109 Information Security Incident Reporting, Response, and Recovery
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | System Owners | System Custodians/ Administrators | Departments, Schools, Units |
---|---|---|---|---|
Suspected security events and incidents will be immediately reported to IT Service Desks or the OIS (p. 2). | ✔ | ✔ | ✔ | ✔ |
WashU community members will notify OIS of all computer and network security incidents (p. 2). | ✔ | ✔ | ✔ | ✔ |
When an incident involves law enforcement or has legal ramifications, the scene and evidence within the system will be documented and preserved (p. 2). | ✔ | ✔ | ✔ | ✔ |
Summary of Policy
End-User Incident Reporting (109.01)
The OIS will investigate incidents and work with WashU community members to complete the incident reporting documentation.
Incident Response Roles and Responsibilities (109.02)
The OIS must be notified of all computer and network security incidents that may affect the confidentiality, integrity, or availability (CIA) of computer equipment or information at WashU.
Incident Response Planning (109.03)
The Incident Response Plan details the mission and process for the WashU organizational response to incidents, establishes incident alert thresholds, and identifies metrics for measuring and maturing the effectiveness of the plan.
Incident Response Testing and Training (109.04)
The OIS Incident Response Team will routinely practice and test incident response plans to determine its capacity to respond, adjust plans as necessary, and train incident-response personnel. Testing will involve coordination among those with incident response roles and responsibilities and those responsible for related plans (e.g., Business Continuity and Disaster Recovery).
Incident Handling (109.05)
The OIS will follow the incident response plan to perform the following duties during and after an incident.
Requirements for Incident Preservation of Forensic Evidence (109.06)
After consultation with the Office of General Counsel (OGC), OIS may, among other actions, disconnect, monitor, or take possession of devices as part of the incident response process. OIS will notify appropriate leadership.
Incident Reporting Requirements for Regulations and Contracts (109.07)
OIS will work with Area Specific Compliance Offices (ASCOs) to ensure that all other reporting requirements are fulfilled.
Incident Recovery (109.08)
OIS will establish an incident recovery plan and execute the plan after an incident has been contained and mitigated.
Full Text of Policy
Policy 109 Information Security Incident Reporting, Response, and Recovery
The policy communicates a planned and systematic approach to incident handling from reporting to recovery and analysis.
Related Information
209 Information Security Incident Response and Recovery
This standard establishes processes related to incident detection, response, and containment.