Information Security Incident Response Team

Purpose

To outline the organizational structure and delineation of roles and responsibilities and to supplement Western Michigan University’s security infrastructure to investigate and minimize the threat of damage resulting from a breach of restricted/confidential or internal data of the University.

Incident response working group

The existing Campus Information Security Committee will serve as the working group and is the response team's steering committee. They are charged with establishing the basic policies and procedures that will be employed by the team and may be called upon to oversee team activities. This group appoints the pool of incident officers and incident response team members.

Incident officer

The CIO, or his designee, is the incident officer. He will oversee and direct the response team's actions as well as act as the single point of contact for the given incident. The incident officer will also be responsible for ensuring that specific information is communicated to management in a timely fashion. 

Information security incident response team - definition and charge

The security incident response team is a group of individuals who have been trained in incident management, each having distinct response roles. The team works under the direction of the incident officer.

The team is tasked with the following responsibilities:

  • Processes IT security complaints or incidents.
  • Assesses threats to IT resources.
  • Alerts IT managers of imminent threats.
  • Determines incident severity and escalates it, if necessary, with notification to CTO and president’s senior staff.
  • Coordinates security incidents (level 2 or 3) from discovery to closure.
  • Reviews incidents, provides solutions/resolutions and closure.

Response team membership

Each incident could require various campus constituents and personnel to be available for investigation and remediation. The incident officer will select from the organizational units deemed technically proficient to provide their expertise to the particular incident. The following University organizational units may be convened depending on the incident reported.

Purpose: unit

  • Campus PCI compliance officer: accounting services
  • Direction and oversight for IT issues: CIO
  • Expertise within departmental IT environment: local system administrators
  • Forensic expertise: public safety
  • Response team direction and oversight: incident officer
  • Networking security expertise: network operations
  • Overall direction for campus emergency response plan: emergency management
  • Programming expertise: IT applications
  • Public communications and responding to press inquiries: university relations
  • Regulation and policy expertise: internal audit; general counsel's office; IT security officers
  • Regulation and policy expertise as it pertains to an employee data incident: human resources
  • Regulation and policy expertise as it pertains to a student data incident: accounting services; VP of student affairs
  • Regulationa and policy expertise as it pertains to financial aide, registration or admission data of a student:enrollment management
  • System and hardware expertise: IT operations

Summary of responsibilities for key personnel

Incident response working group

  • Assist in development and promotion of policy and procedures.
  • Select and train incident response team members and officers.
  • Develop a representative inventory of critical incidents.
  • Develop procedures to follow during an incidence response.
  • Recommends updates to the incident response plan.
  • Maintains systems for discovering security incidents involving Western Michigan University information resources.
  • Documents security incidents in a tracking system.

Information security incident response team

  • Follow the leadership of the incident officer
  • Develop a plan of action for a given incident and carry out the procedures of the plan.

Supporting groups

  • Provide technical and other assistance to response team as requested

Document action

Reviewed by: Campus Information Security Committee, Jan. 2009
Revised by: Campus Information Security Committee, Jan. 2009
Revised by: Gramm Leach Bliley Act Compliance Committee, Oct. 2012