University Policies
Policy Contact
Office of Information Technology Information Security Group Email 401-863-7266
For loss or theft of computing device: Department of Public Safety 401-863-3103

Cyber Incident Response Policy

Policy No.: 09.00.09
Issue Date:
Effective Date:

1.0 Policy Purpose

An effective incident response process helps ensure the secure operation of Brown University Information Technology Resources, minimizes the negative consequences of Information Security Incidents, and improves the institution’s ability to promptly restore operations affected by such Information Security Incidents. It further ensures Information Security Incidents are promptly reported to the appropriate officials, and that they are consistently and adequately managed.

This policy formalizes the requirements for reporting and responding to Information Security Incidents at Brown University.

2.0 To Whom the Policy Applies

This policy applies to all Brown University faculty, staff, students, contractors, and any other individual using Brown University Information Technology Resources or Data, including any Information Technology Resources and Data managed by other organizations that use said Information Technology Resources to provide services to the University (e.g., an application hosted by a software vendor).

3.0 Policy Statement

All users of Information Technology Resources are responsible for promptly reporting potential information security incidents to the OIT Service Center.

3.1 Incident Response Process

The Information Security Incident response process is initiated when the Information Security Group (ISG) receives a report of a suspected Information Security Incident. Reported Information Security Incidents will be routed to the ISG for handling as follows:

3.1.1 Triage

Triage is initiated when the Brown ISG receives a report of a suspected Information Security Incident. The Chief Information Security Officer (CISO), or their designee, will determine whether sufficient evidence exists to conclude that a suspected Information Security Incident has occurred and will preliminarily classify the severity of the Information Security Incident.

  • While the CISO has the discretion to activate the Information Security Incident Response Team (ISIRT) for any reported or suspected Information Security Incident, the CISO must activate the ISIRT for suspected Critical Impact severity incidents.

3.1.2 Identification and Analysis

The ISG, or ISIRT if activated, shall collect enough Data about the actual or suspected Information Security Incident to confirm that an incident has occurred and to prioritize the next steps in handling the incident. Actions in this stage include:

  • Determine whether an Information Security Incident has occurred. As soon as the ISG believes an Information Security Incident has occurred, begin to document the investigation and acquire, preserve, and secure evidence.
  • Investigate the initial suspected Information Security Incident report; analyze the precursors and indicators, and look for correlating information (e.g., log analysis, forensic analysis).
  • Perform background research about the suspected incident, attack vectors, similar events, and potential solutions (e.g., search engines, threat intelligence subscriptions, knowledge base).
  • Determine the scope of the Information Security Incident and confirm the classification of the Information Security Incident using the severity levels referenced in section 3.3 of this policy.
  • Report the Information Security Incident and the results of the initial investigation and classification to the Vice President for Information Technologies and Chief Information Officer (VPIT/CIO) for informational purposes. For moderate and critical severity events, the results of the initial investigation must also be reported to the Chief Risk Officer (CRO).

3.1.3 Containment

The ISG, or ISIRT if activated, in conjunction with any additional institutional departments, shall minimize damage caused by the confirmed Information Security Incident, including minimizing financial loss, theft of information, or service disruption. Actions in this stage include:

  • Confine and mitigate the incident to prevent further disruption and/or propagation to other Information Technology Resources.
  • Conduct any additional investigation and/or analysis as needed.
  • Continue to acquire, preserve, secure, and document evidence.
  • If necessary, the CISO will provide information regarding service disruption, and the potential need to activate business continuity plans, to the VPIT/CIO and Brown leadership to assist in communications to users.

3.1.4 Eradication

The ISG, or ISIRT if activated, in conjunction with any additional institutional departments, shall eliminate the threat caused by the Information Security Incident. Actions in this stage include:

  • Identify and mitigate all vulnerabilities that were exploited.
  • Remove malware, inappropriate materials, or other components and return affected Information Technology Resources and systems to a secure posture.
  • If more affected hosts are discovered, repeat the Identification & Analysis and Containment steps as needed.
  • If necessary, the CISO will provide information regarding eradication activities to the VPIT/CIO and Brown leadership to assist in communications with users.

3.1.5 Recovery

The ISG, or ISIRT if activated, in conjunction with any additional institutional departments, shall restore Information Technology Resources and systems quickly and securely. Actions in this stage include:

  • Redeploy securely configured Information Technology Resources to an operational state and confirm that the resources are functioning normally.
  • If necessary, the CISO will provide information regarding service restoration activities to the VPIT/CIO and Brown leadership to assist in communications with users.
  • If necessary, implement additional monitoring to look for future related activity.

3.1.6 After-Action Review

The ISG shall assess the incident response process following a confirmed security incident to identify lessons learned and to better handle future Information Security Incidents. Actions in this stage include:

  • Review any corrective actions put in place during the initial incident response process for continued applicability.
  • Document the incident response process for metrics and internal Brown tracking purposes.
  • Create an After-Action Report; the CISO will determine the appropriate dissemination of the After-Action Report.
  • Document and disseminate any lessons learned. The CISO will determine whether or not an After-Action Meeting is required to discuss how the incident response process worked during the event and any lessons learned, and may require that at least one member representing each ISIRT team attend.

3.2 Severity

The severity of an Information Security Incident is a subjective measure of its impact on or threat to the operation or integrity of the University and its Data or Information Technology Resources. The severity level determines the priority for handling the incident, who manages the incident, and the extent of the institutional response. The ISG, or ISIRT if activated, has significant discretion in classifying the severity of an Information Security Incident. The following factors are considered in determining the severity of an incident:

  • Scope of impact (how many people, departments, or systems does it affect?)
  • Criticality of the Information Technology Resources affected (how important are they to the continuing operation of Brown University?)
  • Type, sensitivity, and quantity of the Data stored on or accessed through the affected Information Technology Resources
  • Probability of propagation (how likely is it that the malware or negative impact will spread or propagate to other systems, especially to other systems off campus?)
  • The potential legal, financial, and reputational impacts of the incident

3.3 Severity Classification

The ISG shall classify Information Security Incidents according to the Severity and Impact chart that is part of the ISIRT handbook.

3.3.1 Critical Impact

An Information Security Incident may be classified as a Critical Impact if one or more of the following conditions are met:

  • It poses a significant and immediate threat to human safety
  • It threatens Level 3 Data as described at Data Risk Classification Levels, or Information Technology Resources that contain Level 3 Data
  • It has the potential for substantial to total disruption to a large number of Information Technology Resources, Data, and/or people (for example, the entire institution is affected)
  • It poses a potentially substantial reputational or financial risk, or legal liability, to Brown University

3.3.2 Moderate Impact

An Information Security Incident may be classified as a Moderate Impact if one or more of the following conditions are met:

  • It threatens Level 2 Data, or Information Technology Resources that contain Level 2 Data
  • It adversely impacts a moderate number of Information Technology Resources, Data, and/or people
  • It poses a potentially moderate reputational or financial risk, or legal liability, to Brown University

3.3.3 Low Impact

An Information Security Incident may be classified as a Low Impact if one or more of the following conditions are met:

  • It threatens Level 1 Data, Information Technology Resources that contain Level 1 Data, or Data that poses little or no risk to individuals and/or the institution
  • It adversely impacts a very small number of Information Technology Resources, Data, and/or people
  • It poses a potentially small reputational or financial risk, or legal liability, to Brown University

3.3.4 No Incident

This classification is used for events that were reported as a suspected Information Security Incident but for which, upon investigation, no evidence of a security incident is found. The No Incident classification is used for events that:

  • Pose no threat to University Data
  • Pose no impact on Information Technology Resources or individuals
  • Pose no reputational or financial risk, or legal liability, to Brown University

3.4 Communications

Communication is an essential part of effective Information Security Incident response and often must occur quickly to reduce confusion and maximize efficiency during the incident response process. Once an Information Security Incident is confirmed, the ISG and/or ISIRT, through the CISO, will coordinate internal communications and information sharing so that the appropriate information is shared in a timely manner with the appropriate parties to respond to the Information Security Incident.

  • At all stages of Information Security Incident response, the CISO will provide information regarding response activities to the VPIT/CIO and Brown University leadership to assist in communications to affected users.
  • Under the guidance of the Office of the General Counsel and the VPIT/CIO, the CISO shall coordinate communication with Brown Public Safety and other law enforcement agencies and governmental authorities as necessary to respond to the incident.
  • All external communications with the media or the public related to any Information Security Incident must follow Brown University policies and be coordinated through the VPIT/CIO, the Office of the General Counsel, and the Office of University Communications.

4.0 Definitions

For the purpose of this policy, the terms below have the following definitions:

Data: Data is any data or information, regardless of electronic or printed form or location, that is created, acquired, processed, transmitted, or stored on behalf of Brown University. This includes Data processed or stored by Brown University in hosted environments in which Brown University does not own or operate the technology infrastructure.

Information Security Incident (also referred to as “incidents” or “incident” within this document): Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of Information Technology Resources or Data; interference with Information Technology Resources; or a violation of the Acceptable Use of Information Technology Resources Policy. An Information Security Incident may include, but is not limited to, any of the following:

  • a breach, attempted breach, or other unauthorized access of an Information Technology Resource originating from within the Brown network or an outside entity
  • exposure of Level 2 or Level 3 Data
  • any disruption or attack impacting Information Technology Resources, or
  • a loss or theft of an Information Technology Resource.

Information Technology Resources: Brown University-owned facilities, technologies, and information resources used for Brown University processing, transfer, storage, and communications. Included, without limitation, in this definition are computer labs, classroom technologies, computing and electronic devices and services, email, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive but rather reflects examples of equipment, supplies, and services. This also includes services that are owned, leased, operated, or provided by Brown University or otherwise connected to Brown resources, such as cloud and Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or any other connected/hosted service.

Information Security Incident Response Team (ISIRT): A group of skilled technology personnel designated to respond to any Brown University Information Security Incident. The ISIRT is led by the CISO. Depending on the nature of the underlying Information Security Incident, other Brown University technology staff members may be asked to participate in the ISIRT.

5.0 Responsibilities

All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. Brown University supervisors and employees with student oversight duties are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure and enforce compliance with it.

Users of Information Technology Resources: All users of Brown University Information Technology Resources are responsible for promptly reporting potential Information Security Incidents.

Chief Information Security Officer (CISO): The CISO is responsible for:

  • Providing leadership in establishing the ISG’s incident response capability and internal procedures.
  • Reviewing the initial report of a suspected Information Security Incident, issuing a preliminary incident severity classification, and directing initial investigation/analysis according to the procedures outlined in this document.
  • Activating the ISIRT where needed.
  • Leading the ISIRT during incident response activities, and serving as the ISIRT’s primary point of contact.
  • Acting as the single point of contact to communicate and coordinate with the VPIT/CIO and other Brown leadership as appropriate during incident response activities.
  • Providing leadership in defining incident tracking and evidence preservation procedures.
  • Providing leadership in establishing a system to regularly report metrics on incident response activities, to include information such as Information Security Incident categories and severity level, a brief description of the Information Security Incident (including the types of Information Technology Resources and Data levels affected by the incident), and a brief statement of the resolution of the Information Security Incident.

Manager of Security Operations: If the CISO is unavailable for incident response activities, the Manager of Security Operations shall fulfill the CISO’s role and responsibilities.

Information Security Incident Response Team (ISIRT): The ISIRT provides technical expertise to centrally manage Information Security Incidents, provide specialized incident response services, and coordinate with external response services. The ISIRT will develop procedures to identify and manage Information Security Incidents. Depending on the nature of the underlying Information Security Incident, other Brown technology staff members may be asked to participate in the ISIRT. Additional responsibilities of the team leaders and members of the ISIRT are specified in the ISIRT charter.

6.0 Consequences for Violating this Policy

Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay or termination of employment or association with Brown University, in accordance with the applicable (e.g., staff, faculty, student) disciplinary procedures; for non-employees, it may result in the suspension or revocation of the third party's relationship with Brown University.

Individuals are also subject to federal, state, and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.

7.0 Related Information

Brown University is a community in which employees are encouraged to share workplace concerns with Brown University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).

The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.

7.1 Related Policies

7.2 Related Procedures

  • ISIRT Handbook (for ISIRT team use only)

7.3 Related Forms

N/A

7.4 Frequently Asked Questions

N/A

Policy Owner and Contact(s)

Policy Owner: Vice President for Information Technology and Chief Information Officer

Policy Approved by: President

Contact Information:

Office of Information Technology Information Security Group Email 401-863-7266
For loss or theft of computing device: Department of Public Safety 401-863-3103

Policy History

Policy Issue Date:

Policy Effective Date:

Policy Update/Review Summary:

N/A