Computer Security Incident Response Standard

Introduction

Portland State University’s Office of Information Technology must be able to respond to computer security-related incidents in a manner that protects its own information and helps to protect the information of others that might be affected by an incident.

As such, Portland State University’s Office of Information Technology has established this Computer Security Incident Response Plan to address computer security incidents including theft, misuse of data, network or facility intrusions, hostile probes, and malicious software.

Purpose and Applicability

This plan is applicable to all Portland State University systems, system administrators, and users of privileged systems or data. 

Standards and Procedures

Planning

The Information Security Team (SEC) and Information Security Operations Coordination Team (SEC-OPS) will work together to establish and maintain Standard Operating Procedures (SOP) for security incidents — including but not limited to common indicators of compromise and reporting SOPs — and to publish, promulgate, and educate responsible parties on these practices.

When a suspicious event has occurred

The user, administrator, or supervisor who discovers suspicious activity should investigate briefly. If suspicion is well-founded or indeterminate, the discoverer should notify a member of the SEC Team of the suspicious event immediately and start an event log, capturing any pertinent details to assist the investigation. If there is any reason to suspect that Personally Identifiable Information (PII) has been released or compromised, immediately contact the SEC Team, which will also notify the Data Protection Officer (DPO). The discoverer must provide a verbal or written report to the SEC Team within one working day of the initial suspicion.

Handling an incident

The SEC Team will designate an incident handler and supervise or conduct subsequent investigation and remediation and will enter the incident into the event log. The ISO/ISA, incident handler, and any other principals will work with the security team to evaluate the incident, classify the incident, identify if PII is involved, formulate a response plan (or engage any event-specific SOP), and review any response plan. The CISO will provide oversight of response, keep appropriate management apprised of the investigation, and assist with coordination. A written preliminary report must be submitted by the incident handler and ISO/ISA to the SEC Team and CISO (i.e. an email to the SEC Team) within two working days.

Sharing information on an incident

All information about the discovery, investigation, or remediation of an incident should be shared only on a need-to-know basis and within trusted communities of information security practitioners to ensure the integrity of the investigation and any significantly impacted system or data until the response plan has been completed. Any inquiries from external entities about a specific incident should be routed to the CIO who may work with University Communications or Office of General Counsel as appropriate to provide a response.

Classifying an Incident by Severity

In general, severity is dictated by the number of records impacted, the type of records, and the effects on system availability. In some cases, a single record or a small record set may have a high impact, and a severe availability impact on a low-significance system may also warrant a high severity classification.

Low

An incident is of low severity if initial suspicions cannot be supported or the impacted systems or data are unimportant or extraordinarily limited in scope.

Medium

An incident is of medium severity if an adverse event affecting important systems or restricted or confidential data is suspected to have occurred affecting a limited to moderate scope of systems or data.

High

An incident is of high severity if an adverse event affecting important systems or restricted or confidential data (such as PII) is suspected to have occurred with an extensive scope of systems or data.

Designation as a disaster

In certain extraordinary incidents of any severity where a system may be unavailable for an extended time due to the needs of an investigation or the nature of the incident, the CISO or CIO may declare the incident to also be a disaster and engage the disaster recovery plans or mechanisms available for the affected system.

Final report

Within five working days of the resolution of an incident classified as high severity by the CISO or CIO, a written final report must be submitted to the SEC Team and CISO by the incident handler and ISO/ISA. In cases where incident resolution is expected to take more than thirty days, a weekly status report must be submitted to the CISO and/or CIO. The CISO or CIO may also request a report at their discretion for low and medium severity incidents.

After the incident

The incident handler, SEC Team, and other principals will review the final report, the response plan, and the root cause analysis, and determine whether new risks have been identified, or whether updates to policy or practices, or revision of the incident response plan, are needed to prevent future security incidents or to respond to them more efficiently.

Process Flow

[Figure: Flow chart showing the OIT Computer Security Incident Response Standard process flow]

Methods for Notifying the Information Security Team

Notification of suspicious activity may be submitted in the following ways:

  • Email the OIT Helpdesk at help@pdx.edu or call 503-725-4357.
    • Requests will be escalated to a member of the SEC Team by the Helpdesk.
  • Email the SEC Team at help-security@pdx.edu.

Related Policies, Procedures, and Information

Indicators of Compromise SOP

Definitions

Event Log: A log of all suspicious or security events maintained by the SEC Team.

Incident Handler: The person responsible for managing communication and coordinating resources when responding to a Security Incident. This will typically be a person from the SEC Team; if not, the assignment will be made in consultation with the individual’s supervisor. Until an Incident Handler has been identified, the first responder should serve in the role to the best of their knowledge, skills, and abilities.

Information Security Team (SEC): The Information Security Team (SEC) comprises the Chief Information Security Officer (CISO), Information Security Analyst (ISA), and Information Security Officer (ISO).

Information Security Operations Coordination Team (SEC-OPS): The Information Security Operations Coordination Team comprises OIT staff who have a security focus or element within their job duties. They coordinate with the CISO and SEC Team for operations related to information security.

Personally Identifiable Information (PII): PII is any representation of data that can be used to identify a specific individual either directly (e.g., name, SSN, address) or indirectly (using a combination of data elements such as gender, race, birthdate, etc.). Technology has expanded the scope of PII considerably, and data elements such as IP address, login IDs, social media posts, digital images, geolocation, and biometrics can also be classified as PII.

Risk Register: A ranked register of identified risks and their treatment status maintained by the SEC Team.

Security Incident: Any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromise of data (sold or used in an unauthorized fashion), loss of accountability, or damage to any part of the system.

Suspicious Event: Any anomalous event, or any event enumerated in the “Indicators of Compromise” SOP, which may indicate a security incident.

Testing / Maintenance

The Computer Security Incident Response Plan will be reviewed annually by the Information Security Team.

Point of Contact

Contact help-security@pdx.edu for questions or concerns about this Plan.

Approver
Chief Information Officer

Owner
Associate Chief Information Officer
Senior Director, Computing Infrastructure Services

Date
Originally Approved: December 2015
Last Revised: November 2015