Abstract:  JSU must ensure a quick, effective, and orderly response to Cyber Security Incidents and establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents. Policy Number: 50000.022 Effective Date: 5/20/2020 Review/Revised Date: 4/20/2023 Category: Information Technology Policy Owner: CIO/Information Technology Policy Contact: CISO/Information Technology

Policy Statement

The purpose of this policy is to ensure a quick, effective, and orderly response to Security Incidents. It defines what is considered a cyber-event and what is considered a cyber-incident, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents.

 

Definitions

• • Cyber Event– An event is an occurrence not yet assessed that may affect the performance of JSU’s information system and/or network. Examples of events include an unplanned system reboot, a system crash, and packet flooding within a network.
  • Cyber Incident– An incident is an assessed occurrence having potential or actual adverse effects on JSU’s critical information systems. A cyber incident is an incident or series of incidents that violate the security policy. Security incidents may include but are not limited to the following general categories of adverse events:

 

• • • Data Breach:  Public exposure of student records or Personally Identifiable Information
    • Data Compromise and Data Spills: Exposure of information to a person not authorized to access that information either through clearance level or formal authorization
    • Data Destruction or Corruption: Changing permissions on files so that they are writable by non-privileged users, deleting data files and or programs
    • Malicious Code: Computer viruses, worms, Trojan horses, logic bombs, spyware, adware, and backdoor programs
    • Malicious Attacks: DDOS, SQL Injections Attack, Ransomware
    • Privileged User Misuse: A trusted JSU employee attempts to damage the system or compromise the information it contains
    • System Contamination: Placing PII data into a system not approved for the subject data
    • Website Incident: Website defacement, insertion of potentially hazardous content, images, malicious code, or even deletion

Employee Adherence

This policy applies to all JSU employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties who using JSU’s information systems and services.

 

Policy

General Cyber Incident Response Policy

• • • Security Events should be reported through appropriate management channels as quickly as possible.
    • All personnel and contractors using JSU’s information systems and services are required to note and report any observed or suspected Security Weakness or Vulnerability in JSU systems or services.
    • Management roles and responsibilities and procedures should be established to ensure a quick, effective, and orderly response to cyber events and incidents. Roles are assigned in the table below:
    • JSU’s Cyber Security Incident Response Team (CSIRT) lead by its designated cybersecurity officer or appropriate cyber security personnel detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
    • JSU’s CSIRT may coordinate its’ Cyber Incident Response efforts with external parties when necessary and when existing agreements place responsibility for incident investigations on the external party.
    • When conducting cyber security incident investigations, the JSU CSIRT is authorized to monitor relevant JSU IT resources and retrieve communications and other relevant records of specific users of JSU IT resources, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy.

 

Cyber Incident Response Process

In order to quickly and efficiently address a cyber-incident (listed in Table 1), the JSU’s Cyber Security Incident Response Team will manage each incident using the following incident management phases as outlined by NIST and SANS Institute’s incident management best practices:

 

Process Actions	Responsibilities
Preparation	compile a list or take inventory of all JSU assets, including but not limited to: servers, networks, applications, and critical endpoints and  Create a communication plan
Detection & Analysis	Monitor Traffic patterns for abnormalities configure security tool/IDS,IPS to identify abnormalities and send alerts
Containment	System administrators, Director and Management Team Computing & Communications, Network Administrators, Email Administrator
Eradication	Changing permissions on files so that they are writable by non-privileged users, deleting data files and or programs
Recovery	Computer viruses, worms, Trojan horses, logic bombs, spyware, adware, and backdoor programs

 

Preparation Phase Actions

• • To prepare for cyber incidents JSU’s CISO, Cyber Security Officer or a qualified designated employee will ensure that members of the CSIRT are trained regarding their incident response roles and responsibilities in the event of data breach as mentioned in the JSU Incident Response Policy on an annual basis at minimum.
  • Incident response drill scenarios and/or mock data breaches in table top exercises or other formats where appropriate will be used to evaluate the incident response plan and the employee’s knowledge of addressing cyber incidents on an annual basis at minimum.

 

Detection & Analysis Phase

• JSU’s CISO, Cyber Security Officer or a qualified employee on the JSU CSIRT will review available logs, emails, error messages etc… to determine if an incident has occurred. If the CISO, Cyber Security officer or other members of the JSU CSIRT team has determined or suspects that an incident has occurred the first point(s)of contact listed in Table 1 will be JSU’s CIO and CTO. The CIO and/or CTO will then notify and communicate details of the incident with the appropriate internal and external parties or stakeholders (ex. JSU’s President, Media Outlets, Law Enforcement).
• JSU’s CISO, Cyber Security Officer and/or members of the JSU CSIRT shall not communicate information regarding data breaches, or any other cyber incident with any internal or external parties (ex. Media platforms, Third Party Vendors) that are not key persons for assisting with eradicating, identifying, investigating an incident.
• JSU’s CISO, Cyber Security Officer and/or members of the JSU CSIRT shall capture and preserve evidence as soon as possible to be used for detection and investigation before proceeding with the containment process and eradication phase.
• JSU’s CISO, Cyber Security Officer and/or members of the JSU CSIRT shall take the appropriate actions as soon as possible. The JSU CSIRT may use some of the following actions as a starting point for containment remediation:
  • • Disable or remove compromised account access.
    • Block malicious IP addresses or networks.
    • Remove critical or compromised systems from the network.
    • Contact providers for assistance (g., internet service providers, SaaS vendors)
    • Whitelist network connections for critical servers and services.
    • Kill or disable processes or services.
    • Block or remove access for external vendors and partners, especially privileged access.

 

Table 1: Point of Contact for JSU Cyber Incidents

Eradication Phase

• JSU’s CISO, Cyber Security Officer and/or members of the JSU CSIRT shall take appropriate necessary actions in a timely manner, depending on the severity and type of incidents, to remove or eradicate threats to the University’s assets and systems, ideally while minimizing data loss.
• Eradication efforts may be performed by the JSU CSIRT, CISO, and Cyber Security Officer when possible or authorized arrangements with a cleared third party vendor(s) may be made for removing the threat and restoring affected systems to their previous state. The JSU CSIRT may use some of the following actions as a starting point for its eradication efforts:
  • • Rebuild or restore compromised systems and data to known-good state.
    • Reset account passwords.
    • Remove hostile accounts or credentials.
    • Delete or remove specific malware (May Use Third Party Vendor).
    • Activate and migrate to alternate locations, services, or servers.

 

Recovery Phase

• JSU’s CISO, Cyber Security Officer or a qualified designated employee of the CSIRT shall conduct testing, monitoring, and validating of the infected systems, applications, etc. while putting them back into production in order to verify that they are not re-infected or compromised.

 

Lessons Learned

• • JSU’s CISO, Cyber Security Officer or a qualified designated employee or members of the CSIRT will use lessons learned as documented in incident report forms to continue to update the necessary policies, to educate and to improve future incident response efforts.

 

Policy Compliance

• Any JSU employee found to have violated this policy may be subject to disciplinary action, up to and including revocation of access privileges, or termination of employment. In addition to University discipline, users may be subject to criminal prosecution under federal, state or local laws; civil liability; or both for unlawful use of any IT System. 

Related Standards, Policies, and Processes

• Password Policy 50000.016
• Information Security Incident Response Plan (IRP) Policy 50000.013