Information Technology Incident Response and Testing Plan

Definition

An Information technology (IT) incident is an event(s) which threaten the integrity, confidentiality, and/or availability of College systems, networks, and/or data. It includes, but is not limited to:

• Loss, suspected loss, or disclosure of data through technical or behavioral means (hacking, malware, phishing, inadvertent unauthorized disclosure over the phone or in person, etc.);
• Technological attacks against College networks or systems including unauthorized scanning, snooping, etc.;
• Any suspected virus or malware infection;
• Theft or misplacement of any College-owned computing device and/or personal device used to access or store College data;
• Misuse of College-owned systems or networks in violation of other policies, including the Acceptable Use of Academic Technologies and Information Technologies Resources policy;
• Events that threaten the performance and/or availability of College resources.

Response

In the event of an IT incident, priorities will be as follows:

• Protect human safety
• Protect College resources
• Contain damage/prevent further loss
• Preserve evidence
• Rectify damage
• Restore services

For CCS Community members

Upon detection of (or suspicion of) an IT incident, do the following:

• Immediately contact the ITS Helpdesk (https://helpdesk.collegeforcreativestudies.edu, 313-664-7818) as well as the immediate supervisor or other available person in chain of authority.
• Communicate as clearly as possible details including name, contact information, what you suspect is happening, type of device, location, IP Address, and any information or data you suspect was lost/compromised.
• Do not turn off or unplug any device unless human safety dictates otherwise or you’re instructed to do so by response personnel.
• If you reasonably suspect loss of data is ongoing, you may unplug the device’s network connection if applicable, but be sure to communicate this when notifying response personnel.
• Do not communicate with anyone about the incident other than response personnel, your supervisor as appropriate, or members of the College’s Privacy and Security Committee without authorization.
• Communication with the media is restricted to the College’s Marketing and Public Relations staff, executive leadership, and legal counsel. Refer any/all media inquiries to: Megan Mesack, Executive Director of Marketing and Communications at 313-664-7666.

Technical Staff

Technical staff shall respond with the following priorities and requirements:

• Document/log all actions taken and decision making process at each step from notification to resolution.
• Secure physical location of any breach to avoid further loss.
• Assess the immediate situation. If ongoing loss is not suspected, the priority is to preserve evidence. Do not turn off devices, reboot, remove media, etc. If ongoing loss is suspected, do the minimal possible to stop it (e.g. disconnect network connection vs. turn device off).
• Notify ITS Director and/or Assistant Director if not already done.
• Assess need for forensic evidence (logs, packet traces, etc.).
• Collect and store any forensic evidence needed.
• Regain control of any compromised system.
• Analyze the event – how did it happen, what could be lost, what else could be compromised, etc. Estimate time/steps to recovery.
• Correct any vulnerabilities that may have allowed the incident to happen or progress.
• Remediate the system(s) as necessary and prepare to return to service.
• Verify system integrity and restore services if safe to do so.
• ITS Director and/or Assistant Director will notify the members of the Privacy and Security Committee describing the nature of the incident and response. Notification may also include other executive leadership and legal counsel as the situation warrants.
• A written incident and response report will be prepared and submitted to the Privacy and Security Committee as soon as possible after the incident but within 10 days of resolution.

Public and/or Individual Notification of Breach

In the event of a data breach, executive management will consult with legal counsel as necessary to determine the type, nature, and scope of public or individual notification. Such notification will be performed via authorized personnel or legal representatives only, and will be in accordance with applicable legal and regulatory standards.

Security Monitoring and Incident Prevention

The College will test for and work to prevent IT incidents by various means including but not limited to:

• Active scanning of any connected systems;
• Passive scanning of network traffic;
• Network monitoring;
• Analysis of network packets including encrypted packets;
• Penetration testing;
• Behavioral/social testing including authorized phishing attempts, use of outside contractors to attempt to gain access to protected information, etc.

All such testing will be performed by the ITS department and/or authorized vendors in accordance with oversight from the Privacy and Security Committee.