This is incident response plan for Minnesota State Colleges and Universities
Top of Form
Bottom of Form
Guideline 220.127.116.11 Information Security Incident Response
Part 1. Purpose: This guideline establishes the minimum requirements for Information Security Incident Response within Minnesota State Colleges and Universities (System). Information Security Incident Response controls and minimizes the impact of an information security incident by establishing a process to report and address the incident
Part 2. Applicability. This guideline applies to all system information resources, and to all uses of those resources. This guideline establishes minimum requirements for incident response. Institutions may adopt additional requirements, consistent with this guideline and board policy 5.23.
Part 3. Guidelines.
Subpar t A. Each system college, university and the system office shall adopt an Incident Response Plan addressing the requirements set out in this guideline. Incident Response Plans shall include reasonable and appropriate methods to control and remediate information security incidents affecting critical information technology resources that are controlled by an institution..
Subpart B. Information Security Incident Definition. An information security incident for the purposes of this guideline means a situation that presents a significant or imminent threat to the security of system information technology resources or information resources; it includes, but is not limited to the following:
1. Unauthorized access or compromise of information resources or information technology resources with perceived malicious intent;
2. A significant threat or actual loss of not-public data via information technology resources;
3. A reasonable basis to believe that system information technology resources are being used for criminal activity.
Subpart C. Plan Components. The Incident Response Plan should include appropriate procedures to address the issues outlined below for security incidents.
1. Detection and Reporting. The method(s) of detecting and reporting an incident should be identified, as well as the path of information flows.
2. Initial Classification and Notification. Each incident should be evaluated to ensure it is handled with the appropriate urgency, and the correct individuals are notified for the type of incident being investigated. External processes may be initiated when necessary.
3. Containment. Initial steps to immediately stop the spread of the incident.
4. Eradication. Steps taken to remove the cause of the incident.
5. Recovery. Steps taken to return the computer systems to a full production mode.
6. Incident Closure. Complete all documentation and review the incident to determine how the systems, processes, or incident response plan could be improved to prevent recurrence in the future, or decrease recovery time.
Subpart D. Team Composition. Incident response teams should be prepared for a variety of security incidents, and include members who can provide expert advice for potential needs. Team members will be activated as necessary depending on the nature of the incident, and external resources may be used to fulfill some roles. The resources outlined below must be identified in the plan.
1. Incident Handler. The individual, versed in the applicable Incident Response Plan, who is designated as responsible for implementing the plan, activating team members as necessary, coordinating communications, and keeping administration informed of developments as necessary and appropriate.
2. Technical Contacts. Individuals familiar with the applicable computing environment, and who have the knowledge and access necessary to make any required changes to the systems or network.
3. Office of the General Counsel. Per the Breach Notification