Incident Management

The purpose of Incident Management (IM) is to accurately document known risk and remediate accordingly to allow Shepherd University to resume normal operations as quickly as possible. IM is the process responsible for managing the lifecycle of all data information security (DIS) incidents irrespective of their origination.

Incident Management Goals:

• Standardized processes and procedures are used for efficient and prompt response, analysis, documentation, ongoing management and reporting of incidents.
• Improve transparency and communication of (DIS) incidents to IT Services staff.
• Professional approach to quickly resolve and communicate incidents when they occur.
• Minimize the adverse impact on Shepherd University operations.
• Effectively address the situation to stabilize and restore normal operations.
• Communicate appropriately and promptly to stakeholders.

Responsible Office: Information Technology Services
Date Issued: July 19, 2021
Revision: 2
Date Last Revised: 7/29/2021

An IT (DIS) incident is any activity involving Shepherd IT Systems that:

• violates the law
• constitutes harassment
• violates regulatory requirements
• violates Shepherd University policy
• compromises Shepherd University data, or that of any person (pii)
• involves the unexpected disruption of Shepherd University services

It is an IT security incident if someone:

• Obtains unauthorized access to a Shepherd University IT system
• Uses Shepherd University IT resources to compromise into any non-University computer system
• Uses Shepherd University IT resources to harass or threaten someone
• Accesses your computer or your data stored on Shepherd University IT resources without permission or authority
• Violates any state, federal, or local law or regulation using Shepherd University IT resources
• Protected data is exposed either purposefully or inadvertently to an unauthorized party

Please see IT Security Policy, BOG policy #35 for additional guidance on information security principles, access control, personnel practices, and administration.

Reporting IT Incidents 

Any observed event which appears to satisfy the definition of an IT Security Incident must be reported to the Coordinator of the Information Security Program and Director of Information Technology Services. The requestor who reports the event, including complaints relayed on behalf of students, should document and report any relevant information regarding the event, including, but not limited to dates, times, persons, resources or systems involved, serial numbers, device types, MAC addresses, and IP addresses. This information should be sent by email to itworkorder@shepherd.edu ; subject line “GLBA Incident” as soon as possible. The incident system will generate a response email assigning a ticket number for tracking purposes. Users are encouraged to report any event that could be considered an incident.

Situations which are suspected to be crimes must be reported immediately to the appropriate law enforcement agencies by the person who possesses first-hand knowledge of the facts related to a suspected crime.  Shepherd students, faculty and staff on campus must report crimes to the Shepherd University Police Department. Persons off campus should report crimes to their local law enforcement agency.

Those events which are suspected to be both a crime and an IT Security Incident should be reported first to the appropriate law enforcement agencies, and then a notification that a police report has been filed should be sent the Coordinator of the Information Security Program and Director of Information Technology Services.

Response

Reported events become IT Security Incidents only after they have been received and evaluated by the Coordinator of the Information Security Program. In order to facilitate the accurate and productive response, all IT Security Incidents must be assessed and classified by the Coordinator of the Information Security Program. As the IT Security Incident progresses, its classification may be reevaluated and changed as necessary. If an IT Security Incident falls under multiple classifications, the classification with the highest severity will dictate the response.

The Coordinator of the Information Security Program will determine if the IT Security Incident warrants a formal response. IT Security Incidents that do not warrant a formal response will be reassigned to the appropriate Information Technology Services staff for remediation handling. If deemed appropriate by the Coordinator of the Information Security Program, a Cyber Incident Response Team (CIRT) will be formed and may be comprised of, but not limited to, members from Executive Leadership, Information Technology Services staff, Shepherd University Police Department, and departmental managers as appropriate. All reported events or IT Security Incidents must be documented throughout the response process.

The Coordinator of the Information Security Program subject to applicable law and University policies, may use the following resources for IT Security Incident detection and/or response:

• System and application logs
• Passive network traffic monitoring (e.g., IDS, and other network packet analyzers)
• Active scanning of systems suspected of violating Shepherd University policy or systems exhibiting symptoms of compromise
• Other resources as determined appropriate by the Coordinator of the Information Security Program and as allowed by Shepherd University policy and applicable law
• Confiscation of Shepherd University issued computers, devices, and/or systems to support analysis activities

Business Continuity 

Responding to an IT Security Incident it may become necessary to suspend/alter/change any targeted or dependent services/systems in order to:

• Protect students, faculty, staff, IT resources, other systems, data and Shepherd University assets from threats posed by the involved services/systems
• Protect the service/system in question
• To preserve evidence and facilitate the IT Security Incident response process

In the case of mission critical applications, the Coordinator of the Information Security Program will follow the formally documented Communication Plan in an effort to consult with the appropriate staff before carrying out a suspension.

Any equipment not owned by Shepherd University that is using campus IT resources and is found to be the target, source, or party to an IT Security Incident may be subject to immediate suspension of services without notice until the issue has been resolved or the subject system is no longer a threat.

In all cases, it is the Coordinator of the Information Security Program or CIRT who determines if and when a service suspension may be lifted.

In order to facilitate proper and timely handling of IT Security Incident responses, it is necessary that network-connected devices be identified and located as soon as possible. Shepherd University Information Technology Services maintains an inventory of network-connectable devices.

Created 7/19/2021