
Comet Security - utd.edu


Incident Response Planning
Information Security Office, February 2019
Education – Partnerships - Solutions
Purpose for Training
Establish common goals and terminology related to Incident Response Planning.
Understand the role of all IT professionals in support of Incident Response Planning.
Create a collaborative environment so the cost and disruption of incidents can be minimized for the benefit of all UT Dallas stakeholders.
Intended Audience
This training is designed for all IT professionals, including software developers within the UT Dallas community, who access, install, support, troubleshoot, or otherwise manage UT Dallas Information Systems and/or University Data.
Scope of Plan
The ISO develops and maintains the formal Incident Response Plan. The plan describes the process to recover from an Adverse Security Event or Security Incident. Per the Information Security and Acceptable Use Policy (UTDBP3096), the plan applies to all UT Dallas Information Systems and all University Data, regardless of where the data is located. Unique and unforeseen circumstances may result in deviations from the plan; such conditions may be leveraged to improve future versions of the plan.
Key Terms and Definitions
Adverse Security Event: An anomalous security event (or set of events) that may have negative consequences and requires further investigation.
Security Event: Any log entry, alert, or other atomic data related to University Data or University Information Systems relevant to security.
User: Any individual granted access to UT Dallas Information Systems, including guests and contractors.
UT Dallas Information Systems: All computer and telecommunications equipment, software, data, and media, owned or controlled by UT Dallas or maintained on its behalf.
Key Terms and Definitions, Continued
Security Incident: An Adverse Security Event which has been confirmed to be a violation of University policy, or otherwise threatens the information systems maintained by the University and has a significant potential to lead to any of the following:
Inappropriate access to confidential data
Loss of intellectual property or monetary funds
Negative impact to the University's reputation
Other criteria as specified within incident response procedures
When Confidential Data is potentially at risk, including data governed by FERPA / HIPAA / PCI DSS, Adverse Security Events must be treated as Security Incidents.
Key Terms and Definitions, Continued
University Data: This Policy uses the term University Data to refer to data for which UT Dallas has a responsibility for ensuring appropriate information security or would be liable for data exposure, as defined by applicable law, UT System policy, regulations, or contractual agreements. University Data may include information held on behalf of UT Dallas or created as a result and/or in support of UT Dallas business (e.g. financial records, personnel records, officially maintained student records, and/or records of official UT Dallas committees), including paper records. This definition does not imply, address, or change intellectual property ownership.
Incident Response Service Levels
Strategies and Goals
Consistency: The ISO responds to incidents in a consistent manner by documenting both a "high level" plan and any related procedures.
Communication: The ISO communicates and coordinates with all relevant parties during the incident response process. Information is both collected from, and disseminated to, these parties to ensure both security and business needs are met.
Comprehension: The ISO conducts root cause analysis and uses the resulting data to make enterprise security improvements.
Phases of Incident Response
Preparation: Understand UT Dallas Information Systems and University Data to assess their potential risk of compromise. Adequate defenses and monitoring tools should be implemented. Practice exercises should be performed.
Response: This phase begins upon incident detection. During response, incident analysis is conducted, resulting in both containment and eradication of the incident. Ensure proper recovery of services.
Review: Initiated by having incident responders and other key personnel meet (sometimes involving personnel outside of the ISO). Identify both the successful and problematic parts of the incident response process. Learn how to improve for the future.
Key Players
Information Security Office
Office of Information Technology
Distributed IT groups across campus
University Attorney
University Police Department
Office of Institutional Compliance
Office of Audit and Consulting Services
Office of Budget and Finance
Office of Communications
University President
UT System Administration
State of Texas Department of Information Resources

Incidents That Should Be Reported To ISO:
Hacking: All attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, and denial of service attacks.
Misuse: Use of entrusted organization resources or privileges for any purpose or manner contrary to that which was intended. Includes administrative abuse, policy violations, and use of non-approved assets. May have malicious or non-malicious intent.
Social Engineering: Deception, manipulation, or intimidation designed to exploit humans and therefore the information assets to which they have access. Includes pretexting, phishing, blackmail, threats, and scams.
Physical: Deliberate threats that involve proximity, possession, or force. Includes theft, tampering, snooping, sabotage, local device access, and assault.
Error: Anything done (or left undone) incorrectly or inadvertently. Includes omissions, misconfigurations, programming errors, trips and spills, malfunctions, incorrectly addressed communications, and incorrect attachments to emails.
Incidents That Do Not Need To Be Reported To ISO:
Malware Removed by Automation: Malware is any malicious software, script, or code run on a device that alters its state or function without the owner's informed consent. Examples include viruses, worms, spyware, keyloggers, and backdoors. Thanks to the deployment of automated scanning and recovery tools, automatic resolution of malware does not need to be shared with the ISO each time it is resolved.
Malware Removed Manually: In the event that an IT professional needed to visit a machine one or more times to resolve malware, this is considered routine operations and does not need to be shared with the ISO each time malware is resolved.
Environmental: Natural disruptive events, including disruptions to power, water, and environmental systems, are disruptive to the "Availability" objective of the information security profession. However, at UT Dallas these incidents are primarily serviced by Environmental Health & Safety, Police Department, Facilities, and various other specialists on campus. Therefore, they are considered routine operations and do not need to be shared with the ISO each time they occur.
Contact Information
Questions or concerns? Feel free to contact our office for more [email protected]
