Texas A&M AgriLife Computer Incident Response Plan

Last Revision: November 1, 2012
Version: 1.03
Prepared and approved by: Alan Kurk, Director, AgriLife Communications and IT
Executive Summary

The purpose of this Computer Incident Response Plan (IRP) is to provide the AgriLife Agencies with a process that addresses computer security incidents. These are defined as incidents that threaten the confidentiality, integrity or availability of agency information resources with high impact. This plan outlines the roles and responsibilities of incident response team members, the definitions of incident severity levels, and the response procedures for each level. This plan may be used in parallel with major disaster events where the agency disaster recovery plan has been enacted.

The responsibility for declaring a computer incident rests with the agency Information Security Officer (ISO), who is required to notify the agency Chief Information Officer (CIO). All activities in the plan will be directed by the ISO, with appropriate coordination and notification to the CIO.
Table of Contents

Executive Summary ... 2
Purpose and Scope ... 4
Objectives ... 4
Accountabilities / Responsibilities ... 5
Incident Classifications ... 7
Incident Review Report Details ... 8
Purpose and Scope

The IRP applies to all computer systems and networks managed by the Texas A&M AgriLife Agencies. The IRP is required to ensure that all required actions are taken to protect AgriLife information resources and the overall reputation of the agency.

Objectives

The objectives of this plan are as follows:
- Assess the overall impact of an incident
- Assess the financial, reputational and/or technology implications of the incident
- Identify the scope of the vulnerability created by the incident
- Communicate findings
- Initiate appropriate procedures to contend with the incident
Accountabilities / Responsibilities

The following describes the key roles in the implementation of the IRP and their responsibilities.

Chief Information Officer (CIO)

The CIO plays a key role in verifying that appropriate procedures are performed during an incident response. The CIO is responsible for performing and/or delegating the following tasks:
- Establishing priorities based upon the incident
- Notifying agency directors
- Notifying agency public relations contacts and the administrative services director
- Notifying Human Resources as required
- Notifying legal counsel as required
- Overseeing the post-incident response review

Information Security Officer (ISO)

The ISO for each respective AgriLife Agency is primarily responsible for the following:
- Notifying the CIO and/or key team leads of the incident
- Managing the incident procedural process
- Determining whether the incident is classified as a critical event
- Updating the CIO as the incident progresses
- Managing required incident response tasks and data collection
- Verifying that the impacted systems and/or data are properly secured
- Developing recommendations to the CIO to reduce the likelihood of similar future events
Incident Response Team (IRT)

During an incident, key members of the IRT will be engaged. The members activated will depend upon the skill sets and area of function required. Members of this team are responsible for any response and/or remediation efforts performed. The following duties are typically performed by this team:
- Assist in the data collection effort
- Recommend a course of action to remediate impacted systems
- Document incident remediation efforts
- Perform root cause analysis
- Be available for any reviews conducted by third parties (e.g., police, FBI)
- Provide guidance to the ISO and CIO during the course of the incident remediation and assessment
- Initiate employee-related investigations together with TAMU System Counsel
- Manage internal and external communications as necessary
- Handle external media relations inquiries

Incident Response Team Members

Name            Office Phone   Alternate Phone Numbers (home/mobile)   Position/Title
Alan Kurk       979-845-9343   832-577-6331 (H), 832-577-6331 (C)      CIO/IRM
Chuck Braden    979-862-7254   979-571-8055 (C)                        ISO
Jay Carper      979-862-2283   979-530-2150 (C)                        Email/AD Administrator
Gene Curtiss    979-862-9096   979-209-4504 (C)                        Enterprise Systems Mgr.
Mike Alani      979-862-4485   979-574-9638 (C)                        Sr. Network Engineer
Tom Lyster      979-862-1439   979-224-1853 (C), 979-731-8432 (H)      IT Coordinator, College/Research
Jim Segers      979-862-9341   979-255-6162 (C), 936-825-3442 (H)      IT Coordinator, Extension
John Chivvis    979-845-2601   979-575-0674 (C)                        Assoc. Dir., AgriLife Communications
John Willis     979-862-1326   281-460-7416 (C)                        Chief Architect
Steve Schulze   979-845-7879                                            Asst. VC for Administration
Incident Classifications

Incidents can occur in many different ways and have different levels of impact and scope. The following describes the various levels of incident classification. In order for the incident response plan to be initiated, the incident must first meet the definition of a critical event. If the incident does meet the definition of a critical event, the ISO will assess at which level the event is classified according to the definitions below.

CRITICAL EVENT DESCRIPTION: Any incident defined as an unplanned or unauthorized change, disclosure or interruption of Texas A&M AgriLife information resources that could impact the reputation or viability of staff operations.

LEVEL CLASSIFICATIONS

High Level
- An incident that is difficult to control or alleviate in a short time period
- A large number of information resources have been compromised
- A significant loss of confidential data has occurred
- Significant financial or public relations impact is likely

High Level Incident Procedures
- IRT LEAD: Identify procedures to contain the incident / attack
- IRT LEAD: Provide real-time status updates to the ISO and CIO
- ISO: Notify the CIO
- ISO: Begin a log of incident details and remediation actions
- ISO: If employees are being impacted in real time, send communications to the Agency Heads and the Help Desk to initiate internal notification
- CIO: Notify HR and/or TAMUS General Counsel based upon the situation

Medium Level
- The incident is easy to control and remediate in a short time frame
- Minimal loss of confidential information
- Minimal impact to information resources
- Little to no risk of public relations or financial impact

Medium Level Incident Procedures
- IRT LEAD: Determine defensive action to remediate the incident
- IRT LEAD: Notify the ISO
- ISO: Begin a log of incident details and remediation actions
- ISO: Report status to the CIO

Low Level
- Signs of an attack are being seen, but no actual threat to or penetration of information resources has occurred
- Isolated computer viruses that are remediated by anti-virus software

Low Level Incident Procedures
- IRT LEAD: Monitor the situation until the potential threat subsides

Incident Review Report Details

All incident reports, of any level, are to be filed by the ISO in the AgriLife IT CRM system (FirstCall). Once the incident has been fully remediated, the event/ticket should contain the following information:
- WHO: Who was involved in the discovery and remediation of the incident?
- WHAT: What was the nature of the incident, its cause, the damage done, and the remediation effort?
- WHERE: What was the degree of impact? How many users were affected?
- WHEN: Date and time frame of the event.
- HOW: How did the incident occur? What variables allowed it to occur? How can incidents of this type be avoided in the future?