Incident Handling Policy

What Is It?

Procedures for dealing with computer security incidents

Montana Tech University Policy

Subject: Information Technology

Policy: IT Security Incident Response Policy

Revised: 7/07/2023

Effective date: 5/15/2019

Responsible Party: Information Technology Director/CIO


Introduction and Purpose:

This policy governs the general response that should be used when a computer and/or information security incident has been encountered.

Policy:

Board of Regents policies governing the use of university information technology apply to all University faculty, staff, students, and patrons. All users of University information technology must comply with Montana Technological University policies as well as University of Montana Policies, Board of Regents policies, state and federal law.

Procedures for managing an Information Technology security incident will be determined, maintained, and posted online by Montana Tech's Director of Information Technology/CIO. The Director/CIO will immediately communicate any emergency to the Chancellor and Executive Vice-Chancellor/Provost per the designated procedures.

Internal control considerations, if applicable:

Changes to procedures will be shared by the CIO or designee at the next Executive Team meeting so that the campus community can be notified as needed.

Procedures:

Preparation

  1. Information Technology will:
    a. Maintain a list of assets prior to any suspected security incident or request for investigation:
       1. Servers (Patch log, Virtual Space documents)
       2. Networks
       3. Applications
       4. Critical endpoints (C-level laptops/any laptop with PII)
    b. Rank the list by level of importance, identify backup locations and frequency, and monitor traffic patterns so that baselines can be created for later comparison.
       IT TEAM -> Emergency Docs -> CriticalSystems.docx
    c. Maintain a Communication Plan to be used in the event of an incident.
       IT TEAM -> Emergency Docs -> 1_Information Services Disaster Communication Plan.docx
    d. Apply security patches to firmware and applications regularly.
    e. Use security software to protect data.
    f. Provide Information Technology security training to all users.


Suspected Incident

When a suspected security incident or request for investigation has been identified, the following shall occur:

  1. Detect the issue
    • Gather everything possible on the incident.
    • Keep a log book.

Logging of information is critical in situations that may eventually involve federal authorities and the possibility of a criminal trial. The implications from each security incident are not always known at the beginning of, or even during, the course of an incident. Therefore, a written log should be kept for all security incidents that are under investigation. The information should be logged in a location that cannot be altered by others. Manually written logs are preferable since on-line logs can be altered or deleted. The types of information that should be logged are:

  1. Dates and times of incident-related phone calls.
  2. Dates and times when incident-related events were discovered or occurred.
  3. Amount of time spent working on incident-related tasks.
  4. People you have contacted or who have contacted you.
  5. Names of systems, programs or networks that have been affected.

    • Users should immediately notify the IT Helpdesk (Ph: 406-496-4244).


  2. Isolate the system
    • Server/Desktop/Laptop Device
      • Disconnect the network cable/turn off the device WIFI.
      • Do not power off or reboot the system.

  3. Analyze the issue (Computer Support/Information Technology/Network Services)
    • Investigate and analyze the information, determining the entry point, when it started, and the breadth of the incident.
    • Confiscate hardware.
    • Notify the owner, if the owner is not already aware.
    • Patch the threat's entry point.


  4. If the incident involves personally identifiable information/financial account information, notify the Incident Response Operational Team:
    • Director Information Technology/CIO – Montana Technological University
    • Chief Information Security Officer – University of Montana
    • Assistant Director Information Technology – Network – Montana Technological University
    • Assistant Director Information Technology – Information Services – Montana Technological University
    • Director of Marketing – Montana Technological University
    • Chancellor – Montana Technological University
    • Executive Vice-Chancellor/Provost – Montana Technological University

  5. If a breach has been confirmed, report. Use caution when releasing information.

All release of information must be authorized by the Montana Tech Administration (UM CISO, Chancellor, Executive Vice Chancellor/Provost) as appropriate. Also, incident-specific information, such as accounts involved, programs or system names, is not to be provided to any callers claiming to be a security officer from another site. All suspicious requests for information (i.e., requests made by callers claiming to be a CSA for another site) should be forwarded to the University of Montana CISO. If there is any doubt about whether you can release a specific piece of information, contact the University of Montana CISO and the appropriate Montana Tech administrative head.

 

  6. Eradicate the problem.

  7. Recover from the incident.

  8. Post-Incident Analysis


After an incident has been fully handled and all systems are restored to a normal mode of operation, a follow-up postmortem analysis should be performed. The follow-up stage is one of the most important stages for handling a security incident. All involved parties (or a representative from each group) should meet and discuss actions that were taken and the lessons learned. All existing procedures should be evaluated and modified, if necessary. All on-line copies of infected files, worm code, etc., should be removed from the system(s). If applicable, a set of recommendations should be presented to the appropriate management levels. A security incident report should be written by a person designated by the Montana Tech Director of Information Technology/CIO and distributed to all appropriate personnel.

  9. Implement necessary steps to prevent the incident from occurring in the future.