Policy 109 Information Security Incident Reporting, Response, and Recovery

Purpose

The Information Security Incident Reporting, Response, and Recovery policy establishes the process and expectations for identifying, containing, investigating, mitigating, and recovering from security incidents. The policy describes the measures taken by the Office of Information Security (OIS) and cooperating departments to prevent security incidents from affecting the Confidentiality, Integrity, and Availability (CIA) of Washington University in St. Louis (WashU) information resources.

Applicability and Audience 

This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.  

Information Security Roles and Responsibilities (100.01)

Policy 

109.00 Introduction  

A security incident refers to a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices (NIST 800-61 Rev. 2). Incidents may involve any number of attacks—phishing, ransomware, denial of service, malware, theft, unauthorized access and use, etc. An incident may also arise when a user intentionally or unintentionally provides or exposes sensitive or protected information to others, loses a device, or neglects to revise access to files containing protected or confidential data as necessary (i.e., privilege creep).  

According to the United States Computer Emergency Readiness Team (CERT), a security incident can have the following definitions:

  • Violation of a security policy or procedure 
  • Attempts to gain unauthorized access  
  • Unauthorized denial of resources  
  • Unauthorized use of electronic resources  
  • Modification without the owner’s knowledge, instruction, or consent  
  • Theft or displacement of university IT property or data  
  • Malicious code  

Whatever the cause or nature of the incident, it is critical that the OIS responds quickly and effectively. A planned and systematic approach to incident response allows for both swift mitigation of potential damage and analysis of the incident to continuously improve response plans.

109.01 End-User Incident Reporting 

All members of the WashU community share a responsibility to protect our information resources. Part of that responsibility involves immediately reporting suspected security events and incidents to their IT Service Desk or the OIS. WashU community members will notify the OIS of all computer and network security incidents. The OIS will investigate incidents and work with WashU community members to complete incident reporting documentation.

109.02 Incident Response Roles and Responsibilities   

At WashU, computer and network security incidents are handled by the OIS incident response team in coordination with departments, schools, and offices.  

The OIS must be notified of all computer and network security incidents that may affect the confidentiality, integrity, or availability (CIA) of computer equipment or information at WashU.  

WashU departments and schools may use their own incident handling procedure as a supplement to this process under the direction of the OIS. The OIS will notify the Area Specific Compliance Office (ASCO) and the Chief Privacy Officer of incidents that involve protected information and will formalize a post-incident response process, documenting lessons learned.  

If the Computer Security Incident Response Team determines that the incident should involve law enforcement or has legal ramifications, it is important to preserve the scene, to document the situation, and to preserve evidence that may reside within the system. There are forensic processes that must be followed during an investigation. The involvement of the OIS and a trained computer forensics expert is highly recommended. Outside experts may be called upon as necessary.

Please refer to the Incident Response Plan for detailed descriptions of incident response roles and responsibilities.

109.03 Incident Response Planning  

The Incident Response Plan details the mission and process for the WashU organizational response to incidents, establishes incident alert thresholds, and identifies metrics for measuring and maturing the effectiveness of the plan. Response and recovery plans will be regularly tested and updated to incorporate lessons learned. Please refer to Incident Response Plan documents and associated guidance for additional details.

109.04 Incident Response Testing and Training

The OIS will provide incident response training to WashU community members according to assigned roles and responsibilities. Training will begin as soon as a person assumes incident-response roles and responsibilities, will continue as required to accommodate changes to WashU information systems, and will be provided at regular intervals to ensure ongoing preparedness. Incident response training will incorporate simulated events to facilitate responsiveness in crisis situations.  

The OIS Incident Response Team will routinely practice and test incident response plans to determine the team's capacity to respond, adjust plans as necessary, and train incident-response personnel (as defined in Policy 100, Section 100.01 Roles and Responsibilities). Testing will involve coordination among those with incident response roles and responsibilities and those responsible for related plans (e.g., Business Continuity and Disaster Recovery).

109.05 Incident Handling

The OIS will follow the incident response plan to perform the following duties during and after an incident:  

  • Detect incidents (i.e., investigate detection notifications, respond to user reports of incidents). 
  • Oversee the execution of the response plan during and after an incident.
  • Contain incidents.  
  • Mitigate incidents. 
  • Analyze detected incidents to understand attack targets and methods. 
  • Collect and correlate event data from multiple sources and sensors. 
  • Preserve evidence. 
  • Perform forensics. 
  • Interpret and understand the impact of incidents.  
  • Categorize incidents according to the response plan.  
  • Share information with internal parties according to the response plan. 
  • Coordinate with local and federal agencies according to the response plan. 
  • Coordinate with stakeholders (e.g., General Counsel, Public Affairs, Emergency Management, HIPAA Privacy Office, Chief Privacy Officer, Office of University Compliance) according to the response plan. 
  • Consider lessons learned and update the response plan. 
  • Provide relevant information to the insurance team.
  • Coordinate with public affairs to manage public relations. 
  • Manage internal communications and follow an escalation protocol based on severity of incident.

109.06 Requirements for Incident Preservation of Forensic Evidence  

After consultation with the Office of General Counsel (OGC), OIS may, among other actions, disconnect, monitor, or take possession of devices as part of the incident response process. OIS will notify appropriate leadership.  

109.07 Incident Reporting Requirements for Regulations and Contracts 

All security incidents must be reported to OIS. OIS will work with Area Specific Compliance Offices (ASCOs) to ensure that all other reporting requirements are fulfilled. For specific information about reporting requirements for events and incidents involving protected health information (PHI), please contact the HIPAA Privacy Office. For incidents involving other types of protected data, please contact the Area Specific Compliance Office and the Chief Privacy Officer.

109.08 Incident Recovery  

OIS will establish an incident recovery plan and execute the plan after an incident has been contained and mitigated. Recovery and business continuity plans will include processes for assisting WashU departments and schools with the following:  

  • Communicating recovery activities with internal and external stakeholders, executives, and management teams  
  • Incorporating lessons learned and updating recovery strategies  
  • Managing and coordinating public relations  
  • Repairing WashU’s reputation

Policy Compliance 

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance could lead to disciplinary action as determined by management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees. 

Related Policies, Standards, and Guidelines  

Incident Response Plan  

Standard 209: Information Security Incident Response and Recovery  

References 

National Institute of Standards and Technology (2018) Cybersecurity Framework 

National Institute of Standards and Technology (2012) Special Publication 800-61: Computer Security Incident Handling Guide, Rev. 2.   

Policy Review 

This policy will be reviewed by the OIS at a minimum of every three years.  

Policy Number and Title: 109 Information Security Incident Reporting, Response, and Recovery  

Owner: Office of Information Security  

Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: November 17, 2023

Current Version Publication Date: April 18, 2024