11.2.6 Incident Response Procedures

Proposed: 07/08/2015
Adopted: 08/07/2015
Last Reviewed: 07/31/2018
Effective: 08/07/2015

All authorized users have an interest in the security of the computer resources at Middle Georgia State University, and share in the responsibility for protection of those resources, prevention of problems, and incident detection and response. The purpose of this document is to describe the general procedures that will be followed in response to a security incident involving University resources. Cooperation of personnel with these procedures is mandatory. A security incident is defined as a threat to the legitimate use and/or operation of any University computing resource, or the actual occurrence of any situation identified as a potential risk to those resources. Threats may be internally or externally generated.

Incident Response Team

Security incidents will be responded to by a specially formed team of individuals from across the University, the Incident Response Team (IRT). This team will be composed of technical resources with the appropriate skills to identify, assess, respond to, and communicate the effects of security incidents. IRT members will be designated by the Chief Information Officer to take any and all necessary actions, including immediate confiscation and/or disabling of a University computer resource or the temporary termination of a computer account, to protect, investigate, and ensure the security and proper use of the computer resources. Full cooperation with the IRT is required of all authorized users of Middle Georgia State University computer resources.

Security Incident Response

Generally speaking, security incidents will be responded to by removing or deactivating the threat or cause of the problem as soon as possible and as completely as possible while investigative and corrective actions are taken. In addition, appropriate measures to support investigation of the incident will be taken. Cooperation of authorized users with these steps is required. Specifically, incident response procedures will include the following practices as appropriate.

  1. Internal notification. All users and units are responsible for reporting any discovered unauthorized access attempts or other improper usage of University computing and network resources. If a security incident is discovered or reported, a user must take immediate action to ensure the protection of University resources and notify the following individuals: a. the unit head; and b. the office of Technology Resources (471.2720).
  2. Protection. If not already executed, appropriate measures will be taken as soon as possible after the discovery and identification of an incident to prevent additional loss of or harm to University resources. These measures will be completed by a member of the IRT, in concert with the owner or administrator of the affected resource and their department head.
  3. Investigation. Appropriate measures to determine the nature, scope and cause of the incident will be taken. These should be a cooperative effort between the IRT and the owner or administrator of the computer or network resource. It should be understood that investigation of an incident is intended to uncover information that will help to
    1. resolve the problem at hand; and
    2. help the University to improve its practices and prevent or minimize the occurrence of such incidents in the future.
    As such, the full cooperation of all parties is expected and required.
  4. Correction. Once the nature and scope of the incident are understood, the appropriate corrective actions to be taken must be identified and completed. These should include requirements for future system administration activities that will prevent a recurrence of similar problems.
  5. Documentation of incident. Information about each security incident must be logged and maintained by the Incident Response Team. Information to be recorded includes:
    1. a description of the computer or network resource(s) involved;
    2. individual responsible for the resource(s);
    3. nature of the attack or incident;
    4. source of the attack or incident;
    5. University resources compromised or placed at risk;
    6. an assessment of actual harm or loss;
    7. a general estimate of time spent responding to the incident; and
    8. a description of corrective measures taken.
  6. Notification. Persons whose accounts are known to have been accessed or compromised as a result of a breach or the response to a breach will be notified in a timely manner and as appropriate of the actions taken.

External Notification of Security Incidents

Release of information regarding a security incident beyond the offices and individuals named above must be coordinated through the Office of External Affairs and Office of Legal Affairs. If the security incident involves an attack from a known outside entity, that entity should be contacted by a representative of the IRT with notification that the incident occurred and a request for information on what measures will be taken to prevent subsequent incidents.