Subject: Information Technology
Policy: IT Security Incident Response Policy
Revised: 03/07/2025
Effective date: 5/15/2019
Review date:
Responsible Party: Information Technology Director/CIO
Physical Copies

| Version | Location | Date Updated |
|---|---|---|
| 2 | MG 107A – MT Tech CIO Office | |
| 2 | MG 107 – MT Tech Network Office | |
| 2 | Highlands 132C – MT Tech I.T. Office | |
| 2 | MG 302A – Chancellor’s Office | |
| 2 | MG 301 – Provost’s Office | |
| 2 | MG 302 – Chief of Staff’s Office | |
| 2 | MG 305 – Vice Chancellor of Administration and Finance Office | |
| 2 | MUS 210 – Vice Chancellor for Research and Dean of the Graduate School | |
| 2 | SUB 201C – Vice Provost for Student Success and Dean of Students | |
| 2 | MG 303A – Director of Finance and Budget | |
| 2 | HPER 145A – Director of Athletics | |
| 2 | URC 120 – Foundation CEO | |
| 2 | URC 105 – Executive Director, Marketing and Communications | |
Roles and Responsibilities
This section provides roles and responsibilities for the key parties that may be involved with incident response activities.
Incident Response Team
The Incident Response Team (IRT) is responsible for the preparation, notification, response, and recovery activities required to prevent or limit the impacts of security incidents. The members of the IRT and the responsibilities associated with each role are listed below. Where a role lists numbered alternates, if 1) is unavailable the responsibilities are performed by 2), then 3).

1) Director of Information Technology/CIO – Montana Technological University
2) Assistant Director of Information Technology – Network Services
3) Software Engineer/Telecommunication
- Preparing and maintaining incident response procedures
- Enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information
- Overseeing and coordinating the incident management activities of the IRT with assistance from the UM CISO
- Maintaining and escalating communication, as necessary, with top management at Montana Technological University (MTU) and relevant third-party authorities
- Delegating relevant tasks pertaining to specific security incidents at MTU
- Organizing IRT meetings in conjunction with the Emergency Manager/Incident Commander. Meetings should take place at least annually to review information security incidents, discuss response capabilities, and revise policies and procedures as needed.
- Reviewing the performance of the IRT and making suggestions for improvements
- Maintaining an incident log containing all relevant information pertaining to both active and resolved information security incidents
Emergency Manager/Incident Commander
- Organizing IRT meetings
- Reviewing the performance of the IRT and making suggestions for improvements
- Organizing a “Situation Room” if needed
University of Montana – Chief Information Security Officer (CISO) and Information Security Office (ISO)
- Advising the CIO at MT Tech regarding incident response procedures
- Enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information
- Overseeing and coordinating the incident management activities of the IRT
- Maintaining and escalating communication, as necessary, with top management at the University of Montana
- Delegating relevant tasks pertaining to specific security incidents at the University of Montana
- Determining if incident follow-up is needed
- Reviewing the performance of the IRT and making suggestions for improvements
University Unit Dean, Director, or Department Head
Data Steward
- Protecting the confidentiality, integrity, and availability of university IT assets under their control
- Ensuring IT security and privacy for the IT assets in their units
- Reviewing the quality and effectiveness of incident management activities and procedures
- Communicating the incident response requirements outlined within this Plan to MTU employees
- Conducting annual meetings to review security initiatives, discuss reported security incidents or vulnerabilities, and develop action plans to meet information security goals and improve incident response plans
IT Department
- Initial response and analysis of reported incidents
- Containing security incidents
- Collecting evidence
- Eradicating the incident by identifying and mitigating vulnerabilities that were exploited, removing malware, etc.
- Facilitating the recovery from security incidents by restoring affected systems, data, business processes, etc.
- Configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT assets
- Providing incident response information for IT
- Implementing IRT controls and/or configurations during response activities
- Increased monitoring during incident response as needed
- Documenting all changes to asset configurations
- Communicating with internal and external parties
1) Vice Chancellor of Administration and Finance
2) Director of Finance and Budget
- In conjunction with legal counsel, determining the extent of Federal and State regulatory notification requirements to be made in connection with a security incident
- Carrying out the legal and regulatory reporting and notifications required in response to security incidents
- Notifying Risk Management and Tort Defense if necessary, after consulting with legal counsel
Legal Counsel (internal, or as delegated to external counsel)
- Determining the extent to which Federal and State regulatory notifications are required in connection with a security incident
- Reviewing notifications and communications that may be issued during response activities, including pre-drafted templates (for example, communications or notifications issued to or by marketing, regulatory agencies, law enforcement, students, partners, and staff)
- Reviewing and identifying whether an information security incident is a “breach” as defined by Federal or State law or by regulators
- Declaring a “breach” (note that typically external legal counsel will be responsible for determining whether an incident is considered a “breach”)
Executive Director, Marketing & Communications – Montana Technological University
- Developing and facilitating the communications necessary to support incident response capabilities. This may include communications or notifications to staff, students, and the public: when to send them and what information to include.
- Maintaining pre-drafted communications to facilitate internal and external notifications during an incident.
- Interfacing and coordinating with approved outside public relations providers during incidents that may involve public communications.
- Coordinating public or broad communications, such as press releases or other public statements, with [internal and external legal counsel, marketing, etc.] for review and approval.
- Ensuring training is provided to staff regarding media requests or requests from external third parties for information.
External Parties
Note: external parties should be chosen with consideration of vendors that are partners with the university’s insurer.
- Computer forensics
- Advanced incident analysis
- Legal services
- Public relations management
- Incident containment and eradication
- Vulnerability mitigation
Users
- Safeguarding security tokens, smart cards, identification badges, or other devices used for authentication and access to secure IT facilities
- Reporting known or suspected incidents via MS Outlook or the IT Helpdesk
- Completing all required cybersecurity training in a timely manner
Roles and responsibilities may be expanded to include additional individuals and third parties based on the nature and severity of an incident.
Shared Responsibilities
The full IRT will share the following responsibilities under the guidance of the MTU CIO, CISO and ISO:
- Identifying, analyzing, reporting, and responding to security incidents in accordance with this plan.
- Ensuring incident response plans and supplemental documents are established and stored in a manner that ensures their availability in the event of major infrastructure outages or loss of facilities.
- Reviewing the quality and effectiveness of incident management activities and procedures.
- Maintaining up-to-date knowledge of incident response best practices, common security threats, indicators of compromise, containment methods, etc.
- Maintaining appropriate contacts with law enforcement, regulatory bodies, and other relevant authorities as needed.
- Communicating the incident response requirements outlined within this plan to employees and relevant third parties.
- Determining the incident communication process for internal and external parties. This includes defining when, what, and to whom to communicate incident response information.
- Determining if additional follow-up and corrective actions are needed in response to security incidents.
- Preparing and maintaining policy guidelines for establishing and implementing incident response procedures.
- Coordinating communication and training related to the incident response policy and procedures.
Incident Response Procedures
Preparations
Information Technology Services will:
a. Maintain a list of assets prior to any suspected security incident or request for investigation:
- Servers: inventory (Appendix C, System Inventory); log inventory, SolarWinds repository (Appendix C, Log Inventory)
- Networks: network diagram, floor plans, remote locations/cloud environment (Appendix C, Network Map)
- Applications: diagram outlining remote locations/cloud environments (Appendix C, System Inventory)
- Incident Response Team directory (Appendix D, Contact Information)
b. Rank the list by level of importance, identify backup locations and backup frequency, and monitor traffic patterns so that baselines exist for later comparison (Appendix C, System Inventory; Appendix C, Log Inventory).
c. Maintain a communication plan to be used in the event of an incident (Appendix B, Communication Templates). Key stakeholders involved in leading this communication plan include the Executive Director of Communications and Marketing, University of Montana Legal Counsel, the Director of Information Technology/CIO, and the University of Montana CISO.
d. Apply security patches to firmware and applications regularly; patch logs are kept in Appendix C, System Inventory.
e. Use security software to protect data.
f. Provide information technology security training to all users.
Suspected Incident
When a suspected security incident or request for investigation has been identified, the following shall occur:
1) Detect the issue
- Gather everything possible on the incident.
- Keep a log book. Logging of information is critical in situations that may eventually involve federal authorities and the possibility of a criminal trial. The implications of each security incident are not always known at the beginning of, or even during, the course of an incident. Therefore, a written log should be kept for all security incidents under investigation, in a location that cannot be altered by others. Manually written logs are preferable, since online logs can be altered or deleted.
- The types of information that should be logged are:
  - Dates and times of incident-related phone calls.
  - Dates and times when incident-related events were discovered or occurred.
  - Amount of time spent working on incident-related tasks.
  - People you have contacted or who have contacted you.
  - Names of systems, programs, or networks that have been affected.
- Users should immediately notify the IT Helpdesk, Ph: 406-496-4244.
2) Isolate the system
- Server/desktop/laptop device: disconnect the network cable and turn off the device’s Wi-Fi. Do not power off or reboot the system.
- Contain the breach: implement network segmentation to limit the attacker’s movement within the network.
- Secure critical systems: prioritize systems holding sensitive data (student records, financial systems, research data); refer to Appendix C, System Inventory.
3) Analyze
- Computer Support/Information Technology/Network Services analyze the issue:
  - Investigate, analyze the information, and determine the entry point, when the incident started, and its breadth.
  - Confiscate hardware.
  - Notify the owner, if the owner is not already aware.
  - Patch the threat’s entry point.
- If the incident involves personally identifiable information or financial account information, the incident is of ‘High’ severity. Notify the Incident Response Operational Team:
  - Director of Information Technology/CIO – Montana Technological University
  - Assistant Director of Information Technology – Network – Montana Technological University
  - Assistant Director of Information Technology – Information Services – Montana Technological University
  - Executive Director of Marketing and Communications – Montana Technological University
  - Chancellor – Montana Technological University
  - Executive Vice-Chancellor/Provost – Montana Technological University
  - Vice Chancellor of Administration and Finance/Liaison Officer – Montana Technological University
  - Chief Information Officer – University of Montana
  - Chief Information Security Officer – University of Montana
  - Legal – UM
  - Emergency Manager/Incident Commander
- Provide regular updates to the Incident Response Team on the status of the incident response.
- If a breach has been confirmed, use caution when releasing information. All releases of information must be authorized by the UM CISO, the Montana Tech CIO, and Montana Tech Administration (Chancellor, Executive Vice Chancellor/Provost), and approved by Legal – UM and the Executive Director of Communications and Marketing. Also, incident-specific information, such as the accounts involved or program or system names, is not to be provided to any caller claiming to be a security officer from another site. All suspicious requests for information (i.e., requests made by callers claiming to be a CSA for another site) should be forwarded to the University of Montana CISO. If there is any doubt about whether you can release a specific piece of information, contact the University of Montana CISO and the appropriate Montana Tech administrative head.
- Please note that if Outlook Web/Web Email is available, you should also assume it has been compromised.
- The Vice Chancellor of Administration and Finance is responsible for contacting Montana Risk Management and Tort Defense and for approving vendors (Appendix D).
- Note: the insurance carrier can help with State/Federal notification.
4) Eradicate the problem
- Remove malware: clean infected systems.
- Remediate vulnerabilities: patch systems and strengthen security controls (e.g., multi-factor authentication, intrusion detection systems).
5) Recover from the incident
- Restore critical systems from backups using the Restore Process: IT Team->EmergencyDocs->Emergency Response Binder->RestoreProcess.docx
6) Post-incident activity
- Conduct a thorough review. After an incident has been fully handled and all systems are restored to a normal mode of operation, a follow-up postmortem analysis should be performed. The follow-up stage is one of the most important stages of handling a security incident. All involved parties (or a representative from each group) should meet and discuss the actions that were taken and the lessons learned. All existing procedures should be evaluated and modified,
- Analyze the incident to identify weaknesses and areas for improvement in security measures and response procedures. Questions to ask:
  - Was the response time adequate following the initial detection?
  - Were notification processes followed? Were relevant stakeholders kept informed of the incident and response status?
  - Were any steps or actions taken that might have inhibited the recovery?
  - What would the staff and management do differently the next time a similar incident occurs?
  - What corrective action can prevent similar incidents in the future?
  - What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- If applicable, a set of recommendations should be presented to the appropriate management levels. A security incident report should be written by a person designated by the Montana Tech Director of Information Technology/CIO and distributed to all appropriate personnel.
- Implement corrective actions: make the necessary changes to security policies, procedures, and technologies.
- Employee training: conduct security awareness training for all employees to improve their ability to recognize and respond to phishing attacks.
7) Implement the steps necessary to prevent the incident from occurring again in the future.
Severity
Severity should be defined for every incident using the system’s criticality within Montana Technological University’s List of Critical Systems (Appendix C, System Inventory) and considering the sensitivity of the information stored on or accessed by the system. The Incident Response Team will prioritize the incident based upon its potential impact.
Impact addresses the potential effect an incident is likely to have on staff, students, reputation, or financial position of MTU. If an incident falls under multiple scenarios, the most severe scenario will be chosen.
Severity Table

High
- A system classified as having a “High” criticality is affected
- Confidential, restricted, or any regulated (e.g., HIPAA, FERPA, PCI, PII) information may be exfiltrated
- A significant number (≥ 50%) of staff or customers are affected
- Damage to the reputation or goodwill of the university is expected to be high
- Financial impact of the incident is likely to be $10,000 or greater

Moderate
- A system classified as having a “Medium” criticality is affected
- Potential disclosure of internal-use information
- A moderate number of staff or customers are affected
- Moderate damage to university reputation or goodwill is expected
- Financial impact of the incident is likely to exceed $1,000 but be less than $5,000

Low
- A system classified as having a “Low” or “Minimal” criticality is affected
- Only information classified as public may be exfiltrated
- A minimal number (≤ 10%) of staff or customers are affected
- There is minimal to zero impact on the university’s reputation or goodwill
- The financial impact is expected to be less than $1,000
Communication Systems
The communication channels that will be used during an incident are outlined in the table below. During a high-visibility, critical, and/or extremely pervasive incident, the IRT may leverage a specific physical or virtual “Situation Room” to centralize communications and operations.
Email
- Purpose: coordinate IRT response activities; establish a formal record of communication; provide notifications to internal staff as well as third parties. In the event that email systems are unavailable or the incident manager deems there is a risk of adversary monitoring, alternate forms of communication will be used.
- Technologies: Primary – Microsoft 365 (MS Outlook, MS Teams); Secondary –

Voice
- Purpose: provide ad-hoc updates to IRT personnel and senior leadership; manage incident response actions; rapid alerts and notifications to appropriate personnel; limit written communications.
- Technologies: Primary – University phone landlines; Secondary –

Messaging
- Purpose: establish a formal record of a communication; provide formal updates to senior leadership; mitigate the possibility of data interception or leakage if voice/email systems are at risk. Leveraged to communicate with both internal and external parties, such as vendors and law enforcement.
- Technologies: Primary – Microsoft 365 (MS Outlook, MS Teams); Secondary –

“Situation Room”
- Purpose: central area for communication and coordination; used for major incidents that require extensive, ongoing collaboration. The incident commander will publish virtual and/or physical situation room locations and (as applicable) hours staffed.
- Technologies: to be determined as necessary, based on Zoom or Teams; physical room with whiteboard and phone/videoconference capabilities.
If a “Situation Room” is established, the incident commander will ensure that the following actions occur:
- Publish situation room location, web conferencing, phone bridge, and (as applicable) hours staffed.
- Develop a shift schedule for round-the-clock operations if applicable.
- Coordinate food, beverage, and break schedules.
- Monitor and manage phones.
- Monitor and manage incident emails and mailing list, and members/groups/teams’ activities.
- Track official daily operational schedules and meeting schedules.
- Establish a digital repository for incident-related logs, evidence, emails, documents, etc.
- Establish a physical repository and evidence custodianship.
- Monitor open-ticket actions.
- Return any resources loaned or displaced during incident.
- As appropriate, shred any documents not requiring retention.
- Clean all white boards.
- Request a resupply of items needing to be replenished for future incidents.
Internal Notifications
In the event of an incident, it is critical that relevant internal stakeholders are notified and updated appropriately as outlined in this section. The CIO or CISO will inform the IRT and other key individuals of the security incident and provide them with any information necessary.
Security incidents may need to be escalated beyond the IRT to leadership depending on the severity of the incident. Incidents will be escalated based on the following scale:
| Severity | Dir I.T./CIO escalates to: | Vice Chancellor of Administration and Finance escalates to: |
|---|---|---|
| High | Incident Response Team – ASAP (<1 hour) | Risk Management and Tort Defense (see Appendix D, Risk Management and Tort Defense); Board of Regents – <24 hours; work with the Director of Financial Aid to notify FSA at CPSSAIG@ed.gov per the SAIG agreement |
| Moderate | Incident Response Team – <8 hours | Board of Regents – annual reporting |
| Low | Executive Management Team – quarterly | Board of Regents – annual reporting |
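The Severity Table and the escalation scale above describe a rule (rate each criterion, take the most severe scenario, then escalate on that severity’s timeline). The following Python helper is an added illustration of that rule, not the university’s own tooling; the `Incident` record and its field names are this example’s assumptions, as are the two threshold bands the table leaves unstated, which are marked in comments.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Regulated data types named in the High row of the Severity Table.
REGULATED = {"HIPAA", "FERPA", "PCI", "PII"}

# Timeframes from the escalation scale (Dir I.T./CIO column).
CIO_ESCALATION = {
    Severity.HIGH: "Incident Response Team - ASAP (<1 hour)",
    Severity.MODERATE: "Incident Response Team - <8 hours",
    Severity.LOW: "Executive Management Team - Quarterly",
}


@dataclass
class Incident:
    """Constructed input record; the field names are this example's own."""
    system_criticality: str             # "High", "Medium", "Low" or "Minimal" (Appendix C)
    data_classes: set = field(default_factory=set)  # e.g. {"FERPA"}, {"internal"}, {"public"}
    pct_affected: float = 0.0           # share of staff or customers affected, 0..100
    reputation_impact: str = "minimal"  # "high", "moderate" or "minimal"
    financial_impact: float = 0.0       # estimated cost in USD


def rate_criteria(inc: Incident) -> list[Severity]:
    """Severity that each criterion of the Severity Table would assign on its own."""
    ratings = []

    crit = inc.system_criticality.lower()
    ratings.append(Severity.HIGH if crit == "high"
                   else Severity.MODERATE if crit == "medium" else Severity.LOW)

    data = {d.upper() for d in inc.data_classes}
    if data & REGULATED or data & {"CONFIDENTIAL", "RESTRICTED"}:
        ratings.append(Severity.HIGH)
    elif "INTERNAL" in data:
        ratings.append(Severity.MODERATE)
    else:
        ratings.append(Severity.LOW)      # only public information exposed

    # >= 50% is High and <= 10% is Low; the table leaves 10-50% unstated, so
    # (assumption) that band is read as the "moderate number" of the Moderate row.
    pct = inc.pct_affected
    ratings.append(Severity.HIGH if pct >= 50 else Severity.LOW if pct <= 10 else Severity.MODERATE)

    rep = inc.reputation_impact.lower()
    ratings.append(Severity.HIGH if rep == "high"
                   else Severity.MODERATE if rep == "moderate" else Severity.LOW)

    # >= $10,000 is High; > $1,000 is Moderate (assumption: this also covers the
    # $5,000-$9,999 band the table does not mention); otherwise Low.
    fin = inc.financial_impact
    ratings.append(Severity.HIGH if fin >= 10_000 else Severity.MODERATE if fin > 1_000 else Severity.LOW)
    return ratings


def classify(inc: Incident) -> Severity:
    """Policy rule: when several scenarios apply, the most severe one is chosen."""
    return max(rate_criteria(inc))


def escalation(inc: Incident) -> tuple[Severity, str]:
    """Severity plus the CIO escalation timeframe that goes with it."""
    sev = classify(inc)
    return sev, CIO_ESCALATION[sev]


if __name__ == "__main__":
    # Constructed sample: a low-criticality lab workstation, but FERPA data may
    # have left it, so the data criterion alone drives the incident to High.
    lab = Incident("Low", {"FERPA"}, pct_affected=2, financial_impact=400)
    print(escalation(lab))
```

The sample shows why the criteria must be rated independently: four of five criteria say Low, yet the regulated-data criterion alone makes the incident High and starts the one-hour clock.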
The University of Montana General Counsel is responsible for determining if external legal counsel needs to be engaged. Generally, incidents that involve potential unauthorized access to regulated client or employee data will require input from external, specialty counsel.
See (Appendix D, Contact Information) for contact information
Depending on the nature of the incident, communication with other outside parties may be necessary, such as technology service providers or incident response specialists. These include, but are not limited to:
External service providers will not be engaged without approval from the State of Montana’s Risk Management and Tort Defense, UM CISO and MTU Director of I.T./CIO to ensure the service provider is appropriate and has been pre-approved or is approved by MTU’s cyber insurance provider as needed. The current cyber insurer may need to provide approval before a third-party is engaged in order to ensure any claim is covered. To facilitate this, the UM CISO will engage MTU’s Vice Chancellor of Administration and Finance and UM Legal Counsel to contact the insurer as soon as practicable following discovery of a security incident, in order to facilitate quick response. Please refer to the Insurance Notification section for details.
The MTU Director of I.T./CIO is responsible for acting as the primary point of contact for external service providers and ensuring that they receive clear direction and appropriate oversight throughout the response process.
The Vice Chancellor of Administration and Finance, in consultation with internal and external Legal Counsel, is responsible for determining the extent to which Federal and State regulatory notifications need to be made in connection with a security incident. There could be additional regulatory and law enforcement reporting requirements based on the incident scope and the potential impact on clients and employees.
Certain security incidents will require notification to students, partners, staff, or other individuals, when authorized by Legal Counsel. An assessment will be required to determine the extent of the incident, the type of information accessed or obtained, and the likely risk of harm caused to constituents by the incident, in order to determine the notification requirements.
The Director of Information Technology/CIO, in consultation with the UM CISO and internal and external Legal Counsel, is responsible for identifying and approving the notifications that need to be issued to individuals in response to security incidents.