The purpose of this document is to outline procedures and guidelines for responding to CSUSM information security incidents. This procedure provides for a coordinated response from Information Security, the Computer Security Incident Response Team (CSIRT), and others involved in the investigation and follow-up of reported information security incidents.
This procedure applies to the response to all CSUSM information security events reported to the IT information security team and covers both CSUSM and its auxiliary organizations.
3.1. Information Security Officer (ISO)
3.2. Campus Organizations and Data Stewards
3.3. Computer Security Incident Response Team
The ISO receives incident reports from many areas: Help Desk, Network Operations, Campus Divisions, and the public. The ISO will assign the incident severity level, based on the initial information received.
4.1. High Severity Incidents
Definition - A high severity incident is one which may have long-term or widespread effects on campus business operations, which may damage the campus reputation, or which may indicate a violation of state or federal law. Examples of high severity incidents include but are not limited to:
4.1.1 Initial Activities - The ISO or designee will immediately contact the individual who reported the incident to obtain an initial understanding of the scope of the incident. As needed, the ISO will call an emergency CSIRT meeting to determine appropriate next steps, and the ISO or designee will prepare a CSIRT interim report, which will include a description of the incident, the number of individuals affected, and the remedial steps that will be taken to address the cause of the incident.
4.1.2 Payment Card Information Breach - The ISO or designee will determine whether circumstances suggest that the incident has resulted or may result in the loss of payment card data. If so, the ISO or designee will convene a PCI incident response team to ensure compliance with the PCI DSS requirements for incident reporting.
4.1.3 Police - The ISO or designee will notify University Police and work with officers and investigators as appropriate. Where there appears to be a threat to the safety of persons, the ISO or designee shall contact University Police Dispatch to ensure that the matter receives appropriate attention.
4.1.4 Legal Counsel - Legal counsel will be engaged in the event there is a violation of law or unauthorized disclosure of protected information.
4.1.5 CSU Notification - The ISO will inform the CIO. Either the ISO or the CIO will inform the campus President and the ISO at the Chancellor’s Office.
4.1.6 Victim Notification - If the situation requires notification of individuals under California law, the CIO will coordinate with the Office of Communications and other stakeholders as necessary. The notification letter will be mailed with return receipt requested, with the receipt responses directed to the ISO. For groups of fewer than fifty (50) individuals, notifications will be sent by certified mail, return receipt requested.
4.1.7 Public Communications - The Office of Communications will prepare talking points for use, if necessary, in response to campus or media questions. Talking points should be shared with the following people:
4.1.8 Final Report - The ISO or designee will prepare a final written report to share with the CSIRT team, including recommendations to the management staff of the campus unit for addressing the causes of the incident.
4.2 Medium Severity Incidents
Definition - The threat of a future attack, or the detection of reconnaissance against the network systems of California State University San Marcos, is considered medium severity. Any incident that has a strong possibility of impacting a large portion of the campus is also considered medium severity. Examples of medium severity incidents include but are not limited to:
4.2.1 Initial Steps - The ISO or designee will immediately contact the individual who reported the incident to obtain an initial understanding of its scope. The ISO will review the severity of the incident and determine whether a CSIRT meeting needs to be called to determine appropriate next steps.
4.2.2 Notification - The stakeholders of the incident will be notified. Depending upon the impact to the campus, the notification process may also involve the CIO, the Vice President for University Advancement, the Provost, and the President of the University.
4.3 Low Severity Incident
Definition - Low severity incidents affect only one or a few individuals. Incidents that are considered low severity can be handled by IITS personnel and do not require escalation to other departments. Low severity incidents pose no imminent threat to campus systems and no imminent risk of exposure of protected information. Examples include but are not limited to:
5. Incident Investigation and Mitigation
5.1 All information security incidents will be recorded and investigated in a timely manner.
5.2 Upon completion of the investigation, incidents will be reviewed by management.
5.3 All High and Medium Severity incidents shall be assigned a unique case number.
5.4 Coordination of the incident may include but is not limited to the following: