Purpose

The purpose of this Incident Response Plan is to provide guidelines for Rockhurst University Computer Services to effectively respond to and manage computer security incidents. This plan outlines the key steps and responsibilities involved in incident response, including root cause analysis, forensic analysis, and lessons learned.

Scope

This plan applies to all computer security incidents that occur within Rockhurst University Computer Services. It encompasses incidents related to unauthorized access, data breaches, malware infections, network intrusions, and any other security-related events that may impact the confidentiality, integrity, or availability of university systems and data.

Incident Response Process

  1. Detection and Reporting:
     1. Computer Services staff, end-users, or security monitoring systems should promptly report any suspected or observed security incidents to the designated incident response team.
     2. Incidents can be reported via email, phone, or an incident reporting system established by Computer Services.
  2. Incident Triage and Assessment:
     1. The incident response team will triage and assess reported incidents to determine their severity and potential impact.
     2. Initial assessment will involve gathering necessary information about the incident, such as the affected systems, the nature of the incident, and any initial indicators of compromise (IOCs).
  3. Incident Containment and Mitigation:
     1. Upon assessing the incident, the incident response team will take immediate steps to contain and mitigate the incident's impact.
     2. This may involve isolating affected systems from the network, disabling compromised accounts, or implementing temporary security measures to prevent further unauthorized access or data loss.
  4. Root Cause Analysis:
     1. Once the incident is contained and mitigated, the incident response team will conduct a root cause analysis to determine the underlying cause(s) of the incident.
     2. The analysis will involve examining the systems, logs, and other relevant evidence to identify vulnerabilities, configuration errors, or human factors that contributed to the incident.
     3. The findings from the root cause analysis will be documented for further remediation and prevention.
  5. Forensic Analysis:
     1. In more severe or complex incidents, a forensic analysis may be conducted to gather evidence, preserve data integrity, and support potential legal proceedings.
     2. Forensic analysis may involve the collection and examination of system logs, network traffic, disk images, or other digital artifacts to reconstruct the incident timeline, identify the attacker(s), and gather additional evidence.
  6. Incident Resolution and Recovery:
     1. Based on the root cause and forensic analysis, appropriate measures will be taken to resolve the incident and restore affected systems to a secure and operational state.
     2. Recovery activities may include system patching, malware removal, data restoration from backups, and the implementation of additional security controls.
  7. Lessons Learned:
     1. After the incident is resolved, the incident response team will conduct a lessons learned session to evaluate the effectiveness of the response and identify areas for improvement.
     2. The lessons learned session will involve reviewing the incident handling process, response actions, and communication procedures.
     3. Recommendations for process enhancements, training needs, or technical improvements will be documented and incorporated into future incident response planning.

Responsibilities

  • Incident Response Team:
    1. The incident response team, consisting of designated members from Rockhurst University Computer Services, will be responsible for coordinating and executing incident response activities according to this plan.
    2. Team members will have specific roles and responsibilities defined within the incident response plan.

Policy Compliance

  • Failure to comply with this plan may result in delayed incident response, increased impact, or recurring incidents.
  • All Computer Services staff and relevant stakeholders are required to familiarize themselves with this plan and adhere to the prescribed incident response procedures.

Plan Review

  • This incident response plan will be reviewed periodically and updated as necessary to reflect changes in technology, best practices, or regulatory requirements.
  • Any proposed changes to this plan must be reviewed and approved by [appropriate authority].

By following this Incident Response Plan, Rockhurst University Computer Services aims to effectively respond to security incidents, minimize damage, and enhance the overall security posture of the university's computer systems and data.