
Procedure P4-004N: IT Security Incident Management

Revision 0. Effective date: November 6, 2024


  1. Purpose and Scope
  2. Definitions
  3. Procedure
  4. Policies/Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose.

      The purpose of this IT Security Incident Management Procedure is to outline the requirements of an IT Security Incident management plan as a means of minimizing the impact of IT Security Incidents, protecting University Assets, and ensuring a swift and coordinated response.

    2. Scope.

      The scope of this procedure is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This procedure supports Section N, titled IT Security Incident Management, of the University of Utah Information Security Policy 4-004.

  2. Definitions

    The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

    1. Incident Response Team (IRT) – An authorized group of IT professionals responsible for preparing for and responding to IT emergencies.

    2. Information Security Office (ISO) – The University’s information security department, which reports to the chief information security officer (CISO).

  3. Procedure

    1. All members of the University community shall immediately report any suspected or detected IT Security Incidents to their respective help desk.

    2. The chief information security officer (CISO) or their designees shall direct IT Security Incident response efforts.

    3. The Incident Response Team (IRT) shall coordinate with University administrative units and entities at the direction of the Information Security Office (ISO) regarding IT Security Incident handling and communication.

    4. IT managers, IT Technicians, and Users managing Assets shall take the following actions in response to suspected or detected IT Security Incidents:

      1. Immediately disconnect the Information Systems from the network; do not run any applications, antivirus/anti-malware scans, or other tools; and do not power off the Information Systems, because powering off destroys volatile evidence such as memory contents and active network connections.

      2. Contact the ISO and discontinue use until further instruction from the ISO.

      3. Outside of business hours, IT managers and IT Technicians shall submit a high-priority ticket to the ITS Service Desk (801-587-6000) to start the Security Operations Center (SOC) escalation process.

    5. The ISO shall create and maintain an IT Security Incident response plan.

      1. The IT Security Incident response plan shall include, at a minimum, the following:

        1. roles and contact information;

        2. identified primary and alternative communication channels;

        3. detection, reporting, and analysis processes;

        4. evidence collection and retention processes;

        5. containment and eradication processes;

        6. recovery processes; and

        7. post-IT Security Incident communication and review processes, including documentation and lessons learned.

    6. The ISO shall test and update the IT Security Incident response plan on at least an annual basis.


      Sections 4 through 7 are for user information about this procedure.


  4. Policies/Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Policies/Rules.

      1. Policy 4-004: University Information Security Policy

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources.

  5. References

    [ reserved ]

  6. Contacts

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    Revision History.

    1. Current version. Revision 0.

      1. Approved by Chief Information Security Officer with effective date of November 6, 2024.

    2. Renumbering

      1. Not applicable

Last Updated: 12/19/24