GDL-3000.07I: Cybersecurity Incident Response Guidelines

Guidelines Summary

Intended Audience: University personnel responsible for responding to Cybersecurity Incidents
Guideline Owner: Information Security Office

Introduction

The University’s Information Security Office (ISO) is responsible for developing procedures to respond to Cybersecurity Incidents. The procedures make up the University’s Cybersecurity Incident Response Plan (IRP). System business owners and system administrators are responsible for creating System Incident Response Plans (SIRPs) tailored to their needs.

IRP Creation and Maintenance

The University’s Information Security Office (ISO) is responsible for creating the University’s IRP and updating it annually. The plan must be reviewed by the ITS Standards and Guidelines Committee and approved by the University’s Chief Information Officer (CIO).

To ensure the IRP is available during an emergency, it should be stored in electronic format on-site and in a cloud location, and in hard copy on the University campus. Electronic copies should be accessible to all potential members of an Incident Response Team (IRT).

IRP Content and Testing

The IRP should contain at least the following elements:

  1. Names and contact information for core members of the IRT.
  2. Procedures to characterize an incident including incident risk classification (minor/major), type categorization (e.g., account compromise or ransomware attack), and data classification (e.g., public, sensitive, or confidential).
  3. Procedures for reporting and handling a suspected incident including detection and initial reporting of the incident, IRT activation, containment steps, detailed investigations (analysis), and remediation and recovery steps.
  4. Incident documentation requirements including tracking logs used during the incident and lessons-learned documentation post-incident.
  5. Incident communication procedures.
  6. IRP testing procedures.
  7. Playbooks for common incident types.

To improve responses to Cybersecurity Incidents, the ISO will provide a template to system business owners and system administrators for creating system-specific IRPs. Link to template: FRM-3000.07I: WWU System Incident Response Plan (SIRP) Template.

The University IRP and any SIRPs should be tested annually using a tabletop or functional exercise.

Full Document

1. Definitions

Cybersecurity Incident

Any attempted or actual unauthorized access, use, disclosure, modification, or destruction of an information technology (IT) system or of data. A cybersecurity incident typically compromises the confidentiality, integrity or availability of IT systems and data. Cybersecurity Incidents are violations of campus policy, laws and/or regulations.

Cybersecurity Incident Response Plan

A document covering all aspects of managing a University Cybersecurity Incident.

System Custodian

An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties.

System Steward

An individual responsible for the service management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They may create and enforce management and access policies. They are often referred to as Business Owners or Service Owners.

System Incident Response Plan

An Incident Response Plan specific to a particular business system with detailed procedures for response and recovery.

2. Acronyms

IRP

Cybersecurity Incident Response Plan

IRT

Incident Response Team

ISO

Information Security Office

SIRP

System Incident Response Plan

3. Introduction

The University’s Information Security Office (ISO) is responsible for developing procedures to respond to Cybersecurity Incidents. The procedures make up the University’s Cybersecurity Incident Response Plan (IRP). System Stewards and System Custodians are responsible for creating System Incident Response Plans (SIRPs) tailored to the systems they manage.

4. ISO IRP Creation and Maintenance

OCIO 141.10: 11

The University’s Information Security Office (ISO) is responsible for creating the University’s IRP and updating it annually. The plan must be reviewed by the ITS Standards and Guidelines Committee and approved by the University’s Chief Information Officer (CIO).

To ensure the IRP is available during an emergency, it should be stored in electronic format on-site and in a cloud location, and in hard copy at the University campus. Electronic copies should be accessible to all potential members of an Incident Response Team (IRT).

5. IRP Elements

OCIO 141.10: 11(2)

The IRP should contain at least the following elements:

  1. Names and contact information for core members of the IRT.
  2. Procedures to characterize an incident including incident risk classification (minor/major), type categorization (e.g., account compromise or ransomware attack), and data classification (e.g., public, sensitive or confidential).
  3. Procedures for reporting and handling a suspected incident including detection and initial reporting of the incident, IRT activation, containment steps, detailed investigations (analysis), and remediation and recovery steps.
  4. Incident documentation requirements including tracking logs used during the incident and lessons-learned documentation post-incident.
  5. Incident communication procedures.
  6. IRP testing procedures.
  7. Playbooks for common incident types.

6. System Security Incident Response Plans

To improve responses to Cybersecurity Incidents, the ISO will provide a template to System Stewards and System Custodians for creating system-specific IRPs. Link to template: FRM-3000.07I: WWU System Incident Response Plan (SIRP) Template.

7. IRP Testing

OCIO 141.10: 11(2)

The IRPs should be tested annually using a tabletop or functional exercise. Lessons learned during testing should be used to update the IRP.

8. Authority

  1. University policy POL-U3000.07: Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10: Securing Information Technology Assets Standards
  3. Western Washington University Comprehensive Emergency Management Plan

9. References

  1. NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  2. OCIO 141.10: Securing Information Technology Assets
  3. OCIO 143: IT Security Incident Communication
  4. NIST SP 800-61 Revision 2: Computer Security Incident Handling Guide
  5. NIST SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
  6. WWU Cybersecurity Incident Response Plan (to request a copy, email informationsecurity@wwu.edu)
  7. Information Technology Services (ITS) Form FRM-3000.07I: WWU System Incident Response Plan (SIRP) Template

Change Log

Revised      Version   Author           Approver                               Change
11/05/2021   1.0       Beth Albertson   ITS Standards & Guidelines Committee   Original Version