Boise State University Information Technology Incident Response Policy
The purpose of this policy is to define general requirements for responding to an information security incident.
I. Policy Statement
The IT Incident Response Policy and subordinate procedures define standard methods for identifying, containing, eradicating and documenting response to computer-based information security incidents. Information Security incidents occurring on the University network or attached devices will be managed centrally by the University Information Security Officer (ISO) and will include other campus resources as determined by the ISO. Centralized notification and control of security incident investigation is necessary to ensure that immediate attention and appropriate resources are used to respond to events that could potentially disrupt the operation of the University or compromise University data.
An incident is defined an as adverse event in an information systems and/or network device or the threat of the occurrence of such an event. Events may be characterized as unauthorized use of another’s user account, unauthorized use of system privileges, or execution of malicious code. Events characterized as environmental (such as natural disasters, electrical outages, heat damage) are not within the scope of this policy. The most identifiable types of event are:
Malicious code attacks-Attacks by programs such as viruses, Trojan Horse programs, worms, and scripts to gain privileges, capture passwords, and/or modify audit log to hide unauthorized activity.
Unauthorized access-Includes unauthorized users logging into a legitimate account, unauthorized access to files and directories, or operation of “sniffer” devices.
Disruption of services-Includes erasing of programs or data, mail spamming, denial of service attacks, or altering system functionality.
Misuse-Involves the use of computer resources for purposes other than those defined in the Information Technology Resource Use policy (BSU 6460-C).
Espionage-Stealing information to subvert the interests of a corporation or government entity.
Hoaxes-Generally an email warning of a non-existent virus.
Campus-wide Outage – A campus-wide outage is a fault, event, or other unforeseen issue causing failures to all or large portions of the campus communication and computing infrastructure, services, and devices or key communication and computing resources such as a DNS failure or a loss of campus Internet access.
B. Incident Severity
Incidents will be classified by the ISO based on the perceived impact on University resources:
Critical—Severe risk to the University network and/or external systems over the internet. May be characterized by widespread risk of compromise of multiple systems or high risk of compromising sensitive information. Criteria for determining if an incident is critical include but are not limited to: health and safety of personnel, legal issues, possible harm to the University’s reputation, a campus-wide outage.
Medium—Medium risk to the University network and low risk to external systems over the internet. May be characterized by risk of compromising more than one system, no risk to sensitive data, or isolation to a single system.
Low—Low risk to the University network and no risk to external systems over the internet. May be characterized by compromise of a system that does not host or process critical/sensitive information, does not pose a risk to other systems or types of devices.
C. Computer Security Incident Response Team (CSIRT)
The ISO with the advice and assistance of college and departmental IT representatives will have the capability to establish a CSIRT to respond to security incidents.
D. Incident Reporting
Any individual or organization internal or external to Boise State can notify the ISO of an activity or concern.
This policy applies to all Boise State employees, contractors, vendors and agents.
All users of Boise State IT resources are responsible for compliance with this policy.
A. Incident Response Procedure: The ISO maintains internal procedures for Incident logging, tracking, and reporting. The current Information Technology Incident Response Procedure is available.
B. Non-Compliance with this Policy: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
*Adapted with permission from Georgia State University and Yale University.