Proposer: Kenneth Coggin
Section: Information Services General – 2200's
Last Review Date: 11/03/2025
Responsible Area: Technology Advancement and Support
Effective Date: 03/15/2026
Policy/policies the procedure is based on:
Procedures that may be impacted by revisions:
Revision History: 5/21/2021, 3/6/2025

1.0 Purpose
This document describes the procedures that should be followed by an individual reporting an information security incident.
2.0 Scope
This procedure covers Northland Pioneer College’s (NPC) information resources, including all departments and divisions. It is to serve as a reference for any user reporting an incident, including outside sources, when applicable.
3.0 Definitions
3.1 Arizona’s Data-Breach Notification Law ~ A.R.S. §§ 18-551 and 18-552 - provides Arizona residents with information about data breaches involving their personal information.
3.2 Employee - someone who has an employer/employee relationship with NPC and receives compensation for their work.
3.3 Family Educational Rights and Privacy Act (FERPA) - U.S. law that protects the privacy of student education records. It gives parents (and students over 18) the right to access, review, and request corrections to these records, and limits who can share them without consent.
3.4 Gramm-Leach-Bliley Act (GLBA) - U.S. law that requires financial institutions to protect customers’ personal financial information and explain how it is collected, shared, and safeguarded. It also gives consumers the right to limit some sharing of their data.
3.5 Information Security Group (ISG) - comprised of the Chief Information Officer, Chief Human Resources Officer, Vice President of Learning and Student Services, or their designated representative, along with other selected members on an ad-hoc basis.
3.6 Information Security Incident - any event that threatens the confidentiality, integrity, or availability of information or information systems.
3.7 Personally identifiable information - refers to any information that can be used, either on its own or combined with other details, to identify a specific person.
4.0 Procedure
Reports are to be made to the Information Security Group (ISG). Incidents related to NPC’s electronic software and/or data are the responsibility of NPC’s Technology Advancement and Support (TAS) division.
Having an effective incident response is essential in mitigating damage and loss due to an information security incident. Proper handling of such incidents protects NPC’s information resources from future unauthorized access, use, or damage.
Recognize an incident
An Information Security Incident is a suspected disclosure of personally identifiable information, whether it is in physical or electronic form.
NPC is required to comply with the Gramm-Leach-Bliley Act (GLBA). NPC follows the privacy provisions of the GLBA due to its compliance with the Family Educational Rights and Privacy Act (FERPA). However, the GLBA holds institutions to additional provisions related to administrative, technical, and physical safeguarding of customer information (electronic and physical forms).
An "Information Security Incident" could:
- Be the result of the misuse of confidential information (social security numbers, grades, health records, financial transactions, etc.) of an individual(s).
- Jeopardize the functionality of NPC’s Information Technology (IT) infrastructure.
- Provide unauthorized access to NPC resources or information, whether physical or electronic.
Examples of Information Security Incidents include:
- Illegal or unauthorized access to physical records or printed documents
- Illegal access of an NPC computer system
- Use of NPC IT resources to illegally access any non-NPC computer system
- Use of NPC IT resources to harass or threaten someone
- Suspicion that a computer has been infected with a virus or worm that may lead to data leakage (keystroke logger, password cracker, etc.)
- The loss or theft of an NPC laptop containing confidential data
Steps in response to an incident
Employees should monitor their data and immediately report any suspected incidents to their direct supervisor and, in the case of technology-related incidents, to the Support Center for direction. The NPC Support Center can be reached at (928) 524-7447.
The primary objective NPC wants to achieve in response to an incident is to preserve as much of the volatile evidence as possible. Because of this, the ISG wants the individual reporting the incident to do as few things to the affected system or location as possible before the ISG can secure the system or location for analysis.
In response to a computer incident, employees have been instructed as follows:
- Shut down your computer if:
  - You believe that data is actively being removed from the system;
  - You believe that the system is attacking, or being used to stage attacks on other systems.
- The individual reporting the incident must start the Incident Checklist (linked in this document and also located on the TAS SharePoint page), and send as much of the following information as can be gathered to the Information Security Group (ISG), at infosec@NPC.edu. Not all of the information may be easily identifiable, in which case the space may be left blank and the ISG will determine it:
  - The name of the detector of the incident, along with methods of contact
  - The names and contact information of any other individuals involved with the incident
  - The name and IP address of the computer (if applicable)
  - The physical location of the incident (filing room, office, or computer system)
  - The type of incident that is believed to have occurred:
    - Unauthorized access to a physical location
    - Removal or illegal access of records (physical or electronic)
    - Denial of Service
    - Unauthorized Use or Access Compromise of College Data
    - Misuse of IT Resources
    - Malicious Code (viruses or worms)
    - Other
  - A brief description of how the incident was detected
  - The purpose of the system (desktop, lab computer, web server, etc.)
  - How critical the data (physical or electronic) is believed to be to NPC business
  - If the location or computer contains "private" data, the type of data it contains (SSNs, credit card information, student grades/addresses, medical information, governmental research data, etc.)
After reporting the incident, the ISG may contact the individual reporting the incident for further information. The ISG (or their designee) will be dispatched to analyze the system or location to determine the extent of the compromise, the potential breach of data, and to clean up the problem.
Examples of Various Incident Scenarios and Actions:
- Illegal access to a file room or student records – End users have been instructed to contact their direct supervisor and will assess what records may have been accessed. ISG will be notified and provide direction. Campus Safety and Facilities personnel may be involved to determine how the room or records were accessed, and to ensure physical security.
- Malware-infected computer – End users have been instructed to contact the Support Center to open a ticket. A technician will immediately be dispatched to assess the computer, take the necessary steps to clean it, and determine if there is a possibility the malware could replicate or spread. If that is determined, the computer will be isolated from the network and cleansed. A network/system scan using PDQ Deploy can determine if the malware is installed on any other network computer.
- Crypto Locker: End users have been instructed to turn off the computer and contact the Support Center. A technician will immediately be dispatched to physically remove the computer from the network and bring it back to the shop. The technician will then power up the computer “off network” to determine the extent of data loss. At that point, the ISG and Department Head will be notified to decide whether to pay the ransom, if data retrieval is vital to NPC. If there is a possibility it could replicate or spread, a network scan using PDQ Deploy will be attempted to determine if the Crypto-ware is installed on any other network computer. If identified on other computers, technicians will be dispatched immediately. If the infection is widespread, TAS could be forced to shut down central servers to protect them until remediation can occur.
- Suspected compromised account: End users have been instructed/trained to change their password immediately and notify TAS. A technician and/or ISG will follow up to learn why the end user suspects their account is compromised. If it is deemed that the account may have been compromised for some time, an evaluation of user activity will be conducted, checking login/logoff reports to ensure that no systems or data containing personally identifiable information were accessed and/or removed.

