Body
Issue/Question
What is the USD security policy on Incident Response Management
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Incident Response Management
Policy Statement: The University recognizes the importance of having an effective incident response capability to promptly detect, respond to, and recover from cybersecurity incidents. This policy outlines guidelines for establishing and maintaining an incident response management framework to mitigate the impact of security breaches and ensure the continuity of University operations.
Policy Implementation:
-
Incident Response Plan (IRP) Development:
- The University will develop and maintain a comprehensive incident response plan (IRP) that outlines roles, responsibilities, and procedures for responding to cybersecurity incidents.
- The IRP will define incident classification criteria, escalation procedures, communication protocols, and incident response team roles and responsibilities.
- Conduct Routine Incident Response Exercises
-
Incident Detection and Reporting:
- Mechanisms for detecting and reporting security incidents will be implemented throughout the University's information systems and networks.
- Incident detection tools, such as intrusion detection systems (IDS), security information and event management (SIEM) solutions, and endpoint detection and response (EDR) systems, will be deployed to monitor for signs of suspicious activity and unauthorized access.
-
Incident Response Team Activation:
- The University will establish an incident response team (IRT) comprising personnel from relevant departments, including IT, security, legal, and communications.
- The IRT will be trained, equipped, and empowered to coordinate incident response efforts, investigate security incidents, and implement remediation measures as necessary.
-
Incident Triage and Response:
- Upon detection of a security incident, the incident response team will conduct initial triage to assess the severity, scope, and impact of the incident.
- Response actions will be initiated promptly to contain the incident, mitigate further damage, preserve evidence, and restore affected systems and services.
-
Post-Incident Analysis and Reporting:
- Following the resolution of a security incident, the incident response team will conduct a post-incident analysis to identify root causes, lessons learned, and opportunities for improvement.
- Incident reports will be generated to document the incident response process, findings, remediation actions taken, and recommendations for enhancing incident response capabilities.
Compliance and Enforcement: All University departments and personnel responsible for incident response activities are accountable for adherence to this policy and actively participating in incident response management efforts.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of incident response management practices.
This policy provides a comprehensive framework for implementing CIS Control 17 within the University environment. It provides guidelines for establishing and maintaining an incident response management framework within the University environment, focusing on incident detection and reporting, team activation, response procedures, post-incident analysis, and continuous improvement to mitigate the impact of security breaches and ensure the continuity of University operations.
Please contact the Service Desk if you need further assistance