Boise State University Cyber Incident Response Plan
Updated June 2017
This plan strives to clarify responsibilities and actions required to respond, report and review major cybersecurity events at Boise State University.
Roles and Responsibilities
The Cyber Incident Response Team (CIRT) will consist of the Chief Information Security Officer as the (CRO), Deputy CIO, Cybersecurity Technical Staff (CTS), Communications staff and General Council staff as required. These positions may be supplemented by other OIT staff as warranted.
Cyber Response Officer (CRO): Person who is accountable for the organization’s cybersecurity operations with the following incident responsibilities:
- Serving as the primary point of contact, both internal and external to the University, for significant cyber incidents
- Overseeing the entire cybersecurity incident response process
- Managing the overall response activities for all cyber incidents
- Decision-making regarding which courses of action will be taken
- Notifying and briefing the CIO and management as appropriate
- Accessing the situation and assisting in incident resolution
- Providing options and recommendations to management on how to respond
- Coordinating activities and communicating within the CIRT
- Developing and maintaining documentation relating to the incident
Deputy CIO: Person responsible for technology operations and resource allocation with the following incident responsibilities:
- Collaborate with the CRO for additional resource allocation as required
- Assisting the CRO in gathering information if required
- Collaborate with the CRO in decision-making when operations is impacted
- Providing support or backup for the CRO when needed
Cybersecurity Technical Staff (CTS): Lead Investigator, Network and Security staff and other members of the OIT organization with the following incident responsibilities:
- Initial assessment of incidents and providing resolution recommendations to the CRO
- Assisting the CRO in gathering information
- Helping the CRO in response and remediation
- Providing other technical support to the CRO as needed
Customer Care Staff: Help Desk and other members with the following incident responsibilities:
- Escalating reported incidents to Network and Security team for analysis
- Assisting CRO or designate with gathering information
- Providing other support to the CRO as needed
Communication Staff: OIT Communications members with the following incident responsibilities:
- Preparing internal and external updates or releases at the request of the CIO and executives
- Determining when it is appropriate to share information outside the organization
Legal Contact: General Council or designate with the following incident responsibilities:
- Provides advice as appropriate
Cyber Incident Response Team (CIRT): at a minimum will consist of the following:
- Cyber Response Officer
- Deputy CIO
- Cybersecurity Technical Staff
- Note – Customer Care, OIT Communications and General Council staff members will be optional as determined by the CRO. (CTS positions may be supplemented by other OIT staff as warranted by the CRO and Deputy CIO.)
Overview: Incident Handling
Below are five elements for successful incident handling and the individuals responsible for taking the action. Multiple individuals or teams will be involved in performing the following:
- Identify the problem (Customer Care and/or Users)
- Assess if this a security incident (CTS and CRO)
- Respond to the incident (CRO and CTS)
- Report in accordance with the incident response plan (CRO and CTS)
- Review the overall effectiveness of the response procedures (CIRT)
The Cyber Incident Response Plan will be activated by the CRO when a cyber security incident significantly threatens or harms the Confidentiality, Integrity or Availability of Boise State University’s information resources and/or its users.
Possible causes of significant cyber incidents include the following:
- Attempts to gain unauthorized access to a system or its data
- Unwanted disruption or denial of service (DoS or DDoS)
- Unauthorized access to critical computers, servers, routers, firewalls, etc.
- Changes to system hardware or software without approval
- Virus or worm infection, spyware, malware
The next step is to determine if the anomalous activity is an actual security incident. The Senior Network Security Engineer (Lead Investigator) along with the CRO will assess the situation. Other members of the CTS may be called to assist in the initial assessment.
Questions the initial assessment needs to address include:
- What are the symptoms?
- What may be the cause?
- What is being impacted?
- How widespread is it?
- What part of the system or network is impacted?
- Could this impact our business partners?
The CRO or designee will document all relevant incident information. The following types of information should be documented:
- Characteristics of incident
- Date and time incident was detected
- List of symptoms noticed
- Scope of impact
- How widespread
- Number of users impacted
- Number of machines affected
- Nature of incident
- Denial of Service
- Malicious code
- Unauthorized access
Once it is determined that Boise State has a significant cyber incident, the process for responding has several steps and may involve several people. The Cyber Incident Response Plan including the CIRT will be activated by the CRO (upon approval or delegated authority of the CIO). The CTS will respond under the direction of the CRO. It is important to be familiar with these procedures.
- Briefing of Executives
The CRO will notify the CIO and Deputy CIO when the Cyber Incident Response Plan has been activated. The CIO (or CRO if CIO is unavailable) will notify and brief executives of the incident and the Communications and Legal staff may be activated for the CIRT. Briefing is a critical step in response, providing management with an assessment of the situation to help determine the necessary courses of action. As more information becomes available throughout the response process, additional briefings should take place that will help management determine if it is necessary to take additional steps, such as bringing in more resources, sharing information or involving law enforcement.
- Initial Response
It is important to determine the origin of the incident, where possible, identify what systems have been compromised and what data may have been accessed. This information will help determine the necessary course of action. The first step the CTS should take is to isolate the problem, which may mean disconnecting the equipment from the network or if no network exists, the Internet. Additionally, the CIRT should examine the equipment and check the appropriate logs, such as the firewall and system logs for signs of unauthorized access. Performing a vulnerability scan is helpful to identify vulnerabilities that may have led to the incident. It may be necessary to bring in an outside expert to provide assistance.
If the incident warrants potential legal action or notifications, it is essential to preserve the evidence in the its original form if possible. Detailed logs of all actions will be kept to accurately document information for the investigation. General Council may provide advice and assist with contacting law enforcement, if necessary. Proper industry investigative and forensics procedures for collecting evidence will be implemented by the CIRT.
The CRO will register the incident with the State Office of the Chief Information Officer in case State cybersecurity insurance resources are required at any point for remediation. The State Department of Administration Risk Management and Boise State Risk Management may also be contacted by the CRO depending on the severity of the incident.
Once the cause is determined, the CTS is responsible for appropriate remediation and restoration. The CRO will regularly update the CIO on incident mitigation progress.
Basic recovery steps may include the following:
- Remove vulnerabilities and install or update routers or firewalls to prevent future unauthorized access.
- Reinstall clean versions of the operating system.
- Install vendor security patches.
- Change all passwords.
- Conduct a vulnerability scan of the compromised machine/system before reconnecting to the network
- Reconnect to the network.
- Monitor the system closely.
- Document recovery procedures to submit to the CRO or designate for logging.
The CRO or designee compiles the logs of actions taken. The report should include the following:
- Dates and times when incident was detected
- List of symptoms
- Scope of impact
- Step-by-step actions
A final Cyber Incident report will be provided to the CIO who will brief University executives at his/her discretion.
Once the incident has been handled, a debriefing will help management examine the effectiveness of the response procedures and determine any necessary procedure or policy changes. Review helps to identify strengths and weaknesses in the response plan. The CIRT should analyze the incident for lessons learned.
Discussion should include:
- Was the problem discovered in proper fashion?
- Was the response appropriate?
- Was enough information obtained?
- Did the steps go well?
- How was the organization affected?
- Is the organization still vulnerable?
Based on the incident review, the CIRT may make recommendations for future improvements, including information sharing, amending policies, procedures or plans as appropriate. The CIO will determine what incident information will be shared and with whom.
Training and Awareness
The CRO is responsible for managing the cyber incident response plan. This individual will work with management to ensure all users are trained in their response role. Response drills will be conducted at least annually to test incident response readiness
Cyber Incident Response Team (CIRT):
|Cyber Response Officer (CRO)||Doug Ooley
|Deputy CIO (Backup CRO)||Brian Bolt
|Cyber Technical Staff (CTS)||Eric Kollmann (Lead Investigator)
|Optional CTS:||Tory Jamison or designee
John Muir or designee
Other OIT technical staff as required
|Optional CIRT Members:||Customer Care – Mark Fitzgerald or designee
OIT Communications – Shad Jessen or designee
General Council – Matt Wilde or designee
Computer Science Department – Subject Matter Experts