IT Security Incident Handling Standard
Date of Current Revision or Creation: October 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to provide guidance on the management, notification, and investigation of IT security incidents at Old Dominion University.
Definitions
Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.
Security Incident Handling Requirements identify the steps necessary to respond to suspected or known breaches to IT security safeguards.
Security Incident Response Team is a designated group of information technology professionals with the responsibility and authority for responding to information security incident reports.
Standards Statement
Old Dominion University's Security Incident Response Team has the overall responsibility and authority for managing all reported security incidents.
The ISO should be notified of all computer and network security incidents that may affect the confidentiality, availability and/or integrity of the information technology resources at Old Dominion University.
Incident Classification
Security incidents will be classified according to incident categories and severity of incident in order to determine the appropriate response. A security incident classification scheme will be maintained by the Information Security Officer or designee to describe security events and support incident tracking over time.
Incident Reporting and Detection
All members of the University community are responsible for promptly reporting suspected or known security incidents, including an observed or suspected security weakness in university systems.
In addition to reports from the University community, irregular events may be detected that indicate potential security incidents. Detection is a collaborative effort among university and departmental operational staff, IT support, and information security personnel. Controls to deter and defend against cyber-attacks should be identified to best minimize loss or theft of information and disruption of services. Proactive measures based on cyber-attack history and industry data should be used to defend against new forms of cyber-attacks.
When receiving a report of a suspected or confirmed security incident, the ISO or Security Incident Response Team will gather as much of the following information as possible:
- Name, affiliation, e-mail address, and phone number of people reporting the incident
- Description of the suspected security incident
- Information to help identify the source of the suspicious activity, like an IP address or an e-mail message with full headers
- Date(s) and time(s) of the suspicious activity
- Evidence of suspicious activity
In addition to documenting the initial report, the ISO or Security Incident Response Team will document the incident, initiate appropriate incident handling procedures, communicate with and provide feedback about the results to appropriate stakeholder once the incident has been handled and closed.
ODU has established procedures for IT security incident investigation, preservation of evidence, and forensic analysis. When a security incident involves legal action against a person or organization, or a personnel action against an employee, evidence must be collected, preserved, and presented to conform to the rules for evidence specified in the relevant jurisdiction(s).
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3500 Policy on the Use of Computing Resources
- University Policy 3505 Information Technology Security Policy
- Incident Reporting Form
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Created |
October 2009 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
March 2012 |
ITAC/CIO |
Rewritten |
December 2012 |
IT Policy Office |
Link updated |
August 2013 |
IT Policy Office |
Departmental name updated |
August 2015 | IT Policy Office/ISO | Three year review; updated links and definitions. |
December 2018 | IT Policy Office | Definitions and links checked |
October 2021 | CISO | Minor edits for clarification |