14.02 Information Security Incident Response

Purpose

This policy provides guidance in determining the proper response to a misuse of Information Technology (IT) resources from within or outside the University. It documents where to report problems and when to involve university administration and legal representatives. It also documents the individuals designated for these responsibilities, and procedural details, which depend on the severity and source of the attack.

Scope

This policy applies to all faculty, staff, and students as well as any other individuals or entities who use data and business systems at the University of Northern Iowa. This policy applies to all university data, even if stored without the use of an IT resource. Further, this policy applies to all IT resources owned or leased by UNI; to any privately-owned equipment connected to the campus network, including, but not limited to, computer equipment, software, operating systems, tablets, phones, multimedia devices, and storage media; and to the campus network itself.

Policy Statement

The University of Northern Iowa acknowledges its obligation to ensure appropriate response in the event of a security incident involving data, business systems, and IT resources in its domain of ownership and control. Compromises in security can potentially occur at every level of computing from an individual's desktop computer to the largest and best-protected systems on campus. Incidents can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence. Serious attacks on university IT resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.

Procedure

All Users will report incidents in which they believe an IT resource is compromised or is under attack by:

  1. Reporting the incident to the Information Security Officer <security@uni.edu> or their designee. If the Information Security Officer is unavailable or otherwise not able to respond, the incident should be reported to IT senior leadership.
  2. Taking action at the direction of the Information Security Officer or their designee to contain the problem, and block or prevent escalation of the attack, if possible.
  3. Preserving evidence, as directed by the Information Security Officer or their designee, where it is deemed appropriate.
  4. Remediating changes and repairing the resulting damage in consultation with IT-Information Security.
  5. Restoring the service to its former level, if possible.

Short-Term Attack and/or with Minor Potential Impact

Attacks that are judged to be minor in impact or short term in duration, and that originate inside the University, will be validated and, if confirmed, reported to the appropriate university administrator(s) after one warning from the Information Security Officer. The warning to the source explains that they are in violation of University policy 14.04, Acceptable Use of Information Technology Resources, and are being given one chance to modify their behavior. If the initial attack is relatively more serious, the warning is to be waived and a report made to the appropriate judicial representative. This is a judgment call to be made by the Information Security Officer.

A judicial report will result in a permanent record of the attack, and a sanction(s) commensurate to the seriousness of the attack. The intent is to provide an opportunity for members of the University community to learn that we take these matters seriously and will not overlook inappropriate and potentially damaging behavior. Repeated attacks will result in escalation to procedures regarding incidents having long term and/or major damage.

Attacks which originate outside the University will be reported to the appropriate service provider by the Information Security Officer or designated staff if of sufficient seriousness to warrant action on their part. The service provider will be given detail regarding the attack in order that the attacker may be dealt with according to the service provider's terms of use. It is not economically feasible for the University to pursue additional action against attackers (or their service provider) for minor incidents.

When the source of a minor attack cannot be determined, due to a lack of evidence or faulty evidence, then it may be in the best interest of the University to close the investigation. If necessary, the University will notify individuals if confidentiality of their data was compromised in accordance with state and federal laws, rules, and regulations.

Long-Term Attack and/or Major Potential Impact

When an information security incident is determined to possibly cause a moderate or serious potential impact, the responsibility for acting to resolve the incident and to respond to any negative impact rests exclusively with the University rather than with individuals, colleges, departments, or units. Duties regarding the incident will be assigned as necessary by university leadership. If necessary, the University will notify individuals if confidentiality of their data was compromised in accordance with state and federal laws, rules, and regulations.

In consultation with the Information Security Officer, once the entity responsible for the system or network determines that an attack is of "major" consequence or damage, or the attack continues for a long duration (on-going or greater than one day), operational steps must be taken to preserve evidence. Major damage might be the loss or corruption of institutional data, an extended outage of a critical service or application, or other high-impact/high-cost damage.

An ongoing attack originating inside the University will be reported to appropriate campus service providers as soon as it is detected. If needed, that group will perform tracing through network analysis to pinpoint the source of the attack. Alternatively, if the attack is detected through networking analysis, it will be reported to the Information Security Officer and the entity responsible for the system as soon as possible after its detection.

If the source of the attack was outside of the University, IT will perform tracing through network analysis with the cooperation of the University's Internet Service Providers, and/or other external service providers. When external service providers are involved, an appropriately high problem severity level and rapid escalation procedures will be observed in order to trace the attack source and reach a resolution quickly.

The Information Security Officer will inform the University Chief Information Officer (CIO) of the attack in a timely manner. The appropriate university administrator(s) and university leadership will also be informed, based on the source of an attack that originates inside the University.

University legal representatives, in consultation with the CIO and university administration, will make a judgment regarding the seriousness of the attack and the appropriate legal action. In all cases, the University will analyze the impact and pursue punishment for the attacker if the source can be pinpointed with sufficient evidence to prove wrongdoing and there is justifiable cost to recover. In other situations, the University will determine appropriate action depending on the circumstances.

In the unlikely event that a long-term event, attack, or a major or critical system attack goes undetected, evidence is lost, and the attack cannot be traced to a source, then there is little to be done with the exception of recovery or repair of the damage and restoration of service.

Usage of Terms

AVAILABILITY – Availability is the ability to assure that systems work promptly and service is not denied to authorized users. A loss of availability is the disruption of access to or use of information or an information system.

CONFIDENTIALITY – Confidentiality ensures that confidential information is only disclosed to authorized individuals. A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.

DATA CUSTODIAN – Data custodians are senior university officials who have planning, management, and policy-level responsibility for data within their functional areas. A data custodian has the authority to authorize or deny access to data. For example, the Registrar, Director of Human Resource Services, Director of Business Operations, Director of Admissions, Department Heads, Deans, Vice Presidents, and the University President would all be data custodians. University administrators may act as data custodians for departments under their authority.

INTEGRITY – Integrity is the appropriate maintenance of information and systems. A loss of integrity is the unauthorized modification or destruction of information.

IT RESOURCE – IT resource may include, but is not limited to, computers, software, servers, network utilization, storage utilization, virtual machine capacity, tablets, phones, multimedia devices, storage devices, wireless spectrum, and any other in-demand resource managed by IT staff.

INFORMATION SECURITY INCIDENT – An accidental or malicious act with the actual and/or potential loss of confidentiality, integrity, and/or availability of a university IT resource such that one or more of the following is likely true:

  • Loss of mission capability to an extent and duration that an IT resource is unable to perform its primary functions, or the effectiveness of the functions is noticeably reduced
  • Damage to university assets
  • Direct financial damages and/or fines
  • Indirect financial damages
  • Harm to individuals
  • Negative impact on the University's reputation

POTENTIAL IMPACT – Potential impact is the level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on university operations, university assets, or individuals.

UNIVERSITY DATA – University data are information that supports the mission and operation of the University. It is a vital asset and is owned by the University. Some university data are shared across multiple units of the University as well as with outside entities.

USER – User includes any faculty, staff, student, developer, contractor, vendor, or visitor as well as any other individual or entity using information, university data, and/or IT resources of the University of Northern Iowa.


Information Technology, approved August 27, 2018
University Council, approved November 12, 2018
President and Executive Management Team, approved December 10, 2018