Old Dominion University
Information Technology Standard
05.1.0 IT Security Incident Handling Standard
Date of Current Revision or Creation: October 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to provide guidance on the management, notification, and investigation of IT security incidents at Old Dominion University.
Definitions
Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.
Security Incident Handling Requirements identify the steps necessary to respond to suspected or known breaches to IT security safeguards.
Security Incident Response Team is a designated group of information technology professionals with the responsibility and authority for responding to information security incident reports.
Standards Statement
Old Dominion University's Security Incident Response Team has the overall responsibility and authority for managing all reported security incidents.
The ISO should be notified of all computer and network security incidents that may affect the confidentiality, availability and/or integrity of the information technology resources at Old Dominion University.
Incident Classification
Security incidents will be classified according to incident categories and severity of incident in order to determine the appropriate response. A security incident classification scheme will be maintained by the Information Security Officer or designee to describe security events and support incident tracking over time.
Incident Reporting and Detection
All members of the University community are responsible for promptly reporting suspected or known security incidents, including an observed or suspected security weakness in university systems.
In addition to reports from the University community, irregular events may be detected that indicate potential security incidents. Detection is a collaborative effort among university and departmental operational staff, IT support, and information security personnel. Controls to deter and defend against cyber-attacks should be identified so as to minimize loss or theft of information and disruption of services. Proactive measures based on the University's cyber-attack history and on industry data should be used to defend against new forms of cyber-attack.
When receiving a report of a suspected or confirmed security incident, the ISO or Security Incident Response Team will gather as much of the following information as possible:
- Name, affiliation, e-mail address, and phone number of people reporting the incident
- Description of the suspected security incident
- Information to help identify the source of the suspicious activity, like an IP address or an e-mail message with full headers
- Date(s) and time(s) of the suspicious activity
- Evidence of suspicious activity
In addition to documenting the initial report, the ISO or Security Incident Response Team will document the incident, initiate appropriate incident handling procedures, communicate with the appropriate stakeholders during handling, and provide feedback about the results to those stakeholders once the incident has been handled and closed.
ODU has established procedures for IT security incident investigation, preservation of evidence, and forensic analysis. When a security incident involves legal action against a person or organization, or a personnel action against an employee, evidence must be collected, preserved, and presented to conform to the rules for evidence specified in the relevant jurisdiction(s).
Procedures, Guidelines & Other Related Information
Federal and State Law
University Policy 3500 Policy on the Use of Computing Resources
University Policy 3505 Information Technology Security Policy
History
Date | Responsible Party | Action
October 2008 | ITAC/CIO | Created
October 2009 | ITAC/CIO | Reaffirmed
October 2010 | ITAC/CIO | Reaffirmed
October 2011 | ITAC/CIO | Reaffirmed
March 2012 | ITAC/CIO | Rewritten
December 2012 | IT Policy Office | Link updated
August 2013 | IT Policy Office | Departmental name updated
August 2015 | IT Policy Office/ISO | Three year review; updated links and definitions
December 2018 | IT Policy Office | Definitions and links checked
October 2021 | CISO | Minor edits for clarification