
Incident Response Planning: Education Partnerships and Solutions
Incident Response Planning
Information Security Office, February 2019
Education Partnerships - Solutions
Purpose for Training
Establish common goals and terminology related to Incident Response Planning.
Understand the role of all IT professionals in support of Incident Response Planning.
Create a collaborative environment so the cost and disruption of incidents can be minimized for the benefit of all UT Dallas stakeholders.
Intended Audience
This training is designed for all IT professionals, including software developers, within the UT Dallas community who access, install, support, troubleshoot, or otherwise manage UT Dallas Information Systems and/or University Data.
Scope of Plan
The ISO develops and maintains the formal Incident Response Plan. The plan describes the process to recover from an Adverse Security Event or Security Incident.
Per the Information Security and Acceptable Use Policy (UTDBP3096), the plan applies to all UT Dallas Information Systems and all University Data, regardless of where the data is located.
Unique and unforeseen circumstances may result in deviations from the plan; such conditions may be leveraged to improve future versions of the plan.
Key Terms and Definitions
Adverse Security Event: An anomalous security event (or set of events) that may have negative consequences and requires further investigation.
Security Event: Any log entry, alert, or other atomic data related to University Data or University Information Systems relevant to security.
User: Any individual granted access to UT Dallas Information Systems, including guests and contractors.
UT Dallas Information Systems: All computer and telecommunications equipment, software, data, and media, owned or controlled by UT Dallas or maintained on its behalf.
Key Terms and Definitions, Continued
Security Incident: An Adverse Security Event which has been confirmed to be a violation of University policy, or otherwise threatens the information systems maintained by the University, and has a significant potential to lead to any of the following:
o Inappropriate access to confidential data
o Loss of intellectual property or monetary funds
o Negative impact to the University's reputation
o Other criteria as specified within incident response procedures
When Confidential Data is potentially at risk, including data governed by FERPA / HIPAA / PCI DSS, Adverse Security Events must be treated as Security Incidents.
Key Terms and Definitions, Continued
University Data: This Policy uses the term University Data to refer to data for which UT Dallas has a responsibility for ensuring appropriate information security, or for which it would be liable in the event of data exposure, as defined by applicable law, UT System policy, regulations, or contractual agreements. University Data may include information held on behalf of UT Dallas or created as a result of and/or in support of UT Dallas business (e.g. financial records, personnel records, officially maintained student records, and/or records of official UT Dallas committees), including paper records. This definition does not imply, address, or change intellectual property ownership.
Incident Response Service Levels

Adverse Security Event
Severity: Investigation of an Adverse Security Event should begin as soon as practical with regard to other priorities and investigations. If possible, investigation should begin within 24 hours of becoming aware of the event.
Effort: Team involvement will usually involve a single analyst.
Communication: The analyst is expected to relay information about this incident to affected parties, either directly or through the University issue tracker. No escalation to management is required.

Security Incident
Severity: Investigation of a Security Incident should begin within one hour of an analyst learning of the incident.
Effort: Team involvement will include the formation of an incident response team.
Communication: The team lead or designated analyst is expected to directly communicate with affected parties or external departments. This is especially true of the owners whose business processes are interrupted by containment procedures. The incident should be escalated to an ISO manager. The CISO and GRC team within the ISO will also be notified when the incident involves Confidential Data.
Strategies and Goals
Consistency: The ISO responds to incidents in a consistent manner by documenting both a high level plan and any related procedures.
Communication: The ISO communicates and coordinates with all relevant parties during the incident response process. Information is both collected from, and disseminated to, these parties to ensure both security and business needs are met.
Comprehension: The ISO conducts root cause analysis and uses the resulting data to make enterprise security improvements.
Phases of Incident Response
Preparation: Understand UT Dallas Information Systems and University Data to assess their potential risk of compromise. Adequate defenses and monitoring tools should be implemented. Practice exercises should be performed.
Response: This phase begins upon incident detection. During response, incident analysis is conducted, resulting in both containment and eradication of the incident. Ensure proper recovery of services.
Review: Initiated by having incident responders and other key personnel meet (sometimes involving personnel outside of the ISO). Identify both the successful and problematic parts of the incident response process. Learn how to improve for the future.
Key Players
Information Security Office
Office of Information Technology
Distributed IT groups across campus
University Attorney
University Police Department
Office of Institutional Compliance
Office of Audit and Consulting Services
Office of Budget and Finance
Office of Communications
University President
UT System Administration
State of Texas Department of Information Resources
Incidents That Should Be Reported To ISO:
Hacking: All attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, and denial of service attacks.
Misuse: Use of entrusted organization resources or privileges for any purpose or in any manner contrary to that which was intended. Includes administrative abuse, policy violations, and use of non-approved assets. May have malicious or non-malicious intent.
Social Engineering: Deception, manipulation, or intimidation designed to exploit humans and therefore the information assets to which they have access. Includes pretexting, phishing, blackmail, threats, and scams.
Physical: Deliberate threats that involve proximity, possession, or force. Includes theft, tampering, snooping, sabotage, local device access, and assault.
Error: Anything done (or left undone) incorrectly or inadvertently. Includes omissions, misconfigurations, programming errors, trips and spills, malfunctions, incorrectly addressed communications, and incorrect attachments to emails.
Incidents That Do Not Need To Be Reported To ISO:
Malware Removed by Automation: Malware is any malicious software, script, or code run on a device that alters its state or function without the owner's informed consent. Examples include viruses, worms, spyware, keyloggers, and backdoors. Thanks to the deployment of automated scanning and recovery tools, automatic resolution of malware does not need to be shared with the ISO each time it is resolved.
Malware Removed Manually: In the event that an IT professional needed to visit a machine one or more times to resolve malware, this is considered routine operations and does not need to be shared with the ISO each time malware is resolved.
Environmental: Natural disruptive events, including disruptions to power, water, and environmental systems, are disruptive to the Availability objective of the information security profession. However, at UT Dallas these incidents are primarily serviced by Environmental Health & Safety, the Police Department, Facilities, and various other specialists on campus. Therefore, they are considered routine operations and do not need to be shared with the ISO each time they occur.
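The classification, reporting and service-level rules from the preceding slides (Security Incident definition, the Confidential Data rule, the service levels, and the report / do-not-report categories) combined into one triage helper. This is an added example written for this page, not the ISO's own tooling; the category names and the two boolean flags on Event are assumptions chosen to mirror the slide text.

```python
from dataclasses import dataclass
from typing import List, Optional

# Categories the slides say must be reported to the ISO ...
REPORT_TO_ISO = {"hacking", "misuse", "social_engineering", "physical", "error"}
# ... and those the slides treat as routine operations (no ISO report needed).
ROUTINE = {"malware_auto_removed", "malware_manual_removed", "environmental"}


@dataclass
class Event:
    """Minimal description of an observed event (field names are assumptions)."""
    category: str
    confirmed_violation: bool = False       # confirmed policy violation / threat to systems
    confidential_data_at_risk: bool = False  # e.g. FERPA / HIPAA / PCI DSS data involved


@dataclass
class Triage:
    report_to_iso: bool
    classification: str                 # "routine operations", "Adverse Security Event", "Security Incident"
    investigate_within_hours: Optional[int]  # 24 for ASE, 1 for Security Incident, None for routine
    team: str
    escalate_to: List[str]


def triage(ev: Event) -> Triage:
    """Apply the slides' rules to decide reporting, classification, SLA and escalation."""
    if ev.category in ROUTINE:
        return Triage(False, "routine operations", None, "local IT", [])
    if ev.category not in REPORT_TO_ISO:
        raise ValueError(f"unknown category: {ev.category}")
    # A confirmed violation is a Security Incident; so is any Adverse Security Event
    # where Confidential Data is potentially at risk.
    if ev.confirmed_violation or ev.confidential_data_at_risk:
        escalate = ["ISO manager"]
        if ev.confidential_data_at_risk:
            escalate += ["CISO", "GRC team"]   # notified when Confidential Data is involved
        return Triage(True, "Security Incident", 1, "incident response team", escalate)
    # Otherwise: Adverse Security Event, single analyst, no management escalation.
    return Triage(True, "Adverse Security Event", 24, "single analyst", [])


if __name__ == "__main__":
    # Constructed sample events for illustration.
    for ev in (Event("hacking"), Event("social_engineering", confidential_data_at_risk=True),
               Event("malware_auto_removed")):
        print(ev.category, "->", triage(ev))
```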
Contact Information
Questions or concerns? Feel free to contact our office for more information!
issupport@utdallas.edu
972-883-6810