Administrative Regulation:  Incident Response

Regulation Number:  7.1.6

_____________________________________________________________________________________

Purpose:

This Incident Response Administrative Regulation (this “Admin Reg”) outlines the process for responding to potential or actual information security incidents at the College. This Admin Reg defines roles, responsibilities, and procedures related to incident identification, investigation, remediation, and reporting. Standardization of incident response plans aids the College in effectively containing and resolving incidents to ensure confidentiality, integrity, and availability of Institutional Resources are maintained.

Definitions:

Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.

Scope:

This Admin Reg applies to all Institutional Resources and any person, entity, or device that gains or attempts to gain access to Institutional Resources.

Information Security Incidents:

Information security incidents are events that have the potential to compromise the confidentiality, integrity, or availability of Institutional Resources.

The Incident Response Plan should be followed when the following types of events occur:

  • Any unauthorized access to Institutional Resources, including any potential data breach;
  • Any such incident involving a member of the College community, including, but not limited to, students, faculty, staff, guests, volunteers, partners, and visitors; and/or
  • Any such incident involving services provided by third parties to the College, such as contracted vendors, partner institutions, etc.

If it is not clear whether a specific situation constitutes an information security incident, report the situation and the Office of Information Technology (“OIT”) will make the determination.

Reporting:

All Authorized Users are responsible for reporting any event that might compromise information security to OIT and/or the Authorized User’s direct supervisor.

  • Call the IT Helpdesk at 307-532-8002 or log a Halo ticket through the MyEWC portal
  • Report an incident in person at the IT Office (AC 105), lower-level Activities Center

Other means, such as automatic detection tools and logs kept pursuant to the Monitoring and Logging Administrative Regulation, also enable monitoring and reporting of suspicious activity.

Incident Response:

The College responds to incidents in accordance with the following phases. The phases outlined below are only meant to serve as a general overview of the incident response, as OIT and system owners and administrators work together to develop detailed plans specific to various Institutional Resources.

  1. Preparation

Effective incident response is facilitated by proactive planning for the possibility of incidents. Pursuant to the Information Security Policy and this Admin Reg, the College maintains, and works to continuously improve, internal processes, procedures, and tools, with the goal of enabling immediate and effective response should an incident be detected across any IT Resource. OIT and the President’s Executive Team will work together to prepare and evaluate incident response plans.

  2. Detection and Analysis

Once an incident has been reported to OIT, OIT is charged with coordination for the duration of the incident, except in situations where OIT determines the specifics of the incident warrant law enforcement involvement. Once a determination has been made that an incident has occurred, investigation of the incident and/or forensic analysis related to the incident must be initiated by and coordinated through OIT.

Once a potential incident is detected, the following actions will be taken:

  1. The College President assigns an Incident Coordinator who will be the primary point of contact for the duration of the response and recovery effort. In the absence of the College President, the Vice President of Administrative Services shall make the assignment.
  2. The Chief Information Officer (“CIO”), in conjunction with OIT and any other appropriate Personnel, will review the known details of the incident and classify and prioritize the incident based on relevant factors (e.g., functional impact, information impact, recoverability, etc.).
  3. If the incident involves Confidential (Level 2) or Highly Sensitive (Level 3) data, the Incident Coordinator will assemble an Incident Response Team (“IRT”) as set forth below.
  4. The Incident Coordinator, in consultation with the College President and legal counsel, will initiate notifications required by law or contract and as necessary to initiate additional incident response activities. Depending on the circumstances, notifications may be made to the following:
      • Local law enforcement (Torrington PD, 307-532-7001; Douglas PD, 307-358-3311)
      • Homeland Security (307-777-4663)
      • FBI (Cheyenne Office, 307-632-6224)
      • Cyber Insurance Company
      • Wyoming Community College Commission (307-777-7763)
      • Wyoming Department of Enterprise Technology Services (307-777-5840)
      • Federal Student Aid (support@cpssaid.ed.gov)
      • Federal Trade Commission (ftc.gov)

  3. Assemble an Incident Response Team

If applicable, under the guidance of the CIO, the Incident Coordinator will assemble an IRT that will be responsible for mitigation, investigation, and remediation of the incident. The makeup of this team will vary depending on the classification of the incident, the type of incident, and the Institutional Resources impacted by the incident.

  4. Containment

The goal of the containment phase is to prevent any further damage or incidents associated with the initial incident. OIT will work to identify, and isolate or otherwise mitigate, the affected system(s) or resource(s) to “contain the spread” as effectively as possible.

  5. Eradication

All vulnerabilities that were exploited will be identified and mitigated. Any malware or other inappropriate materials or components will be removed. Investigation of the incident will remain ongoing, and if additional systems or resources are determined to be affected, the detection, analysis, containment, and eradication activities will be completed for the affected systems or resources.

  6. Recovery

Systems or resources will be returned to their operational state, and tests will be completed to ensure all systems and resources are functioning normally. Additional monitoring mechanisms will be implemented, as necessary, to facilitate detection of future related activity.

  7. Incident Documentation

The IRT will complete an incident report to document details of the incident and the investigation. Each incident report must minimally contain:

  • A description of the incident;
  • Information about the results of the investigation (attacker, cause, etc.);
  • Impact on service, financial damage, violation of privacy, and other related effects;
  • Actions taken;
  • Notification decisions and completed notifications; and
  • Remediation plan information.

  8. Debriefing/Notification

Meetings with relevant stakeholders will be held to discuss the incident report and any takeaways. Incident response plans and other policies and procedures (e.g., Risk Management and Vulnerability Management) will be updated, as applicable, to facilitate ongoing security and future incident response capabilities. Additionally, stakeholders should opine on whether applicable law requires any external parties to be notified of the incident.

The College is bound by laws and regulations relating to the handling of data that is collected, maintained, and used by the College. Those include the Family Educational Rights and Privacy Act (“FERPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), Wyo. Stat. § 40-12-502(d)(iii) & (iv), the Payment Card Industry Data Security Standard (“PCI DSS”), contractual obligations, and any other regulations that may be put into force by federal or state governing authorities. Any changes and/or additions to regulations may override the above-referenced acts, and this Admin Reg will be reviewed annually for recent changes.


References:

Information Security Policy

Information Classification Administrative Regulation

Monitoring and Logging Administrative Regulation

Risk Management Administrative Regulation

Vulnerability Management Administrative Regulation


Revision History:

Original Adoption Date: 1/29/24

Revision Date(s):

Date Reviewed, no change: