Office of Information Technology
Computer Security Incident Response Standard
Portland State University’s Office of Information Technology must be able to respond to computer security-related incidents in a manner that protects its own information and helps to protect the information of others that might be affected by an incident.
As such, Portland State University’s Office of Information Technology has established this Computer Security Incident Response Plan to address computer security incidents including theft, misuse of data, network or facility intrusions, hostile probes, and malicious software.
Purpose and Applicability
This plan is applicable to all Portland State University systems, system administrators, and users of privileged systems or data.
Standards and Procedures
The Information Security Team (SEC) and Information Security Operations Coordination Team (SEC-OPS) will work together to establish and maintain Standard Operating Procedures (SOP) for security incidents — including but not limited to common indicators of compromises and reporting SOPs — and to publish, promulgate, and educate responsible parties on these practices.
When a suspicious event has occurred
The user, administrator, or supervisor who discovers suspicious activity should investigate briefly. If suspicion is well-founded or indeterminate, the discoverer should notify a member of the SEC Team of the suspicious event immediately and start an event log while capturing any pertinent details to assist the investigation. The discoverer must provide a verbal or written report to the SEC Team within one working day of the initial suspicion.
Handling an incident
The SEC Team will designate an incident handler, supervise or conduct the subsequent investigation and remediation, and enter the incident into the event log. The ISO/ISA, the incident handler, and any other principals will work with the security team to evaluate and classify the incident, formulate a response plan (or engage any event-specific SOP), and review that plan. The CISO will provide oversight of the response, keep appropriate management apprised of the investigation, and assist with coordination. The incident handler and ISO/ISA must submit a written preliminary report (i.e. an email to the SEC Team) to the SEC Team and CISO within two working days.
Sharing information on an incident
All information about the discovery, investigation, or remediation of an incident should be shared only on a need-to-know basis and within trusted communities of information security practitioners to ensure the integrity of the investigation and any significantly impacted system or data until the response plan has been completed. Any inquiries from external entities about a specific incident should be routed to the CIO who may work with University Communications or Office of General Counsel as appropriate to provide a response.
Designation as a disaster
In certain extraordinary incidents, where a system may be unavailable for an extended time because of the needs of an investigation or the nature of the incident, the CISO or CIO may declare the incident to also be a disaster and engage the disaster recovery plans or mechanisms available for the affected system.
Within five working days of the resolution of an incident deemed significant by the CISO or CIO, a written final report must be submitted to the SEC Team and CISO by the incident handler and ISO/ISA. In cases where incident resolution is expected to take more than thirty days, a weekly status report must be submitted to the CISO and/or CIO.
After the incident
The incident handler, SEC Team, and other principals will review the final report, the response plan, and the root cause analysis, and determine whether updates to policy or practices, or a revision of the incident response plan, are needed to prevent future security incidents or to respond to them more efficaciously.
Methods for Notifying the Information Security Team
Notification of suspicious activity may be submitted in the following ways:
- Email the OIT Helpdesk at email@example.com or call 503-725-4357; the Helpdesk will escalate the request to a member of the SEC Team.
- Email the SEC Team at firstname.lastname@example.org.
- Call a member of the SEC Team.
- Chat message to #security channel in Slack.
Related Policies, Procedures, and Information
Final Incident Report Template
Preliminary Incident Report SOP
Indicators of Compromise SOP
Phishing Response SOP
| Term | Definition |
|---|---|
| Security Incident | Any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromise of data (sold or used in an unauthorized fashion), loss of accountability, or damage to any part of the system. |
| Incident Handler | The person responsible for managing communication and coordinating resources when responding to a Security Incident. This will typically be a person from the SEC Team, but if not, the assignment will be made in consultation with the individual’s supervisor. Until an Incident Handler has been identified, the first responder should serve in the role to the best of their knowledge, skills, and abilities. |
| Suspicious Event | Any anomalous event, or any event enumerated in the “Indicators of Compromise” SOP, which may indicate a security incident. |
| Event Log | A log of all suspicious or security events, maintained by the SEC Team. |
| Information Security Team (SEC) | The Information Security Team (SEC) consists of the Chief Information Security Officer (CISO), Information Security Analyst (ISA), and Information Security Officer (ISO). |
| Information Security Operations Coordination Team (SEC-OPS) | The Information Security Operations Coordination Team consists of OIT staff who have a security focus or element within their job duties. They coordinate with the CISO and SEC Team on operations related to information security. |
Testing / Maintenance
The Computer Security Incident Response Plan will be reviewed annually by the Information Security Team.
Point of Contact
Contact the CISO for questions or concerns about this Plan.
Chief Information Officer
Associate Chief Information Officer
Senior Director, Computing Infrastructure Services
Originally Approved: December 2015
Last Revised: November 2015