1.0 - Purpose
This document describes the procedures that should be followed by an individual reporting an information security incident. Having an effective incident response is essential in mitigating damage and loss due to an information security incident. Proper handling of such incidents protects the College’s information resources from future unauthorized access, use, or damage.
2.0 – Scope
This procedure covers the College’s information resources, to include all departments and divisions. It is to serve as a reference for any user reporting an incident, including outside sources, when applicable. Reports would be made to the Information Security group (ISG), comprised of the Chief Information Officer, Chief Human Resources Officer, Vice President of Learning and Student Services, or their designated representative, along with other selected members on an ad-hoc basis. For incidents related to the College’s electronic software and/or data, is the responsibility of the College’s Technology Advancement and Support (TAS) division.
3.0 – Procedure
Recognize an incident
An Information Security Incident is a suspected disclosure of personally identifiable information, whether it is in physical or electronic form.
NPC is required to comply with the Gramm-Leach-Bliley Act (GLBA). NPC follows the privacy provisions of the GLBA due to its compliance with the Family Educational Rights and Privacy Act (FERPA). However, the GLBA holds institutions to additional provisions related to administrative, technical, and physical safeguarding of customer information (electronic and physical forms).
The Family Educational Rights and Privacy Act (FERPA) is a comprehensive federal law governing education records ~ 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
An "Information Security Incident" could:
- Be the result of the misuse of confidential information (social security numbers, grades, health records, financial transactions, etc.) of an individual(s).
- Jeopardize the functionality of the College’s Information Technology (IT) infrastructure.
- Provide unauthorized access to College resources or information – both physical or electronic.
Examples of Information Security Incidents include:
- Illegal or unauthorized access to physical records or printed documents
- Illegal access of a College computer system
- Use of College IT resources to illegally access any non-College computer system
- Use of College IT resources to harass or threaten someone
- Suspicion that a computer has been infected with a virus or worm that may lead to data leakage (keystroke logger, password cracker, etc.)
- The loss or theft of a college laptop containing confidential data
Steps in response to an incident
Employees should monitor their data and immediately report any suspected incidents to their direct supervisor, and in the case of technology-related incidents to the Support Center for direction. The NPC Support Center can be reached at (928) 524-7447.
The primary objective the college wants to achieve in response to an incident is to preserve as much of the volatile evidence as possible. Because of this, the ISG wants the individual reporting the incident to do as few things to the affected system or location as possible before the ISG can secure the system or location for analysis.
In response to a computer incident, employees have been instructed as follows:
- Shut down your computer if:
- You believe that data is actively being removed from the system;
- You believe that the system is attacking, or being used to stage attacks on other systems.
- The individual reporting the incident must start the Incident Checklist (linked in this document and also located on the TAS SharePoint page), and send as much of the following information as can be gathered to the Information Security Group (ISG), at infosec@NPC.edu. All of the information may not be easily identifiable, in which case the space may be left blank and the ISG will determine it:
- The name of the detector of the incident, along with methods of contact
- The names and contact information of any other individuals involved with the incident
- The name and IP address of the computer (if applicable)
- The physical location of the incident (filing room, office, or computer system)
- The type of incident that is believed to have occurred:
- Unauthorized access to a physical location
- Removal or illegal access of records (physical or electronic)
- Denial of Service
- Unauthorized Use or Access Compromise of College Data
- Misuse of IT Resources
- Malicious Code (viruses or worms)
- A brief description of how the incident was detected
- The purpose of the system (desktop, lab computer, web server, etc.)
- How critical the data (physical or electronic) is believed to be to College business
- If the location or computer contains "private" data, the type of data it contains (SSNs, credit card information, student grades/addresses, medical information, governmental research data, etc.)
After reporting the incident, the ISG may contact the individual reporting the incident for further information. The ISG (or their designee) will be dispatched to analyze the system or location to determine the extent of the compromise, the potential breach of data, and to clean up the problem.
Examples of Various Incident Scenarios and Actions:
- Illegal access to a file room or student records – End users have been instructed to contact their direct supervisor and will assess what records may have been accessed. ISG will be notified and provide direction. Campus Safety and Facilities personnel may be involved to determine how the room or records were accessed, and to ensure physical security.
- Malware infected computer – End users have been instructed to contact the Support Center to open a ticket. A technician will immediately be dispatched to assess the computer and take necessary steps to clean the computer and determine if there is a possibility the malware could replicate or spread. If determined, the computer will be isolated from the network and cleansed. A network/system scan using PDQ Deploy can determine if the malware is installed on any other network computer.
- Crypto Locker: End users have been instructed to turn off the computer and contact the Support Center. A technician will immediately be dispatched to physically remove the computer from the network, and bring it back to the shop. The technician will then power up the computer “off network” to determine the extent of data loss. At that point, the ISG and Department Head will be notified to decide whether to pay the ransom, if data retrieval is vital to the college. If there is a possibility it could replicate or spread, a network scan using PDQ deploy will be attempted to determine if the Crypto-ware is installed on any other network computer. If identified on other computers, technicians will be dispatched immediately. If the infection is widespread, TAS could be forced to shut down central servers to protect them until remediation can occur.
Suspected compromised account: End users have been instructed/trained to change their password immediately and notify TAS. A technician and/or ISG will follow up to learn why the end user suspects their account is compromised. If deemed that the account may have been compromised for some time, an evaluation of user activity will be conducted, checking login/logoff reports to ensure that no systems or data containing personal identifiable information was accessed and/or removed.