Incident response overview for cyber and disasters

Document purpose

This document outlines Boise State University’s approach to responding to information security incidents, including roles and responsibilities, incident response processes, related policies, and reporting requirements. It provides guidance for assessing incident scope and risk, coordinating appropriate responses, communicating with stakeholders, and reducing the likelihood of recurrence.

This protocol is intended as guidance rather than policy, recognizing that the diverse and evolving nature of university incidents may require flexibility to ensure an effective response.

Scope

This plan applies to all Boise State University information systems, institutional data, and networks, as well as any person or device accessing them.

The Chief Information Security Officer acts on behalf of the university community and may request cooperation from community members during incident investigations. The CISO will also collaborate as needed with other university offices, including General Counsel, Human Resources, and Public Safety.

Definitions

  • Event: An event is any deviation from normal IT operations, systems, or services. Events may be identified through automated monitoring, reports to the CISO, Compliance/Privacy, or other university offices, or during routine system reviews, including system degradation or outages. Not all events rise to the level of an incident.
  • Incident: An incident is an event that, as determined by CISO staff, violates the Acceptable Use Policy, Access Control Policy, Confidential Data Policy, or other university policies, standards, or the Code of Conduct, or that threatens the confidentiality, integrity, or availability of information systems or institutional data.
  • Regulated Data Classification: Incidents involving regulated data may be subject to additional reporting obligations and regulatory requirements.

Roles and responsibilities

The Incident Response Team will consist of:

  • IRP Director – has overall management responsibility for the IRP. This can be either the DCIO or the CISO. The first to respond will be the director, unless otherwise agreed upon to switch roles or as appointed by the CIO. The other acts as backup and is ready to rotate if the incident takes multiple days.
  • IRP Coordinator – is responsible for overseeing assessment, recovery and reconstitution progress, initiating any needed escalations or awareness communications, and establishing coordination with other assessment, recovery and reconstitution teams as appropriate.
  • IRP Team – Technical staff responsible for deploying recovery and reconstitution efforts as outlined by the IRP Coordinator.
  • IRP Communications Lead – Receives direction from the Director to provide and direct communications content to Campus Operations Emergency Management (OEM) and the Office of Communications and Marketing (OCM).
  • Mission Critical System Owner – is responsible for assisting in mission critical system recovery and reconstitution efforts as requested by the IRP Coordinator.
  • Endpoint Services – is responsible for managing the response to, and triage of, customer inquiries and client-side incidents.
  • Legal Contact – General Counsel or designate, with responsibility for providing advice as appropriate.

At a minimum, the team will consist of a Response Officer, a Response Coordinator and at least one Technical Staff member. Customer Care, OIT Communications and General Counsel staff members will be optional as determined by the Director. Team positions may be supplemented by other OIT staff as warranted by the Director.

Incident handling

Below are six elements for successful incident handling and the individuals responsible for taking the action. Multiple individuals or teams will be involved in performing the following:

  • Preparation: Inventorying assets, assessing risks, training staff, establishing the incident response team, and developing policies
  • Identification (Detection): Detecting incidents, analyzing alerts, determining severity, and logging all details
  • Containment: Limiting the spread of the incident (e.g. isolating systems)
  • Eradication: Removing the root cause of the threat (e.g. malware, unauthorized access)
  • Recovery: Restoring systems to normal operations, ensuring data integrity
  • Lessons Learned (Post-Incident): Reviewing the response, identifying gaps, and updating the plan

Incident response team

Team roles and the personnel who fill them:

  • Response Director: Deputy CIO; Chief Information Security Officer
  • Response Coordinator: Executive Director, Cloud Services and Infrastructure; Deputy CISO
  • Team: OIT Staff as required
  • Optional Team Members: Assistant Director, Endpoint Services or designee; Director of OIT Communications or designee; General Counsel or designee

Updates

Created: January 2016

Last update: February 2026

Next review: February 2027