation and processing of the incident, it is determined that the scope or legal aspects of the incident are greater than expected and require the incident to be reclassified as a High and Medium Severity incident, the CISO must be notified immediately.

High and medium severity incidents

For High and Medium Severity incidents, the CISO or their designee is responsible for leading the engagement of resources and the investigation and processing of the incident. The CISO needs to determine which resources, both internal and external to the institution, will be needed. Discretion is essential and engagement of resources must be done only as necessary and with confidentiality in mind. For a High and Medium Severity incident, at a minimum, the CISO will need to engage appropriate people from within the Division of IT; and when enough detail is known to be meaningful, the CISO must notify the CIO, University leadership, and the University System of Maryland CISO. For High Severity incidents, the Office of General Counsel must be immediately notified. In consultation with the Office of General Counsel, it may be necessary for the incident to be managed from this point forward by the Office of General Counsel. For High and Medium Severity incidents, it will likely be necessary to engage law enforcement resources. If an incident involves a contractual relationship, the person(s) responsible for the contractual relationship needs to be informed and included in the incident management activities.

Documentation of incident records

Security incident details must be recorded as the incident progresses. From the initial report to the final after action report, the details must be continually updated as information becomes available. Every step taken, every person involved, and the times and dates when everything happens should be meticulously recorded. Once concluded, all security incidents must be archived for future review and long and short-term trend analysis of details such as:

Internal and external vulnerabilities,
Targeted systems,
Originating hosts, domains and networks,
Techniques used during attacks, and
Procedural or administrative problems that facilitated the Security Incident.

In addition, when the response involves an investigation of specific individuals, known or unknown, details of the individuals must be recorded and archived such as:

Records of any evidence gathered in the investigation, along with source and custody information,
Records of all persons or other entities external to the IT Security Office to whom evidence or other relevant information has been provided, along with chain-of-custody information as appropriate,
Records of all subjects, known or unknown of the investigation,
Reports of evidence gathering, evidence analyses, and any conclusions drawn, regardless of delivery to persons or entities external to the IT Security Office.

Time tracking

Throughout the course of any incident response, it is critical for the institution to be able to quantify all time spent on the situation. Employees' time allocation is one of the primary factors in determining the cost of an incident. In many cases, where little logical and no physical damage is done to systems, it is the only factor that determines the cost of the security incident. The cost of responding to incidents is an important metric that must be quantified for the following reasons:

University leadership must understand the costs associated with Information Technology, and Information Security for budget planning and analysis.
The CISO and CIO, with the assistance of the IT leadership team, must be aware of the costs associated with incidents to evaluate potential capital expenditures and the expected ROI for products or services designed to reduce the number or severity of security incidents.
Law Enforcement organizations generally require a cost threshold to be met prior to committing their resources to any investigation.

Containment

Taking appropriate measures to address the incident

Non-emergency measures

As the investigation proceeds, it will be necessary to put measures in place to interrupt any malicious activity so that eradication and recovery steps can begin. When possible, the measures taken should be the minimum necessary to ensure the malicious activity is stopped while maintaining institutional operations. In order to ensure that the measures are appropriate for the incident, the CISO or their designee must sign off on any containment measures prior to the measures being put in place. If it is necessary to take steps that could dramatically impact institutional operations, the CIO and CISO must review the steps before they are taken. If necessary, the CIO and CISO will notify University leadership and other members of the community as needed.

Emergency measures

If a member of the IT Security Office determines that emergency countermeasures are necessary to avoid significant harm to the institution or an individual, the member should immediately apply the countermeasures and immediately notify the CISO. Examples of an emergency response measure include, but are not limited to, locking an account, implementing firewall rules, disconnecting a system or device from the network, turning off the power to a system, and/or shutting down mission critical systems, services, or network components.

Evidence preservation

When handling the incident care should be taken to preserve necessary evidence that may be utilized for University disciplinary actions or criminal proceedings. For Medium and High Severity incidents evidence will be very important and should be coordinated with the Office of General Counsel, the University of Maryland Police Department, and other law enforcement agencies. Preserving evidence may require that disk and memory images be taken before systems are powered off or moved. It may also be necessary to not interrupt network connectivity until network traces and statistics are gathered. The IT Security Office and CISO will coordinate the gathering of any necessary evidence with all the appropriate resources.

The evidence gathering and analysis must be performed in a forensically sound manner, with proper chain of custody and proper documentation of the evidence gathering process. This is especially important if the evidence will later be used in a court of law. Once the evidence is gathered, chain-of-custody and protecting the evidence is essential. Evidence can be easily contaminated either accidentally or intentionally. The CISO, in concert with University leadership, the Office of General Counsel, the University of Maryland Police Department, and other law enforcement agencies, may consider the use of specialized technical assistance and advice from a third-party forensic expert to ensure the evidence is gathered and preserved in a forensically sound manner. A forensic expert should be used when there is a need to extract information from the compromised system(s) without altering the original data, and when it is necessary to ensure the admissibility of evidence.

At times, the severity or cause of an incident may prompt the University's leadership to seek either criminal prosecution or civil litigation. In this situation, the capabilities of the University's employees may not be adequate to appropriately conduct a technical investigation of the security incident. If the University decides that an incident requires a more detailed technical investigation, an external firm specializing in forensic incident response and digital media forensics should be engaged. Such forensic investigation must be performed by a third-party forensic analyst with the appropriate certifications and in a manner that is consistent with industry standards.

Communications during response process

The CISO, in concert with University leadership, must determine if communications to employees, customers, any regulatory or law enforcement bodies, or any other third party is required or desirable during the security incident response process. All external communications must be approved by the CISO and/or CIO, the Office of General Counsel, and the Office of Marketing and Communications.

The media

If information concerning security incidents at the University becomes public, various print and/or broadcast media representatives may inquire about the situation. No information concerning security incidents will be released to the media representatives without direct guidance from the CISO, the CIO, the Office of General Counsel, and the Office of Marketing and Communications.

Compliance with breach notification obligations

Most states, and some territories, have breach notification statutes that require notice to residents of these states or territories when certain confidential information regarding those individuals is exposed to unauthorized third parties. While the specifics of each of these breach notification statutes vary by jurisdiction, they typically require the business that maintains such personal information to disclose any security breach to the individuals whose personal information was, or is reasonably believed to have been, acquired or accessed by an unauthorized person. They may also require notice to law enforcement, state or federal agencies, and the media as well.

If PII regarding faculty, staff, students, or other individuals was, or potentially was, exposed by the security incident, the CISO or their designee, in consultation with the Office of General Counsel, must determine whether notification is required under applicable breach notification statutes or other federal or state laws or regulations. If confidential information has been breached, notification must also be made to the University System of Maryland CISO.

Many institutional contracts, data use agreements, and partnering agreements also require reporting at various points during the incident process (suspected incident, incident, suspected breach, or breach). Contracts and agreements typically include mandatory reporting times and stipulate how reports are required to be made. Employees with responsibility for relationships involving contracts and agreements must ensure that any notification requirements are met when an incident occurs.

Eradication & recovery

One of the primary purposes of this plan is to ensure an efficient recovery from security incidents. Once the security incident is contained and eradicated, the CISO, in concert with the IT Security Office and the Division of IT and/or Unit IT, will work collaboratively to restore the systems, files, and other affected elements to normal operation. Upon completion of the incident response activities, care must be taken to ensure that all affected systems are re-deployed into production in a safe and appropriate manner. The following guidelines are provided as recommendations for best practices.

When possible, wipe the storage of any affected machines before reinstallation (See NIST SP 800-88);
Replace disks with new media when wiping is not possible;
Rebuild operating systems and system applications from original manufacturer media or known good University-maintained builds;
Restore system data from last known (verifiably) clean backup media;
Recreate user accounts based on documented approved user lists;
All restored users must be approved by the system or application owners;
Change all passwords for all users on rebuilt systems;
Review all system configuration parameters and ensure they are configured in accordance with documented and approved University configuration guidelines;
Coordinate all incident recovery operations with all affected system administration personnel, this is critical to ensure appropriate testing;
Test all systems and applications recovered;
If network devices are affected, ensure that any security specific configuration parameters (firewall rule sets, router logging configurations) are appropriately configured according to documented and approved network configuration guidelines;
Notify all affected users that all recovery operations are complete and that the rebuilt systems have been tested and accepted.

Once the affected systems, files, and/or property have been restored, they should be tested to make sure they are no longer vulnerable to the type of attack or problem that caused the Incident. Computer systems should also be tested to ensure they will function correctly when placed back into production or on the network. However, care must be taken to ensure that no relevant evidence is destroyed in the process.

Post-incident activity

Final findings report

At the conclusion of each security incident all details of the incident must be documented in the University's IT security incident management system. A full written report must be compiled for all Medium and High Severity incidents in addition to the information documented in the IT security incident management system. The written report must include the following:

A full description of the incident.
The detailed timeline of the incident.
A cost estimate for the incident.
An analysis of the vulnerabilities that were exploited during the incident.
A listing of the people and organizations affected by or involved in responding to the incident. Individual names of persons whose personal data was affected by the incident need not be included.
An accounting of any lessons learned, and analysis of steps taken to avoid similar incidents in the future.

Preparation feedback loop

Once the Final Findings Report is complete, the lessons learned, steps taken, and an overall view of how the incident handling process performed must be looped back to the preparation step to ensure that the institution is prepared to handle future incidents more effectively and efficiently. This feedback loop should inform adjustments that are needed from a process, policy, and procedure perspective as well as technical and risk perspective. For Low Severity incidents, this review will take the form of periodic reporting of the incidents that have been recorded on at least a quarterly basis. For Medium and High Severity incidents, this will typically take the form of a meeting of the University leadership, CIO, CISO, IT Security Office, and relevant other community members that participated in the incident.

Confidentiality

All information pertaining to security incidents, including but not limited to the fact that an incident occurred and the details regarding the security incident, are considered confidential information and must be safeguarded against unauthorized access, unless and until it is made publicly available by the University with the approval of the CISO and/or CIO. Investigations can be compromised through inappropriate disclosure of pertinent information. Investigative information should be shared only to people with an institutional need to know. All internal communications concerning security incidents must be conducted in an efficient and secure manner. The following guidelines pertain to all internal communications.

All employees provided with any information regarding a security incident must have a legitimate need to know.
Phone conversations should be protected from unauthorized ambient eavesdropping.
The number of employees involved should be limited to the lowest number required to respond efficiently and appropriately to the situation.
Only approved secure communications channels may be used for internal incident communications.
All external communications must be approved by the CISO, CIO,the Office of General Counsel, and the Office of Marketing and Communications.

Life safety

As more and more of the University's technological systems are tied to the University's physical systems and our information becomes essential for everyday life, technological incidents could impact the physical safety and health of our communities. If at any point, it becomes known to anyone that an incident could pose a life safety risk, the University's CIO and CISO must be immediately notified. If there is ever a conflict between the handling of an incident and life safety, life safety must take priority over all other parts of the incident handling process.