1. Purpose

    Winston-Salem State University (WSSU) will maintain an information security incident response plan to address management of information security incidents and improvements, including, but not limited to loss of data, breach of data confidentiality, disruption or damage to data or system integrity, and disruption or denial of availability of information processing services.
  2. Scope

    This standard applies throughout WSSU. All users have the responsibility to report any suspected incident and are required to fully cooperate with information security and Office of Information Technology (OIT) personnel during an incident or associated investigation. OIT information security personnel are responsible for responding to all security incidents and threats. Information security and appropriate OIT personnel will take any and all necessary actions, including but not limited to immediate confiscation and/or disabling of a computer resource or the temporary termination of computer access to protect, investigate, and ensure the security of WSSU information systems and networks.
  3. Standard

    An information security incident is any adverse event whereby some aspect of information security could be breached, leaving valuable or sensitive data at risk, damaged, unavailable, exposed or otherwise compromised.
    1. Incident Notification

      If anyone in the University identifies or suspects that a security incident is occurring or has occurred, or that a threat is imminent, that person should immediately report the problem. Security incidents and threats should be reported and handled as follows:
      1. Call the OIT Technical Support Services Desk at 336-750-xxxx.
      2. Do not take any action with the information resources (computer, data files, etc.) that are involved unless otherwise instructed to do so by information security or information technology personnel.
      3. Inform your immediate supervisor.
      4. Be available to answer questions and assist in the incident investigation as needed.
    2. Incident Assessment
      1. The Chief Information Officer and Information Security Manager, or their designee, will consider the following in determining the severity and appropriate response to an incident:
        1. How widespread is the incident?
        2. What is the impact to college operations?
        3. What data is at risk?
        4. How difficult is it to contain the incident?
        5. How fast is the incident propagating?
        6. What is the estimated financial impact to the University?
        7. How will this incident affect the University’s image?
        8. Is law enforcement involvement needed or required?
      2. Appropriate measures will be initiated by information security and information technology personnel to prevent additional loss or harm to information resources.
      3. The Information Security Manager will determine the nature, scope, and cause of the incident, and identify required corrective actions.
      4. Incidents will be classified as Red (Critical), Yellow (Significant), or Green (Minor).
        1. Red (Critical)

          Red severity incidents are defined as having a serious potential impact on WSSU information resources. Managers or users of resources involved will be explicitly instructed not to use the resources until receiving further instruction from information security or information technology personnel.

          Red incidents must be responded to within one hour of notification or observation. Information security or information technology personnel will direct restoration efforts. Communication will flow from the Chief Information Officer or Information Security Manager, or their designee(s), to keep the appropriate campus personnel apprised of the status of restoration efforts. Red incidents are characterized as follows:
          • Unauthorized disclosure, modification, destruction or deletion of restricted, sensitive, or critical information or data
          • Disruption of business continuity, critical business processes, or communication
          • Impact on long-term public perception of the college
          • Identity theft of an individual or group
          • Extending beyond the borders of local systems
          • Requiring interaction with entities external to WSSU
        2. Yellow (Significant)

          Yellow severity incidents are identified as having non-intrusive impacts on current services and represent passive attacks or monitoring of critical communication.

          Yellow incidents will be responded to within 24 hours of notification or observation. Information security or information technology personnel will direct restoration efforts. Communication will flow from the Chief Information Officer or Information Security Manager, or their designee(s), to keep the appropriate campus personnel apprised of the status of restoration efforts. Yellow incidents are characterized as follows:
          • Passive interception of critical plain-text communications
          • Disruption of non-critical business processes
          • Unauthorized use of information resources
          • Localized to a campus unit and/or confined to specific hardware or software systems
        3. Green (Minor)

          Green level incidents are identified as those that do not present an immediate threat to multiple hardware or software systems and do not involve sensitive, restricted, or critical data.

          Due to the minor nature of green incidents, appropriate response times and communications will be determined after initial investigation and based on priorities at the time. Green incidents are characterized as follows:
          • Impaired but functional system behavior
          • Slow response time
          • No disruption or service outage
    3. Investigation of Incidents

      The investigation portion of the incident is where a large amount of time and effort is spent. Activities occurring during this phase of the response can be summarized as follows:
      1. With the assistance of system owners, immediate actions are taken to contain the incident or to prevent further spread of the threat.
      2. Interviews are conducted with system owners, administrators, and users; and data is collected from audit trails, system logs, etc. in an attempt to determine the root cause of the incident. Following are potential root causes:
        1. System or component failure
        2. System or component configuration error
        3. Unauthorized access (intrusion)
        4. Policy violation
    4. Remediation of Incidents

      The outcome of the investigation and the root cause of the incident will determine the actual steps involved to remediate the incident. If the root cause was system failure or configuration error, then steps should be taken to eliminate or correct the problem and restore the systems so that normal operations may continue.

      If the incident was a result of illegal activity or against university policy, in addition to eliminating and/or containing the threat or vulnerability that allowed the incident to occur, the appropriate law enforcement agency or university departments or officials should be notified, and supplemental forensics activities should occur to gather and protect evidence collected as part of the investigative process.
    5. Documentation of Incidents

      Information about each security incident must be documented and maintained by OIT information security personnel. Documented information includes:
      1. Description of the computer or network resources involved
      2. Individual responsible for the resources
      3. Nature of the attack or incident
      4. Source of the attack or incident
      5. Resources compromised or placed at risk
      6. An assessment of actual harm or loss
      7. Estimate of time spent responding to the incident
      8. Description of corrective measures identified and implemented
    6. Notification of Users

      Persons whose accounts or personal information have been accessed or compromised as a result of an incident will be notified in a timely manner as determined by the nature of the incident.
    7. External Communication of Security Incidents

      No one, unless authorized by WSSU senior management, should speak publicly about a security incident at WSSU. The Chief Information Officer will work closely with the senior administration executives, public relations personnel, and legal counsel in the release of incident information to the public.