Information Technology

Cybersecurity – Incident Response Plan

Preface

Much of the data stored or transmitted via Reed's computing equipment is classified as sensitive. Unauthorized access to such data may constitute a violation of federal statutes such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and other laws designed to protect privacy. A breach in data security that compromises personal information can lead to identity theft, putting members of the Reed community at risk and exposing the college to litigation. Unauthorized access to other sensitive data, though not usable for identity theft, may nonetheless have serious legal, financial, or reputational implications for the college.

Purpose

This plan outlines steps, roles, and responsibilities for effectively addressing cybersecurity incidents to minimize damages and maximize availability of services to support the academic mission of Reed College.

Scope

This plan applies to all information systems, networks, and data owned or managed by Reed College.

Objectives

• Minimize the impact of cybersecurity incidents.
• Ensure the timely restoration of affected systems and services.
• Protect the confidentiality, integrity, and availability of data.
• Comply with legal and regulatory requirements.

Definitions

• Incident: An event that compromises the confidentiality, integrity, or availability of information or information systems.
• Breach: An incident that requires notification to affected individuals, where the protected data of the affected individual was, or is reasonably believed to have been, accessed by an unauthorized person. 
• Incident Response Team (IRT): The team responsible for managing and responding to cybersecurity incidents.
• NIST: The National Institute of Standards and Technology is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
• Vulnerability: A weakness in a system or process that can be exploited by a threat.
• Threat: A potential cause of an incident, such as malware, a hacker, or a natural disaster.
• CISO: Chief Information Security Officer
• SOC: Security Operations Center
• HIPAA: The Health Insurance Portability and Accountability Act of 1996, is a US federal law that sets national standards for protecting sensitive patient health information.
• PCI DSS: Payment Card Industry Data Security Standard, is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
• TITLE IX:  
• OCR: Office of Civil Rights, ensures equal access to education through enforcement of civil rights in US schools. 
• FERPA: Family Educational Rights and Privacy Act
• GDPR: General Data Protection Regulation, is a European Union law focused on protecting personal data and individual privacy rights.
• CCPA: California Consumer Privacy Act, is a state law that grants California residents specific rights regarding their personal information held by businesses.
• OCPA: Oregon Consumer Privacy Act, is a state law that grants Oregon residents specific rights regarding their personal information held by businesses.

Incident Response Team (IRT)

• CISO: Incident Response Team Lead managing the incident response process, coordinating activities, and communicating with stakeholders.
• Incident Commander: Designated by CISO to manage and coordinate communication.
• Cybersecurity Engineer: Analysis and containment.
• SOC Analyst: Detection and analysis.
• Data Steward of the affected data: Advises on scope and impact of systems and data involved in the incident. Also responsible for validation of post-incident system restoration.
• System administrators of the affected services: Containment and restoration of services.
• Network Engineer: Containment and restoration of network services.
• Vice Presidents/Deans and Directors of units where the incident occurred will also be involved in the process.
• Other Team members and internal/external subject matter experts will be added as needed.

Incident Classification

Incidents will be classified based on their severity and impact:

• Critical: Severe impact on business operations, data loss, or system downtime. Requires immediate action.
  • Examples: Ransomware attack, data breach involving sensitive information, denial-of-service attack on critical systems.
• High: Significant impact on business operations or potential data loss. Requires urgent action.
  • Examples: Malware infection, unauthorized access to sensitive systems, widespread service disruption.
• Medium: Limited impact on business operations or potential data compromise. Requires timely action.
  • Examples: Suspicious activity, policy violation, attempted intrusion.
• Low: Minimal impact on business operations. Requires monitoring and investigation.
  • Examples: Minor malware infection, vulnerability scan alert, unusual network activity.

Once impact and urgency are assessed, priority is calculated according to the following table:

Incident Response Process

The incident response process is based on NIST 800-61 and consists of the following phases:

1. Preparation:
   • Develop and maintain this Incident Response Plan.
   • Establish an Incident Response Team (IRT) and define roles and responsibilities.
   • Identify critical assets and systems.
   • Implement security controls and tools (e.g., intrusion detection/prevention systems, firewalls, antivirus software).
   • Conduct regular security awareness training for employees.
   • Establish communication channels and escalation procedures.
   • Perform regular backups and test recovery procedures.
   • Conduct regular risk assessments.
2. Identification:
   • Detect and identify potential security incidents through various means, including:
     • Security monitoring systems (IDS/IPS, SIEM)
     • User reports
     • System logs
     • Vulnerability scans
     • Law enforcement notifications
   • Document all relevant information, including:
     • Date and time of the incident
     • Location of the affected system(s)
     • Description of the incident
     • Potential impact
     • Initial assessment of severity
3. Containment:
   • Take immediate action to limit the scope and impact of the incident.
   • Containment strategies may include:
     • Isolating affected systems or networks
     • Disabling compromised accounts
     • Blocking malicious traffic
     • Taking affected systems offline
     • Preserving evidence for further investigation
4. Eradication:
   • Eliminate the root cause of the incident to prevent its recurrence.
   • Eradication steps may include:
     • Removing malware
     • Patching vulnerabilities
     • Reconfiguring systems
     • Restoring from backups
     • Identifying and addressing the source of the attack
5. Recovery:
   • Restore affected systems and services to normal operations.
   • Recovery steps may include:
     • Rebuilding systems
     • Restoring data from backups
     • Testing systems to ensure functionality
     • Implementing additional security measures
     • Monitoring systems for any signs of further compromise
6. Post-Incident Activity:
   • Document the incident and the response actions taken.
   • Conduct a post-incident review to identify lessons learned and improve the incident response process.
   • Update the Incident Response Plan as needed.
   • Implement corrective actions to prevent similar incidents in the future.
   • Consider legal and regulatory reporting requirements.

Communication Plan

• Comply with legal and regulatory requirements regarding data breach notifications.

• • Internal Communication:
    • Establish clear communication channels for reporting incidents and disseminating information within the organization.
    • Define roles and responsibilities for internal communication.
    • Ensure that all employees are aware of the incident reporting procedures.
    • Updating IT status pages for Community awareness.
  • External Communication:
    • Ensure that all external communications are coordinated and approved by the designated spokesperson in Reed’s communications and marketing department
      • Develop a plan for communicating with external parties, including:
        • Vendors
        • Law enforcement
        • Regulatory agencies
        • Media
        • Alumni

Plan Maintenance

• This Incident Response Plan will be reviewed and updated at least annually, or more frequently as needed, to reflect changes in the organization's environment, technology, or threat landscape.
• Regular testing and exercises, such as tabletop simulations, will be conducted to ensure the effectiveness of the plan and the readiness of the IRT.
• The plan will be readily available to all IRT members and other relevant personnel.

Reporting and Documentation

• All security incidents must be reported to the IRT immediately.
• The IRT will document all incident-related activities, including:
  • Incident details (date, time, location, description)
  • Impact assessment
  • Response actions taken
  • Timeline of events
  • Evidence collected
  • Root cause analysis
  • Post-incident review findings
• A centralized system will be used for incident tracking and documentation.

Legal and Regulatory Compliance

• The incident response process will comply with all applicable legal and regulatory requirements, including:
  • Data breach notification laws (e.g., FERPA, GDPR, CCPA, OCPA)
  • Privacy laws (Oregon Consumer Privacy Law)
  • Industry-specific regulations (e.g., HIPAA, PCI DSS, TITLE IX, OCR)
• Legal counsel may be consulted as needed to ensure compliance.

Training and Awareness

• All employees will receive regular security awareness training to help prevent incidents and recognize potential threats.
• The IRT members will receive specialized training on incident response procedures, tools, and techniques.
• Training will be updated regularly to address evolving threats and vulnerabilities.

Revision History