NIC Policy 3.08.04 Computer Security Incident Response Guidelines

The following guidelines are intended to support North Idaho College Policy 3.08.04 Computer Security Incident Response. They outline incident response procedures and further define roles and responsibilities during incident response.

---------------

Incident Response Workflow and Responsibilities

Identification

Potential incidents are identified using information from various sources, including but not limited to:

  • Contact from affected or impacted parties
  • Contact from network, system and/or application administrators
  • Contact from external third parties
  • User alerts and/or Service Desk requests
  • Monitoring of NIC networks, systems and/or applications for anomalies, intrusions, and/or unusual behavior that could reasonably raise suspicion of potential compromise

Examples of incidents covered by this standard include but are not limited to:

  • Breach or improper disclosure of NIC information
  • Compromise of information integrity, e.g., damage or unauthorized modification of data
  • Compromise of information availability, e.g., denial of service attack
  • Theft of or damage to physical information assets
  • Denial of service attack that impacts NIC business or services or external parties
  • Misuse or abuse of NIC services, information or assets
  • Infection of systems by unauthorized or malicious software
  • Unauthorized access attempts that impact NIC business or services or external parties
  • Unauthorized changes to NIC information assets
  • Trigger of intrusion detection alarms beyond “normal” levels

Once identified, incidents are reported to helpdesk@nic.edu or other appropriate reporting methods, which triggers the incident response plan.

Assessment and Classification

Once a potential problem has been identified, the Incident Response Team will analyze the situation and attempt to confirm whether it is the result of a security incident. If so, the team will determine the severity of the incident and classify it as Critical, High, Medium or Low. Severity and classification are based on whether the incident poses a threat to NIC or external resources, stakeholders, and/or services. The determination may include, but is not limited to, the following factors:

  • Does the incident involve unauthorized disclosure of high-risk or confidential information?
  • Does the incident involve serious legal issues?
  • Does the incident cause serious disruption to critical services?
  • Does the incident involve active threats?
  • How widespread is the incident?

Incidents classified as Critical or High severity are referred to the Information Security Management Team. All other incidents are handled by the Incident Response Team in accordance with established practices. The team may reassign an incident to a different severity level as further assessment warrants.

Classification Levels

Critical: Any unexpected or unauthorized change, disclosure or interruption to information assets that could be damaging to the campus community or NIC reputation. Examples: A major attack against the NIC’s IT infrastructure; an incident with major impact on operational activities; significant loss of confidential data and/or mission-critical systems or applications.

High: Campus-wide and potentially public impact. A successful breach has occurred and/or a threat has manifested itself. There is significant risk of negative financial or public relations impact. A large number of systems or accounts are affected. A very successful attack that is difficult to control or counteract because no countermeasures, resolution procedures or bypass exist. Level 1 data may be involved.

Medium: The threat and impact is limited in scope, e.g., department-wide not campus-wide. Early indications of a possible attack or intrusion detected with minimal risk of negative financial or public relations impact. A small number of systems or accounts are affected. A nominally successful attack that is easy to control or counteract, although countermeasures may be weak. Level 2 data may be involved.

Low: An incident with no effect on system operations. Intelligence received concerning threats to which systems may be vulnerable. Penetration or denial of service attacks attempted with no impact. No critical infrastructure is affected. Solutions or countermeasures are readily available. Procedures are available and well-defined to resolve the problem. No protected information is involved.

Notification and Containment

Once an incident has been positively identified, the Incident Response Team will work with appropriate personnel to isolate the affected equipment, including by blocking its network access, in order to prevent secondary threats, attacks on other internal systems, and potential legal liability.

A compromised system or account that is actively causing widespread problems or affecting NIC networks or computers will be blocked from the network immediately following established practices. Other immediate actions may include removal from service and/or forensic analysis if appropriate using established protocols. The Incident Response Team may recommend additional containment measures in addition to those outlined in related procedures for this standard.

Depending on the nature of the incident, the Incident Response Team may be required to work with law enforcement. If served with a warrant or subpoena for information related to security incidents, the Incident Response Team will consult with NIC Legal Counsel to ensure compliance with federal and state regulations and applicable policies and practices.

Some incidents require notification of affected parties or individuals under contractual commitments or in accordance with applicable laws and regulations. Notification may not be required in incidents in which the NIC can reasonably conclude that disclosure or misuse of the compromised information is unlikely, and appropriate measures are taken to safeguard the interests of affected parties.

Using established practices, NIC will comply with federal and state requirements to notify any individual whose unencrypted personal information has been or is reasonably believed to have been disclosed by the NIC to an unauthorized person.

Copies of security breach notifications sent to affected individuals will be posted on the North Idaho College website. Beyond that, information shared with the media or general public regarding a security incident must be coordinated through NIC’s Communications and Governmental Relations Department.

Eradication

On receiving notice of an incident, the party responsible for the affected information asset is responsible for resolving the issue. This includes but is not limited to changing passwords, reformatting media, updating or reinstalling software, running scans and taking appropriate remediation action, and/or taking other steps as needed to remove the threat and prevent similar compromises in the future.

Individuals are expected to follow any specific protocols or recommendations cited in the notice and to document any actions they take to resolve the problem. This includes following established protocols for proper evidence collection, handling and storage; problem identification, remediation and mitigation; incident reporting and documentation, etc.

Once a system is secured, the responsible party must notify helpdesk@nic.edu so the Incident Response Team can take appropriate measures to document and resolve the incident.

Documentation

The Incident Response Team will create and maintain a confidential written record for each incident in NIC’s secure electronic trouble ticket system until the incident is finally resolved. At minimum, the record must include the incident date and time, incident type and severity and impact, who or what reported the incident, detailed description of what occurred, supporting evidence if available, source and target of the attack, affected campus resources, response actions taken and by whom, evidence collected, suspected cause(s), total hours spent and other costs (if applicable). Records will be used to report the number and type of incidents as needed and to identify incident response trends over time.

Individuals involved in any investigation or corrective measures are responsible for documenting their actions, communications and findings related to the incident. This information must be submitted to helpdesk@nic.edu so it can be incorporated into the confidential ticket.

Improvement

Individuals and units involved in the incident response process may have recommendations to improve system/network configuration, security practices, business processes or the incident response process. Recommendations will be collected and documented by the Incident Response Team.

At the conclusion of major incidents, the Incident Response Team will hold a debriefing to review lessons learned and to recommend changes to this standard and related procedures if appropriate.

Communication

Communication with affected parties involved in the incident occurs at each stage in the incident response cycle. Specific communication responsibilities are identified in the Roles and Responsibilities section of this standard.

Escalation

While isolated incidents may be resolved with minimal involvement outside the initial response team, some incidents require escalation to notify appropriate entities, to obtain investigative information or assistance, and/or to ensure an appropriate public response by NIC. Four escalation levels are outlined in this standard:

  • Initial
  • Unit Level
  • NIC Level
  • External

Initial and unit level escalation may be undertaken by the Incident Response Team as the case indicates; NIC level and external escalation are at the discretion and delegation of the Information Security Management Team.

Escalation - Initial

Initial escalation may be necessary when an incident has the potential to affect network services or other conditions on a limited but not isolated scale. Entities involved in the initial escalation may include, but are not limited to:

  • NIC Helpdesk
  • Affected IT group(s), e.g., Network Administration, Collaboration Support, Central Systems, etc.
  • Affected group(s) outside IT Central Services, e.g., Colleague Users, Office 365 Users, etc.
  • LAN Coordinator, System Administrator, and/or Application Manager
  • User

Escalation - Unit Level

Unit level escalation may be necessary when an incident has the potential to affect network services, high risk and/or confidential data, NIC business services or other conditions NIC-wide. Unit level escalation may also be necessary in the event of a refusal or official non-compliance with recommended eradication methods.

Entities involved in unit level escalation may include, but are not limited to:

  • Information Authority/Owner
  • Campus Compliance Officer
  • Information Security Management Team
  • Information Security Coordinator
  • Other management within the affected units

Escalation - NIC Level

NIC level escalation is at the discretion or delegation of the Information Security Management Team. Entities involved in NIC level escalation may include, but are not limited to:

  • NIC Legal Counsel
    • before contacting law enforcement
    • if a breach of contract has occurred
    • if a warrant or other valid legal request has been received
    • to authorize a litigation hold or other investigation
  • Communications and Governmental Relations
    • if a security breach notification is required
    • if a case is likely to affect public confidence
    • before responding to media-initiated contact
  • NIC Security
    • if physical safety is threatened
    • if NIC property has been stolen
    • if investigation reveals evidence of a crime
    • if external law enforcement needs to be contacted
    • if investigators need information or record retention that requires a warrant to obtain
  • Executive Management
    • if a case is likely to affect public safety, enterprise services, and/or public confidence
    • if a security breach notification is required
  • President’s Office
    • if a security breach notification is required
    • if a breach of Level 1 or Level 2 data has occurred

Escalation - External

External escalation is at the discretion or delegation of the Information Security Management Team. External entities which may be involved and examples of when those entities may be contacted include but are not limited to:

  • Internet Service Providers
    • to report abuses and provide evidence (e.g., logs) for incidents originating off-campus
    • to obtain transaction records or other evidence
  • Telecommunication Carriers
    • to obtain call records or other evidence
  • Third party providers or contractors
    • to report, verify and coordinate incident response activities
    • to obtain transaction records or other evidence
  • Local, state or federal law enforcement agencies
    • to report criminal activity
    • to obtain search warrants
    • to obtain other assistance

Roles and Responsibilities

Incident Response Operations Team

  • Membership will vary depending on the nature of the incident but at minimum will include members of the IT Policy/Abuse Team and the Information Technology Department as needed
  • Coordinates incident response activities, involving others as needed
  • Receives complaints sent to helpdesk@nic.edu
  • Creates, updates, maintains and resolves confidential tickets to document each incident
  • Requests additional information if necessary
  • Determines the nature, scope and severity of the incident
  • Blocks and restores network access or authorizes others to do so as appropriate
  • Identifies the potential source of the problem and the responsible NIC entity or user
  • Notifies the responsible entity or user and consults with them on actions to be taken
  • Monitors progress of the investigation
  • Escalates incidents as appropriate
  • Facilitates communications
  • Creates summary reports for management
  • Conducts lessons learned to determine if any changes are required
  • Provides training to campus staff involved in incident response

Incident Response Management Team

  • Coordinates Incident Response Team assignment and ensures it has the necessary resources
  • Coordinates investigation, assessment, tracking, resolution and reporting of security incidents classified as Critical or High, including evidence collection and preservation
  • Determines if a reportable security breach occurred and enacts security breach protocol
  • Determines if a NIC production service should be taken offline until incident resolution after consultation with appropriate campus entities if possible
  • Determines if an incident may result in media inquiries or legal action and escalates to Communications and Governmental Relations, Legal Counsel and/or Campus Police if appropriate
  • Keeps executive management informed as appropriate
  • Reviews and analyzes summary reports to identify trends and lessons learned

Campus Compliance Officers (FERPA, HIPAA, PCI, ADA, etc.)

  • Participates in the Incident Response Team for incidents involving a compliance issue
  • Investigates, documents and reports violations in accordance with established practices
  • Coordinates required notifications in accordance with established practices
  • Makes recommendations to prevent similar incidents and/or improve the response process
  • Advises management on applicable policies and procedures, including potential sanctions
  • Participates in lessons learned as requested

Technical Staff (Network, System and Application Administrators, LAN/WAN Coordinators)

  • Monitors networks, systems and/or applications for anomalies, intrusions, and/or unexpected events or unusual behavior that could reasonably raise suspicion of potential compromise
  • Reports potential violations to helpdesk@nic.edu
  • Assists in investigating incidents involving networks, systems and applications under their control
  • Collects and preserves evidence and provides support as needed throughout the investigation
  • Documents any breaches, especially those involving high-risk or confidential data
  • Conducts forensic investigations as required or appropriate
  • Works to contain, remediate, resolve and document security incidents
  • Identifies root cause, including responsible individual, if possible
  • Documents findings and actions taken and reports back to the Incident Response Team
  • Participates in lessons learned as requested
  • Makes recommendations to prevent similar incidents and/or improve the response process

Users

  • Reports suspected violations to helpdesk@nic.edu
  • Follows instructions from the Incident Response Team to preserve evidence, prevent further damage, and/or to otherwise aid the investigation as directed
  • Users whose actions result in an incident may be subject to disciplinary action and may be required to review policies or undergo training

It is the responsibility of all NIC faculty, staff, students and affiliates to report potential incidents, IT policy violations and breaches of college information security to helpdesk@nic.edu.

Data Steward/Custodian

  • Supports the Incident Response Team in reporting, investigating, assessing and resolving potential policy violations and security incidents
  • Determines if an enterprise production service may be taken off-line

Information Security Coordinators

  • Supports the Incident Response Team in reporting, investigating, assessing and resolving potential policy violations and security incidents
  • Serves as escalation point to ensure cooperation by users and technical staff in their area

Management

  • Supports the Incident Response Team in reporting, investigating, assessing and resolving potential policy violations and security incidents
  • Determines if localized production services may be taken off-line
  • In consultation with the Information Security Officer, notifies affected users when a security breach requiring notification originates from an individual or system under their control
  • Applies sanctions and discipline in accordance with existing policy and practice in coordination with Human Resources, Academic Personnel or Office of Student Affairs
  • Participates in lessons learned as requested
  • Makes recommendations to prevent similar incidents and/or improve the response process

Employment Equity/Human Resources/Academic Personnel/Office of Student Rights and Responsibilities

  • Investigates alleged policy violations and security incidents stemming from actions taken by individual staff, faculty and students to determine if disciplinary action is appropriate
  • Authorizes activities affecting accounts or files of individuals under investigation or found to be responsible for a policy violation or security incident, including but not limited to,
    • Temporary suspension of accounts
    • Early termination of accounts
    • Retention and review of electronic or other files
  • Advises management on applicable policies and procedures, including potential sanctions
  • Participates in lessons learned as requested

Legal Counsel

  • Authorizes litigation holds and notifies affected parties regarding their responsibilities
  • Interprets the law and advises on potential legal or other risks to the NIC
  • Reviews search warrants or other legal requests for validity prior to campus response
  • Serves as escalation point for advice on legal matters outside the purview of the team

NIC Resource Officer

  • Investigates incidents involving potential criminal activity, including theft of NIC property
  • Assists in obtaining search warrants, subpoenas, and other legal documents as requested
  • Coordinates contact with outside law enforcement agencies
  • Serves as escalation point for incidents involving immediate threat to physical safety

Public Affairs

  • Coordinates communications and contacts between the NIC and the media
  • Serves as escalation point if a security breach notification is required
  • Serves as escalation point if an incident is likely to affect public confidence

Executive Management

  • Serves as escalation point if a security breach notification is required
  • Serves as escalation point if an incident is likely to affect public confidence

Lost or Stolen Computing Devices

If a computing device that may contain sensitive data is lost or stolen, including departmental laptops, USB drives, cell phones and other devices, as well as personal computing devices holding sensitive NIC data:

1. Contact the NIC Security Office.

Report the lost or stolen device to NIC Security at 208-769-5905. Please be ready to provide a full description of the event (time, place, etc.).


2. Contact the Business Office.

For NIC-owned devices, report the incident to the Business Office at 208-625-2304.


3. Change your passwords.

Be sure to change your NIC Account passwords and any other password that may have been exposed.


4. (Mobile device only) Contact your mobile device service provider for a remote wipe.

Contact the mobile device service provider and request that the contents of your device be wiped remotely.

Compromised Computing Device

If your NIC-owned device, or a personal device containing sensitive NIC data, is exhibiting symptoms of malware (the most common data security incident), or you suspect the device has been accessed without authorization (for example, your user name and password have been lost or compromised, you responded to a phishing scam, or you suspect someone else has attempted to access your device without your permission):

1. Keep Detailed Notes

Depending on the severity of the incident, you may have to provide details about the incident, including how you first responded, to other staff, management, Legal Counsel, or Internal Audit.


2. STOP using the device.

If you suspect the device is infected with malware, STOP. Keep the system intact, because changes can destroy valuable data related to the incident: powering the device off discards volatile evidence such as running processes, open network connections and memory contents, while anti-virus scans and backups overwrite on-disk artifacts that investigators rely on. Do not turn off the device, run anti-virus software, or attempt to back up data.


3. Contact the IT Department or the NIC Help Desk.

Contact the IT Department as soon as possible. If an IT Administrator is unavailable, call the IT Help Desk at 208-769-3280. Do not email the helpdesk or submit a request for Online Help / Live Chat Support from a potentially compromised device, since whoever controls the device may be able to read or interfere with that communication.

When calling the IT Help Desk, be prepared to provide information about the nature of the incident (e.g., response to a phishing scam), approximate date and time the incident occurred, your email address, and campus phone number.

Data Breach Notification

Pursuant to Idaho State Laws on Identity Theft:

If, after investigating a suspected security breach, the Information Technology Department determines, in coordination with other college officials, that there was unauthorized access to and acquisition of computerized data that materially compromises the security or confidentiality of personal information and is reasonably believed to result in loss or injury, the Information Technology Department will organize notification of affected individuals by written notice to the last known home address of the individual, by e-mail, by telephone, or by substitute notice as allowed.

NIC will also, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general.

“Personal information” is defined as an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

  1. Social Security number
  2. Driver's license number or a State identification card number
  3. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
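
When scoping a breach, the practical question is which rows of the exposed data set actually meet this definition and therefore count toward the individuals to be notified. The following is an added example written for this guideline, not NIC's own tooling: it applies the three-element test above to constructed records, treating masked or encrypted elements as non-qualifying and counting an account number only when the code or password that permits access was exposed with it. The record layout, the masking convention and the "encrypted fields" flag are assumptions for illustration.

```python
"""Scope an exposure against the Idaho 'personal information' definition.

Added example for this guideline, not NIC's own tooling: given records from a
data set believed exposed, decide which ones meet the definition quoted above
(first name or initial plus last name, linked to at least one data element
that is neither encrypted nor redacted) and so count toward the individuals to
be notified. The record layout, the masking convention and the 'encrypted'
flag are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set, Tuple


@dataclass
class ExposedRecord:
    first_name: str = ""            # full first name or just the initial
    last_name: str = ""
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None   # driver's license or state ID number
    account_number: Optional[str] = None    # financial, credit or debit account
    account_secret: Optional[str] = None    # security code, access code or password
    encrypted: Set[str] = field(default_factory=set)  # field names stored encrypted (assumed flag)


# Assumption: redaction renders masked characters as X, * or # (e.g. 'XXX-XX-6789').
MASK = re.compile(r"[X*#]")


def usable(rec: ExposedRecord, name: str) -> bool:
    """An element counts only if present, not encrypted and not redacted."""
    value = getattr(rec, name)
    if not value or name in rec.encrypted:
        return False
    return MASK.search(value) is None


def has_name(rec: ExposedRecord) -> bool:
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def is_personal_information(rec: ExposedRecord) -> bool:
    """True when the record alone would trigger the notification analysis."""
    if not has_name(rec):
        return False
    if usable(rec, "ssn") or usable(rec, "drivers_license"):
        return True
    # An account number qualifies only together with the code or password
    # that would permit access to the account.
    return usable(rec, "account_number") and usable(rec, "account_secret")


def affected_individuals(records: Iterable[ExposedRecord]) -> Set[Tuple[str, str]]:
    """Distinct individuals to notify. Keyed by normalized name here for
    illustration; a real scoping run would key on a student or employee ID."""
    return {
        (r.first_name.strip().lower(), r.last_name.strip().lower())
        for r in records
        if is_personal_information(r)
    }


# Constructed sample rows (not real data) covering the edge cases in the definition.
SAMPLE_RECORDS = [
    ExposedRecord("Jane", "Doe", ssn="123-45-6789"),                         # qualifies
    ExposedRecord("J", "Roe", ssn="XXX-XX-6789"),                            # redacted SSN: no
    ExposedRecord("Sam", "Poe", account_number="4111111111111111"),          # no access code: no
    ExposedRecord("Sam", "Poe", account_number="4111111111111111",
                  account_secret="7321"),                                    # number + code: yes
    ExposedRecord("", "Loe", drivers_license="AB12345"),                     # no name linked: no
    ExposedRecord("Ann", "Moe", drivers_license="CD67890",
                  encrypted={"drivers_license"}),                            # encrypted: no
]

if __name__ == "__main__":
    people = affected_individuals(SAMPLE_RECORDS)
    print(len(people), "individual(s) to notify:", sorted(people))
```

Two of the six constructed rows qualify, and because they describe the same person the notification count is one individual, not two rows. The check is an aid to scoping; whether notification is required in a given case remains a determination made in coordination with college officials and Legal Counsel as described above.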

Electronic Discovery

When a civil lawsuit is filed, the parties engage in a pre-trial process called "discovery" in which each party to the lawsuit may request documents and other evidence from the other parties or compel the production of evidence using subpoenas or other legal instruments.  Any potentially relevant evidence may be subject to discovery, even if that evidence is not admissible at trial. 

Although Electronically Stored Information (ESI) has been subject to discovery for several decades, until recently there were no rules specific to the discovery of ESI.  In 2006, the Federal Rules of Civil Procedure were amended to include several new provisions specific to the preservation and production of ESI. 

ESI is essentially any electronic information that could serve as evidence in civil litigation.  Local hard drives, e-mail, shared storage, backup systems, mobile devices (e.g. cell phones, PDAs, etc.) and removable media (E.g. CDs, DVDs, flash drives, etc.) are all potential sources of ESI.

When civil litigation is reasonably anticipated, North Idaho College must:

  • Preserve historical and prospective ESI from destruction.

If litigation commences, North Idaho College may be required to:

  • Provide a description by category and location of all ESI in its control which may be relevant to the case.
  • Produce ESI in original format if it is relevant, not privileged and reasonably accessible.

The procedures for handling e-discovery compliance at North Idaho College are managed by the Office of General Counsel (OGC) and the Information Technology Department (IT). The OGC is responsible for directing the legal process; IT assists with using technology to fulfill the e-discovery requirements as directed by the OGC.

IT Administrator Practices

The following are recommended best practices for administrators managing electronic data in North Idaho College’s computing environment. These practices should be followed to ensure easier compliance with a litigation hold.

  1. All automated data destruction for users under a litigation hold should be suspended. This includes backup volumes for accounts, computers and email.
  2. Preserve data logs for users under a litigation hold for items such as email forwarding settings, known accounts, shared file systems, cloud service accounts, etc.
  3. Maintain a listing of systems known to house data for users under a litigation hold. Such a list would include user directories, computers, email account locations, and other systems that store data for which the user is a custodian.

Litigation Hold

When litigation is "reasonably anticipated," the Office of General Counsel will issue litigation hold memos to any faculty or staff who may possess potentially relevant information or documents (both electronically stored information and information in paper form). You may receive a litigation hold directly from the Office of General Counsel or it may be forwarded to you by a supervisor or a colleague. Appropriate system administrators and other IT staff are typically included on litigation hold distributions.

Note that any electronic device that contains electronic data that might be relevant to a case is subject to the litigation hold.  This includes but is not necessarily limited to NIC owned computers, NIC licensed cloud services, personal computers, personally contracted cloud services, PDAs, cell phones, data drives or other removable media, backup media, etc.

Upon Receipt of a Litigation Hold

The following steps should be taken to ensure compliance upon receipt of a litigation hold.

  1. Suspend deletion, overwriting, or any other destruction of electronic information that might be relevant to the case. This includes electronic information wherever it is stored: at your workstation, on a laptop, on a shared file system, in the cloud, or at home. It includes all forms of electronic information, e.g., email, word processing documents, calendar entries, voice messages, videos, photographs, information on PDAs, etc.
  2. Consider creating separate folders for email and files to contain data relevant or potentially relevant to the case.
  3. Check with local IT staff or other computer support staff to ensure that any data stored on servers, or backups of such data, is retained.
  4. If your computer or any other source of potentially relevant data is not being backed up, contact your departmental computing staff or the Information Technology Department (IT) to discuss options to ensure that the data is retained.
  5. Take steps to understand where files and email are being stored. In many cases this can include local computer disk(s), a network file system, email servers, cloud services, or other systems. IT staff may be able to help to determine where data is stored.
  6. If a computer is being replaced (e.g., as part of an upgrade cycle) or decommissioned, contact IT and the Office of General Counsel (OGC) before any actions are taken. A copy of the existing data may need to be preserved prior to the upgrade or decommissioning.
  7. If your email is being migrated to a different mail system, contact IT and the OGC prior to the migration. A copy of the existing, pre-migration data may need to be preserved.
  8. If possible, consider moving any relevant data to a network file system that is regularly backed up. Centrally or departmentally supported systems are often safer repositories than a local computer.
  9. If relevant data is stored on removable media (CDs, DVDs, external hard drives, etc.), contact the Information Security Office (ISO) and the OGC to determine if preservation copies should be made.
  10. Any hard-copy documents under your control that may be relevant to the case should also be preserved.

Revocation of a Litigation Hold

Generally, litigation holds remain in effect until the statute of limitations has expired with respect to anticipated claims or, if litigation has commenced, when the lawsuit and all appeals have been concluded. Upon notification from General Counsel that a litigation hold has been revoked, users may elect to delete any data that was being retained due to the litigation hold, provided that deleting the data would not conflict with any standard operating procedures or data retention practices within their business unit.

HIPAA Breach Notification

On September 23, 2013, the “HIPAA Omnibus Rule” took effect modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules and implementing various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This rule provides for the notification of individuals following a breach of their unsecured protected health information.

Unsecured protected health information is defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.

If, after investigating a suspected security breach, the Information Security Office determines that unsecured protected health information was or is reasonably believed to have been accessed, acquired, used, or disclosed in a manner not permitted, and NIC cannot demonstrate a low probability of compromise based on a risk assessment of the following factors, the Information Security Office will coordinate with covered components to notify affected individuals, following the methods required by 45 C.F.R. § 164.404:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed;
  • The extent to which the risk to the protected health information has been mitigated.

Media Notification:

If it is determined that a breach of unsecured protected health information involves more than 500 residents of a state or jurisdiction, the Information Technology Department will coordinate with covered components to notify prominent media outlets serving the affected area, as required by 45 C.F.R. § 164.406.

Federal Notification:

For all breaches affecting fewer than 500 individuals, the Information Technology Department will coordinate with covered components to submit notice of all such breaches discovered in the prior calendar year to the Department of Health and Human Services (HHS) via the HHS website. This notice will be submitted to HHS on an annual basis, no later than sixty (60) days after the end of each calendar year. For all breaches affecting 500 or more individuals, the Information Technology Department will coordinate with covered components to provide notice to HHS contemporaneously with the notification of affected individuals.

To fulfill burden of proof requirements, the Information Technology Department will coordinate with covered components to document that all notifications were made or that the use or disclosure did not constitute a breach.
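
The media and HHS thresholds above are easy to conflate: the media trigger is per state or jurisdiction and strictly greater than 500, while the HHS trigger is on the total and is 500 or more, so a breach split 300/300 across two states needs contemporaneous HHS notice but no media notice. The following is an added example written for this guideline, not NIC's own tooling, that works through those boundaries on constructed findings. The thresholds follow the rule as summarized above; the 60-day outer limit for individual notice after discovery comes from 45 C.F.R. § 164.404(b) and is not stated on this page, and the finding layout is an assumption for illustration.

```python
"""Work out which HIPAA breach notifications a finding triggers.

Added example for this guideline; it is not NIC's tooling. Thresholds follow
the rule as summarized above (45 C.F.R. 164.404-164.408): individual notice
unless the four-factor risk assessment shows a low probability of compromise;
media notice when more than 500 residents of a single state or jurisdiction
are affected; notice to HHS at the same time as individual notice when 500 or
more individuals in total are affected, otherwise via the annual log due
within 60 days after the end of the calendar year of discovery. The 60-day
outer limit for individual notice (164.404(b)) is not stated on the page. The
finding layout is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class BreachFinding:
    discovered: date
    # state/jurisdiction -> number of its residents whose PHI was involved (assumed layout)
    affected_by_state: Dict[str, int]
    # outcome of the risk assessment over the four factors listed above
    low_probability_of_compromise: bool


@dataclass
class Obligations:
    individual_notice: bool
    individual_due: Optional[date]
    media_notice: List[str]          # jurisdictions needing prominent-media notice
    hhs_notice: str                  # "none", "contemporaneous" or "annual_log"
    hhs_due: Optional[date]


def total_affected(finding: BreachFinding) -> int:
    return sum(finding.affected_by_state.values())


def notification_obligations(finding: BreachFinding) -> Obligations:
    if finding.low_probability_of_compromise:
        # Not a reportable breach; the risk assessment itself must still be documented.
        return Obligations(False, None, [], "none", None)

    individual_due = finding.discovered + timedelta(days=60)
    # Media threshold is per jurisdiction and strictly greater than 500.
    media = sorted(s for s, n in finding.affected_by_state.items() if n > 500)

    # HHS threshold is on the total and is 500 or more.
    if total_affected(finding) >= 500:
        hhs, hhs_due = "contemporaneous", individual_due
    else:
        year_end = date(finding.discovered.year, 12, 31)
        hhs, hhs_due = "annual_log", year_end + timedelta(days=60)
    return Obligations(True, individual_due, media, hhs, hhs_due)


# Constructed findings (not real incidents) sitting on the boundaries that get confused.
SPLIT_ACROSS_STATES = BreachFinding(date(2018, 3, 10), {"ID": 300, "WA": 300}, False)
EXACTLY_500_ONE_STATE = BreachFinding(date(2018, 3, 10), {"ID": 500}, False)
OVER_500_ONE_STATE = BreachFinding(date(2018, 3, 10), {"ID": 501}, False)
SMALL = BreachFinding(date(2018, 3, 10), {"ID": 40}, False)
LOW_RISK = BreachFinding(date(2018, 3, 10), {"ID": 900}, True)

if __name__ == "__main__":
    cases = [("split", SPLIT_ACROSS_STATES), ("exactly_500", EXACTLY_500_ONE_STATE),
             ("over_500", OVER_500_ONE_STATE), ("small", SMALL), ("low_risk", LOW_RISK)]
    for name, finding in cases:
        print(name, notification_obligations(finding))
```

The output of the decision is a worklist, not a substitute for the risk assessment: the `low_probability_of_compromise` input is the conclusion the Information Security Office reaches over the four factors above, and the burden-of-proof documentation applies whichever branch is taken.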

Note: Joint Guidance on the Application of FERPA and HIPAA to Student Health Records maintains that FERPA, not HIPAA, governs the health records of students.

Details

Article ID: 46227
Created: Thu 1/11/18 1:56 PM
Modified: Mon 7/16/18 9:52 AM