Cyber-Security Incident Handling Standard

RIT has created a process for handling computer incidents to ensure that each incident is appropriately resolved and further preventative measures are implemented.

Scope

This standard applies to all RIT information resources.

Requirements

Any RIT person discovering an event or incident is required to follow the incident handling process below.

  • Anyone who discovers an event should report it to the appropriate IT support personnel or the ITS Service Desk immediately and await further instructions before continuing to use the computing device or media.
    • Anyone who becomes aware of the loss or theft of an RIT computing device or media should report the loss or theft to RIT Public Safety immediately.
  • IT support personnel should follow the internally published procedures provided by the Information Security Office to determine if the event could be a security incident.
  • If anyone suspects that an incident has occurred, they should:
    • Notify the RIT Information Security Office upon discovery.
    • In the event of the loss or theft of a computing device or media that contains RIT information, report the loss to Public Safety immediately.
    • Work with the Information Security Office on containment and forensics imaging (memory and disk, where necessary), following internally published procedures.
  • The Information Security Office may initiate an investigation if it becomes aware of an incident independently without being notified through the incident handling process.
    • The Information Security Office will notify IT support personnel as appropriate.
  • If necessary, the Information Security Office will invoke the RIT Critical Incident Management Process (CIMP).
  • The Information Security Office should initiate an investigation.
  • The investigation will determine if there is risk of harm (e.g., Private Information or credentials have been acquired by an unauthorized party), and then determine further steps.
  • All parties connected with the incident should cooperate with and assist the Information Security Office with the investigation according to procedures for incident handling.
    • The Information Security Office may conduct an investigation, in compliance with the Privacy Policy.
    • The Information Security Office will communicate appropriately with affected parties.
  • If an incident has the ability to spread to additional systems (e.g., involves credentials with administrative access to multiple computing devices, the threat is determined to be a worm, etc.), then personnel should assist in containment, including, but not limited to, providing forensic images (memory and disk) and baseline information as deemed necessary by the Information Security Office.
  • After providing requested information to the Information Security Office, personnel should attempt to remove the threat from (clean) the affected system or re-image the affected system and restore the system to service.
  • If eradication is unsuccessful, or the incident recurs after re-imaging, personnel should notify the Information Security Office and await further instructions.
  • The Information Security Office will communicate resolution and lessons learned to management, personnel, and/or end users, as appropriate.

Who does the standard apply to?

  • The standard primarily applies to administrators of RIT-owned or leased computing devices.
  • The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.

What is an incident?

Incidents include the following types of events:

  • Physical loss of a computing device (including storage devices)
  • Detection of unauthorized users accessing a computing device
  • Discovery of malware on a computing device
  • Discovery of critical vulnerabilities or improper configuration that could result in a breach of information

What do I have to do?

Group: Action Needed

Everyone:
  • If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.

Self-supported users:
  • If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
  • If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.

Users supported by Systems Administrators:
  • Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high-risk threats, they will engage the Computer Incident Handling process.
  • Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.

System Administrators:

Resources

  • Incident Handling Flowchart (rev. 11/16/15)
  • Report a Computer Incident: If you suspect a cybersecurity incident, immediately report it by calling the RIT Service Center at 585-475-5000, or on the web at help.rit.edu. When reporting by phone after hours, there is a prompt to speak to the on-call person in an emergency. Follow the cybersecurity incident handling instructions as described on the Information Security Office website.

Effective Date: January 23, 2015
Standard History:

  • August 16, 2005
  • January 18, 2010
  • November 11, 2013