Computer Security Incident Response Standard

Approver: CIO, Office of Information Technology
Owner: Chief Information Security Officer (CISO), Office of Information Technology
Date: Approved 2016-10-03; Last Revised 2017-08-16

Introduction

Portland State University’s Office of Information Technology must be able to respond to computer security-related incidents in a manner that protects its own information and helps to protect the information of others that might be affected by an incident.

As such, Portland State University’s Office of Information Technology has established this Computer Security Incident Response Plan to address computer security incidents including theft, misuse of data, network or facility intrusions, hostile probes, and malicious software.

Purpose and Applicability

This plan is applicable to all Portland State University systems, system administrators, and users of privileged systems or data. 

Standards and Procedures

Planning

The Information Security Team (SEC) and Information Security Operations Coordination Team (SEC-OPS) will work together to establish and maintain Standard Operating Procedures (SOPs) for security incidents — including but not limited to an SOP listing common indicators of compromise and an SOP for reporting — and to publish, promulgate, and educate responsible parties on these practices.

When a suspicious event has occurred

The user, administrator, or supervisor who discovers suspicious activity should investigate briefly. If suspicion is well-founded or indeterminate, the discoverer should notify a member of the SEC Team of the suspicious event immediately and start an event log while capturing any pertinent details to assist the investigation. The discoverer must provide a verbal or written report to the SEC Team within one working day of the initial suspicion.

Handling an incident

The SEC Team will designate an incident handler, enter the incident into the event log, and supervise or conduct the subsequent investigation and remediation. The ISO/ISA, incident handler, and any other principals will work with the SEC Team to evaluate the incident, classify the incident, formulate a response plan (or engage any event-specific SOP), and review that response plan. The CISO will provide oversight of the response, keep appropriate management apprised of the investigation, and assist with coordination. A written preliminary report (e.g. an email to the SEC Team) must be submitted by the incident handler and ISO/ISA to the SEC Team and CISO within two working days.

Sharing information on an incident

All information about the discovery, investigation, or remediation of an incident should be shared only on a need-to-know basis and within trusted communities of information security practitioners to ensure the integrity of the investigation and any significantly impacted system or data until the response plan has been completed. Any inquiries from external entities about a specific incident should be routed to the CIO who may work with University Communications or Office of General Counsel as appropriate to provide a response.

Designation as a disaster

In certain extraordinary incidents where a system may be unavailable for an extended time, whether because of the needs of the investigation or the nature of the incident itself, the CISO or CIO may declare the incident to also be a disaster and engage the disaster recovery plans or mechanisms available for the affected system.

Final report

Within five working days of the resolution of an incident deemed significant by the CISO or CIO, a written final report must be submitted to the SEC Team and CISO by the incident handler and ISO/ISA. In cases where incident resolution is expected to take more than thirty days, a weekly status report must be submitted to the CISO and/or CIO until the incident is resolved.

After the incident

The incident handler, SEC Team, and other principals will review the final report, the response plan, and the root cause analysis, and determine whether updates to policy or practices, or a revision of this incident response plan, are needed to prevent future security incidents or to respond to them more effectively.

Process Flow

[Figure: Computer Security Incident Response Process Flow diagram]

Methods for Notifying the Information Security Team

Notification of suspicious activity may be submitted in the following ways:

  • Email or call to the Helpdesk (help@pdx.edu) / 503-725-4357
    • Requests will be escalated to a member of the SEC Team by the Helpdesk.
  • Email to the SEC Team at sec-requests@pdx.edu.
  • Phone call to a member of the SEC Team.

Related Policies, Procedures, and Information

Definitions

Security Incident

Any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromise of data (sold or used in an unauthorized fashion), loss of accountability, or damage to any part of the system. 

Incident Handler

The person responsible for managing communication and coordinating resources when responding to a Security Incident. This will typically be a person from the SEC Team, but if not then the assignment will be made in consultation with the individual’s supervisor. Until an Incident Handler has been identified, the first responder should serve the role to the best of their knowledge, skills, and abilities. 

Suspicious Event

Any anomalous event or event enumerated in the “Indicators of Compromise” SOP which may indicate a security incident. 

Event Log

A log of all suspicious or security events maintained by the SEC Team. 

Information Security Team (SEC)

The Information Security Team (SEC) consists of the Chief Information Security Officer (CISO), the Information Security Analyst (ISA), and the Information Security Officer (ISO).

Information Security Operations Coordination Team (SEC-OPS)

The Information Security Operations Coordination Team consists of OIT staff who have a security focus or a security element within their job duties. They coordinate with the CISO and the SEC Team on operations related to information security.

Testing / Maintenance

The Computer Security Incident Response Plan will be reviewed annually by the Information Security Team.

Point of Contact

Contact the CISO for questions or concerns about this Plan.