Computer Security Incident Response Standard

Introduction

Portland State University’s Office of Information Technology must be able to respond to computer security-related incidents in a manner that protects its own information and helps to protect the information of others that might be affected by an incident.

As such, Portland State University’s Office of Information Technology has established this Computer Security Incident Response Plan to address computer security incidents including theft, misuse of data, network or facility intrusions, hostile probes, and malicious software.

Purpose and Applicability

This plan applies to all Portland State University systems, system administrators, and users of privileged systems or data. 

Standards and Procedures

Planning

The Information Security Team (SEC) and Information Security Operations Coordination Team (SEC-OPS) will work together to establish and maintain Standard Operating Procedures (SOP) for security incidents, including but not limited to common indicators of compromises and reporting SOPs, and to publish, communicate, and educate responsible parties on these practices.

When a suspicious event has occurred

The user, administrator, or supervisor who discovers suspicious activity should investigate briefly. If the suspicion is well-founded or indeterminate, the discoverer should notify a member of the SEC Team of the suspicious event immediately and start an event log, capturing any pertinent details to assist the investigation. If there is any reason to suspect that Personally Identifiable Information (PII) has been released or compromised, immediately contact the SEC Team, which will also notify the Data Protection Officer (DPO). The discoverer must provide a verbal or written report to the SEC Team within one working day of the initial suspicion.

Handling an incident

The SEC Team will designate an incident handler, supervise or conduct the subsequent investigation and remediation, and enter the incident into the event log. The incident handler and any other principals will work with the security team to evaluate the incident, classify the incident, identify whether PII is involved, formulate a response plan (or engage any event-specific SOP), and review any response plan. The CISO will provide oversight of the response, keep appropriate management apprised of the investigation, and assist with coordination. A written preliminary report must be submitted by the incident handler to the SEC Team (i.e., an email to the SEC Team) within two working days.

Sharing information on an incident

All information about the discovery, investigation, or remediation of an incident should be shared only on a need-to-know basis: with institutional risk management, with the incident management team, and within trusted communities of information security practitioners. This protects the integrity of the investigation and of any significantly impacted system or data until the response plan has been completed. Any inquiries from external entities about a specific incident should be routed to the SEC Team.

Classifying an Incident by Severity

In general, severity is dictated by the number of records impacted, the type of records, and the effects on system availability. In some cases, a single record or a small record set may have a high impact, and a severe availability impact on a low-significance system may also warrant a high severity.

Incident severity levels are a way of categorizing the impact and urgency of an incident on our organization and the community. Leveling helps prioritize incident response efforts, allocate resources, establish a consistent approach to managing cybersecurity incidents, and communicate more effectively with all stakeholders.

Level 3

An incident is level 3, or low severity, if the data are public or unimportant or systems affected are not critical to the operation of any business units.

Level 2

An incident is level 2, or medium severity, if an event affecting important systems or restricted or confidential data is suspected to have occurred, the scope is limited to 200 or fewer identities, and the affected systems are critical to the operation of two or fewer business units.

Level 1

An incident is level 1, or high severity, if an event affecting important systems or restricted or confidential data is suspected to have occurred and either the scope is greater than 200 identities or the affected systems are critical to the operation of two or more business units.

Designation as a disaster

In certain extraordinary incidents of any severity, where a system may be unavailable for an extended time due to the requirements of an investigation or the nature of the incident, the CISO or CIO may declare the incident to also be a disaster and engage the disaster recovery plans or mechanisms available for the affected system.

Final report

Within five working days of the resolution of an incident classified at Level 1 (by the CIO or by SEC Team consensus), a written final report must be submitted to the SEC Team by the incident handler and relevant subject-matter experts. In cases where incident resolution is expected to take more than thirty days, a status report must be submitted weekly or as agreed upon by the CISO and/or CIO. The CISO or CIO may also request a report at their discretion for any incident.

After the incident

The incident handler, the SEC Team, and other principals will review the final report, the response plan, and the root cause analysis, and determine whether new risks have been identified or whether updates to policy or practices, or a revision of the incident response plan, are needed to prevent future security incidents or respond to them more efficiently.

Process Flow

[Figure: Flow chart showing the OIT Computer Security Incident Response Standard Process Flow]

Methods for Notifying the Information Security Team

Notification of suspicious activity may be submitted in the following ways:

  • Email the OIT Helpdesk at help@pdx.edu or call 503-725-4357.
    • Requests will be escalated to a member of the SEC Team by the Helpdesk.
  • Email the SEC Team at help-security@pdx.edu.

Related Policies, Procedures, and Information

Indicators of Compromise SOP

Definitions

Event Log: A series of case files of suspicious or security events maintained by the SEC Team.

Incident Handler: The person responsible for managing communication and coordinating resources when responding to a Security Incident. This will typically be a person from the SEC Team; if not, the assignment will be made in consultation with the individual's supervisor. Until an Incident Handler has been identified, the first responder should serve in the role to the best of their knowledge, skills, and abilities.

Information Security Team (SEC): The Information Security Team (SEC) comprises the Chief Information Security Officer (CISO), Information Security Analyst (ISA), and Information Security Officer (ISO).

Information Security Operations Coordination Team (SEC-OPS): The Information Security Operations Coordination Team comprises OIT staff who have a security focus or element within their job duties. They coordinate with the SEC Team for operations related to information security.

Personally Identifiable Information (PII): PII is any representation of data that can be used to identify a specific individual either directly (e.g., name, SSN, address) or indirectly (using a combination of data elements such as gender, race, birthdate, etc.). Technology has expanded the scope of PII considerably, and data elements such as IP address, login IDs, social media posts, digital images, geolocation, and biometric data can also be classified as PII.

Risk Register: A ranked register of identified risks and their treatment status maintained by the SEC Team.

Security Incident: Any adverse event that threatens the security of information resources. Adverse events include compromises of integrity, denial of service, compromise of data (sold or used in an unauthorized fashion), loss of accountability, or damage to any part of the system.

Suspicious Event: Any anomalous event, or any event enumerated in the "Indicators of Compromise" SOP, which may indicate a security incident.

Testing / Maintenance

The Computer Security Incident Response Plan will be reviewed annually by the Information Security Team.

Point of Contact

Contact help-security@pdx.edu for questions or concerns about this Plan. 

Approver
Chief Information Officer

Owner
Associate Chief Information Officer
Senior Director, Computing Infrastructure Services

Date
Originally Approved: December 2015
Last Revised: November 2015