The purpose of this Computer Incident Response Plan (CIRP) is to provide the University with a plan that addresses the dynamics of a computer security incident. A computer security incident is one that threatens confidentiality, integrity or availability of University information assets with high impact, high threat involving high risk and great vulnerability. A security incident includes unintentional disclosure of sensitive or protected information such as Social Security Number or Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996. The CIRP defines the roles and responsibilities for incident response team members, defines incident severity levels, outlines a process flow for incident management, and includes methodologies for conducting response activities.
The CIRP may be used simultaneously during certain disasters along with the University Technology Services Hurricane and Disaster Recovery Plan to address information security and production computer/network continuity.
This CIRP applies to all computer systems and networks connected to Tulane University’s network. The CIRP contains actions required to assure the protection of Tulane University’s reputation, information assets and the student’s, faculty’s, and staff’s information assets that reside under Tulane University’s control.
Definitions and Acronyms
CIRT – Computer Incident Response Team
VPIT – Vice President of Information Technology
ISO – Information Security Officer (Chief or designee)
PCAB – Presidential Cabinet
TS – Technology Services
WFMO – Workforce Management Organization
Policy for Technology Services
Computer security incidents will occur that require full participation of TS technical personnel as well as divisional leadership to properly manage the outcome. TS will establish computer incident response procedures that will ensure that appropriate leadership and technical resources are involved to
- Assess the seriousness of an incident,
- Assess the extent of damage,
- Identify the vulnerability created,
- Estimate what additional resources – if any – are required to mitigate the incident,
- Mitigate the incident,
- Perform proper follow-up reporting, and
- Adjust procedures so that responses to future incidents are improved.
3 Role and Responsibilities
Within this section, the roles and responsibilities for the VPIT, CIRT, ISO, and Supporting Groups are defined. In addition, this section addresses the various Technology Services functional areas within the University and their CIRT responsibilities.
3.1 Vice President of Information Technology - Chief Technology Officer
The VPIT will either involve or inform as the needs of the incident dictate. Communication of information during an incident will follow this flow to eliminate confusion and misinformation between groups.
The VPIT is responsible for executing or delegating the following:
- Setting priorities
- Notifying the University President and/or Board of Trustees of an incident declaration
- Disaster Declaration
- Participating with ISO in forensic investigation decisions
- Designating an Assistant VPIT or an alternate to cover the responsibilities of the VPIT role
- Notifying University Communications as appropriate for internal and external communication
- Owning of the ISO’s incident work plan(s)
- Defining and issuing ‘gag’ orders within Technology Services for particularly sensitive issues; the default guideline for communicating about a computer security incident is on a need to know basis
- Chairing the Post Mortem – Closeout Phase
3.2 Information Security Officer (ISO)
This position will update the VPIT on a regular basis during a critical incident. The ISO will obtain technical expertise based on the incident declared.
The ISO is responsible for the following:
- Beginning a case file for the incident. Used to ensure information is properly collected and documented
- Managing incident resources
- Determining if an incident is at a Critical Level and declaring it to be so
- Maintaining communications between CIRT and the VPIT
- Notifying WFMO as appropriate
- Notifying Legal as appropriate
- Notifying Campus Security as appropriate
- Reminding staff that communication is on a need to know basis or if the VPIT has defined a ‘gag order’ informing team members of the nature of the ‘gag’
- Communicating to the Technology Services Leadership Team that a critical incident has been declared and a CIRT has been formed
- Activating the CIRT and notifying the team of meeting locations and call-in telephone numbers
- Developing containment procedures
- Establishing a Post Mortem Team to determine the root cause and root effect of the incident
- Working closely with the VPIT and University General Counsel during forensic investigations
- Managing the incident work plan(s) and task assignments
- Raising dependency issues as they arise
- Designating a deputy ISO to cover the responsibilities that span more than 12 hours
- Coordinating hand-off meetings between shifts, and developing work plans that address tasks completed and outstanding
- Certifying that all systems are returned to operational quality with the cause rectified
- The secure destruction/retention of all materials at the end of an incident
- Identifying external personnel/resources as needed
3.3 Computer Incident Response Team (CIRT)
During an incident the ISO will assemble a team. Members will vary depending on the skill sets required to assist during an incident. Teams will vary in size depending on the need. This team will remain active until the incident is closed. This team will be responsible for both response and recovery. The core membership of the CIRT is defined in section 6.
Response Phase: The response duties of the team are to conduct a triage of the incident, assist in containment of the incident, collect evidence for the post mortem report and if necessary, conduct or assist in a forensic investigation.
Assisting in the collection of evidence during an incident investigation
Making recommendations to the ISO on remedial action on affected systems
The CIRT may be called up 24 hours a day, 7 days a week, 365 days a year during a critical incident
Recovery Phase: The response aspects of the team are centered on damage assessment, return to normal operations, rebuilding servers and systems, etc.
- Determining whether affected systems can be restored from backup tapes, or must be reinstalled
- Scrubbing all data before making it ready for reinstall
- Determining what data is lost and cannot be recovered or restored
- Reloading data on affected systems
- Restoring normal operations
- Sending final incident reports to parties with a need-to-know
- Discussing procedural changes and updates
- Discussing configuration issues
- Deciding whether to conduct an investigation to determine the root cause and root effects of the incident
- Discussing any task that were not completed
3.4 Public Safety
- Assist in interviews when necessary
- Assist WFMO during policy violations
- Coordinate with external law enforcement as required
- Liaison to Federal Bureau of Investigation (FBI) as requested by University General Counsel
3.5 General Counsel
- Provides guidance to the VPIT regarding legal and regulatory aspects of the incident and its public disclosure
- Advises WFMO regarding investigations involving employees
- Advises the VPIT and/or ISO regarding decision to simply protect its operations or to pursue civil or criminal actions
- Consults with the VPIT and/or ISO regarding involvement with law enforcement
- Advises the VPIT and/or ISO regarding involvement with regulatory agencies
- Reviews communications drafted by University Communications as required
- Liaison to external counsel
- Advises VPIT on personnel matters
- Initiates employee related investigations along with University General Counsel
- Participates in investigation interviews and furnishes legally permissible personal information as necessary
- Alerts the CIRT of any unusual employee behavior patterns during a critical incident or investigation
- Manages internal concerns and questions from the employee base that are not associated with an incident
- Coordinates internal employee communications along with University General Counsel and University Communications, as necessary
3.7 University Communications
- Provides external communications in consultation with University General Counsel
- Responds to all external media inquiries
- Liaison to external public relation firms
- Ensure internal communications are consistent with external communications
4 Incident Defined
A computer security incident is any adverse event that threatens the confidentiality, integrity, or availability of university information assets, information systems, and the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is an incident.
Adverse events may include unauthorized access to systems and information, denial-of-service attacks, loss of accountability, or damage to any part of the system. If an incident has happened or there is suspicion of an incident, the ISO must be notified to help determine the level of the incident and next steps in response as defined in this document.
4.1 Incident Levels
Incident levels are defined here for clarity although with any potential incident the ISO must be notified to help determine next steps.As part of the initial incident response process, the ISO will need to make an assessment of the incident’s impact and assign an appropriate severity level. This severity level will be based upon the potential impact to the operations or reputation of Tulane University, and/or their students, faculty, and/or staff.
An incident’s severity level dictates the initial response and management activities associated with the event. As incident management activities continue, further assessment may effect a reassignment to a higher or lower severity level.
Critical Incident: Any unexpected or unauthorized change, disclosure or interruption to Tulane University’s information resources that could be severely damaging to our students, staff, faculty, and/or reputation. These incidents impact on the University’s ability to meet its mission objectives.
High Level: Successful penetration or denial-of-service attack(s) detected with significant impact on operations. These incidents are: very successful; difficult to control or counteract; compromise large number of systems; cause significant loss of confidential data, loss of mission-critical systems or applications; compromise admin/root, user account; result in illegal file server share access; and cause significant risk of negative financial or public relations impact.
Medium Level: Penetration or denial-of-service attack(s) detected with limited impact on operations. These incidents are: minimally successful, easy to control or counteract, compromise small number of systems, result in little or no loss of confidential data and no loss of mission-critical systems or applications. This includes widespread instances of a new computer virus or worm that cannot be handled by deployed anti-virus software that may require corporate-wide activations of CIRT and/or site-administrators. Also includes illegal mirrors and unapproved content (e.g. games, pornography, multi-media servers on corporate networks). These incidents have small risk of negative financial or public relations impact.
Low Level: These incidents involve: a significant level of network probes, scans and similar activities detected indicating a pattern of concentrated reconnaissance; intelligence received concerning threats to which systems may be vulnerable; penetration or DoS attacks attempted with no impact on operations; isolated instances of a new computer virus; or work that cannot be handled by deployed anti-virus software.
5 Escalation levels and Roles and Responsibilities
The roles and responsibilities of each of the teams involved in incident response vary with the particular escalation level that is active at any particular point in time. These roles & responsibilities are described below.
5.1 Low Level Incident
Normal system operations coupled with periodic and real time monitoring of the university’s information assets.
- Monitor all known sources for alerts or notification of a threat.
5.2 Medium Level Incident
The monitoring processes have detected early indications of an incident.
- Analyze monitoring data and determine early defensive action with notification to and input from ISO.
- Notify the local IT Director (where applicable) and Head of Division
- If users are affected, communication message via VP for Administrative Services.
Director / Manager
- Receive and track reported incident event information from System/Network Administrator.
- Escalate incident response to the next level if event information points to a genuine threat.
- Alert relevant business unit head and ISO of the threat (as appropriate).
- If users are affected, communication message via VP for Administrative Services.
5.3 High Level Incident
A threat has manifested itself.
- Identify countermeasures for containment of the incident.
- Provide on-going threat status to Director.
- Notify Dean if appropriate
- Notify CIRT of the manifestation of the threat.
- Report incident details and supporting system logs, audit records, etc. to CIRT.
- Start logging of events for possible disciplinary / legal proceedings.
- If users are affected, communication message via VP for Administrative Services.
- Report continuously to relevant business/academic units.
- Assume responsibility for directing the incident handling activities.
- Determine whether further escalation to the VPIT is required.
- Determine if countermeasures have reduced the risks to an acceptable level.
- Receive technical information from relevant system administrators.
- Take required actions.
- Provide feedback to ISO & IT Director of department (where applicable).
5.4 Critical Level Incident
The threat has become wide spread or is of high severity level.
- Support the CIRT
- Continue reporting status to Director
- Continue to monitor all event sources for alerts and notification of threats
- Monitor effectiveness of the countermeasures in reducing the threats
- Continue monitoring the incident
- Report continuously to the Dean or equivalent management
- Set up command center
- Alert University General Counsel and Risk Management
- Alert vendors/suppliers/external service providers (as appropriate)
- Determine if the countermeasures have reduced the risks to an acceptable level.
- Take required actions
- Provide feedback to ISO & IT Director of department (where applicable)
- Continue to monitor the event and report to the President or Presidential Cabinet if appropriate.
5.5 Post Incident
The threat has been removed. Full recovery is made. Normal operations have commenced.
- For high and critical level incidents, prepare incident report to be reviewed by VPIT, ISO and others as appropriate. The report should include:
- Incident log including findings of Technical work that can be used as evidence.
- Estimate of damage / impact
- Details of action taken during the incident
- Follow on efforts needed to eliminate or mitigate the vulnerability
- List of policies or procedures that require updating
- Details of efforts taken to minimize liabilities or negative exposure
- Recommendations for legal/disciplinary action against intruders.
- Document lessons learnt and take corrective action to prevent recurrence.
WFMO and General Counsel
- As necessary, initiate disciplinary action or legal proceedings against internal / external threat source.
- Should perform follow up to ensure any identified corrective action is implemented within a reasonable timeframe.
- Communicate final notice of completion of remediation to affected unit heads, WFMO and VPIT.
5.6 Incident Review Report Template
- Were controls applicable to the specific incident working properly?
- What conditions allowed the incident to occur?
- Could more education of users or administrators have prevented the incident?
- Were all of the people necessary to respond to the incident familiar with the incident response plan?
- Were any actions that required management approval clear to participants throughout the incident?
- How soon after the incident started was it detected?
- Could different or better logging have enabled earlier detection of the incident?
- Is the exact time the incident started known?
- How effective was the process of invoking the incident response plan?
- Were appropriate individuals outside of the CIRT notified?
- How well was the CIRP followed?
- Were the appropriate people available when the response team was called?
- Should there have been communication to other inside and outside parties at this time; and if so, was it done?
- Did all communication flow from the appropriate source?
- How well was the incident contained?
- Did the available staff have sufficient skills to do an effective job of containment?
- If there were decisions on whether to disrupt service to internal or external customers, were they made by the appropriate people?
- Are there changes that could be made to the environment that would have made containment easier or faster?
- Did technical staff document all of their activities?
Removal and Recovery
- Was the recovery complete — was any data permanently lost?
- If the recovery involved multiple servers, users, networks, etc., how were decisions made on the relative priorities, and did the decision process follow the incident response plan?
- Were the technical processes used during these phases effective?
- Was staff available with the necessary background and skills?
6 CIRT Core Team
- Vice President of Information Technology, CIO
- AVP, Infrastructure
- Chief Information Security Officer
- AVP, Enterprise Applications
- AVP, Academic Computing