Any member of the University community who suspects that an IT security incident has occurred must report it in one of the following ways:
Upon notification, discovery, or suspicion of an incident, the Information Security Officer will launch an investigation. The Information Security Officer will determine whether the incident is a false positive or a real incident. In the event that the incident is real and actionable, the Information Security Officer will determine the severity level. In the event that the Information Security Officer cannot make a determination of an incident's severity level, he will contact the Assistant Vice President for Information Technology for guidance.
Each Incident Severity Level has its own set of procedures, including escalation and response times, action items, and personnel involvement. At any time during an incident investigation, the severity can be raised or lowered, based upon newly discovered information.
The Information Security Officer (or designated member of the CSIRT) will open a help desk ticket containing information about the security violation. Upon conclusion of the incident, the Information Security Officer (or designated member of the CSIRT) will finalize and close out any open help desk tickets related to the incident. Related incident tracking logs will also be finalized and stored appropriately.
If the severity of the incident requires it, or if it is otherwise requested by an appropriate administrator such as the Assistant Vice President for IT, the Information Security Officer (or designated member of the CSIRT) will compile a post-incident report, using the information logged during the incident as the basis of the report. The report will also include a summary of lessons learned and any recommended changes to be made to the environment to prevent future recurrence of the incident.