ITS005 - Information Security Incident Response Policy

Purpose:

The purpose of this document is to set out the scope of authorised IT Services Group response activities in the event of an information security incident.

Information security incidents can occur at any time of the day or night and often require an immediate response. This Policy enables the IT Services Group, acting on behalf of the University Vice-Chancellor, to apply the Information Security Policy in an agile and effective manner.

Scope:

This Policy applies to the management of information security incidents which breach the University’s Information Security Policy.

This Policy is subordinate to the Macquarie University Information Security Policy and Computer Surveillance Policy.

Definitions

Authorised Access – Access that is explicitly permitted by University policy or procedure.

Information Security – The preservation of the confidentiality, integrity and availability of information.

Information Security Incident – A violation of the University’s Information Security Policy. Examples include attempts to gain unauthorised access (hacking) to computer systems belonging to the University or to other organisations, and the distribution of illegal or malicious content such as spam email, viruses, or software protected under the Copyright Act.

Computer Incident Response Team (CIRT) – A team which will develop and implement responses to information security incidents. The CIRT will act under the direction of the CIRT Manager and will be dynamically composed of personnel who are best positioned to provide an effective response in the context of the specific incident.

Computer Incident Response Team Manager – The CIRT Manager will be either the IT Risk Manager or a delegate of the Director, IT Services.

University Staff – This includes permanent staff, contractors, consultants and other agencies of the University.

Information System – Any tangible item, such as hardware, software, communications facilities and networks, used to store, process or transmit Information Assets owned, controlled or hosted by Macquarie University.

Policy / Principles
Authorisation to Respond to Information Security Incidents

1. The CIRT Manager has delegated Authority to enforce the Information Security Policy.

2. Information security incident resolution will be managed in five distinct stages:

  1. Containment of the information security incident
  2. Notification of the business owners of impacted systems
  3. Collection of data relating to the information security incident
  4. Remediation of affected services
  5. Escalation

Containment of Information Security Incidents

3. The general principle for response to information security incidents is to stop the impact of the incident in the first instance and then to work towards resolving the underlying issue. Where possible, incident response activities will attempt to minimise the impact on legitimate University business.

4. The CIRT Manager is authorised to take action in order to stop or control information security incidents which represent a current or imminent risk of:

  • breaching University policy;
  • breaching relevant legislation; or
  • damaging IT assets (including data).

5. Potential information security incidents which fall outside this scope will be escalated to the Deputy Vice-Chancellor and Chief Operating Officer, who will, if appropriate, authorise immediate containment activities.

6. Containment actions taken by the CIRT may include but are not limited to:

  • disabling access to Macquarie University networks in order to contain a security incident. An example of this would be to disable network access for a computer which has been reported to be distributing illegal or malicious content (e.g. material that infringes copyright, spam, viruses);

  • disabling system access by locking an account. This may be required if there is a reasonable suspicion that an account may have been compromised;

  • isolating and temporarily impounding the affected computer so as to preserve any evidence which may be present on the computer’s storage device(s); or

  • isolating sub network access to the Macquarie University network and internet gateways. This may be required to contain the impact of a denial of service attack.

Notifications

7. The CIRT will make reasonable attempts to notify the owners of the information systems which are either being impacted or suspected of being impacted by an information security incident.

8. If there are reasonable grounds to believe that criminal or other charges may be laid in relation to the incident, then the incident will be referred to the University’s Legal Counsel in the first instance.

Collection of Information Security Incident Data

9. Any CIRT activities involving the collection and handling of data will be consistent with Macquarie University policies and confidentiality requirements, including the Computer Surveillance Policy.

10. Where appropriate, data relating to information security incidents will be collected and handled by the CIRT in a way which will allow the University to use it as evidence in judicial or administrative proceedings if it chooses to do so. The types of data collected for this purpose may include logs from University owned systems or complete electronic copies of information held on University owned systems.

Remediation of Impacted Services

11. For systems owned by the University, once the CIRT has completed its investigation of the incident and collected any relevant information, the CIRT Manager will coordinate the deployment of controls or countermeasures to ensure that the incident does not recur once the service is resumed. Examples of controls include but are not limited to:

  • modifying firewall rules or device configurations;
  • applying security patches or recommending such actions where appropriate;
  • updating virus signatures; or
  • rebuilding systems from known good media (e.g. using gold disks).

12. Systems which are not owned by the University but which are connected to the Macquarie Network will be re-connected to the Macquarie Network once the System Owner has demonstrated to the CIRT Manager that the information security incident has been satisfactorily resolved. This may require the System Owner to implement similar controls in their systems to those defined above.

13. Once the controls have been implemented and verified by the CIRT Manager, then the CIRT Manager will authorise the reactivation of the disabled service.

14. If evidence of a breach of the Information Security Policy cannot be established, or if the incident has been satisfactorily resolved, then the CIRT Manager will be responsible for the restoration of disabled network services or accounts. Services and accounts will be reactivated as soon as it is practical to do so.

Escalation

15. The CIRT will be responsible for the enforcement of the Information Security Policy. Any subsequent disciplinary or legal actions will be at the discretion of the appropriate University Authority.

16. An Information Security Incident Report will be provided to the Deputy Vice-Chancellor and Chief Operating Officer by the CIRT Manager for any significant information security incidents. The report will provide root cause, actions taken and any further recommendations. In order to maintain procedural due process this report will not identify any student or staff member who may be involved in the incident.

17. If the information security incident involves a member of staff, then the incident will be reported by the CIRT Manager to the Staff Member’s Supervisor. The report will include recommendations for follow up activities, which may include training or replacing IT equipment. Where appropriate, the Supervisor may pursue the matter in accordance with the University’s policies and procedures pertaining to misconduct and serious misconduct.

18. If the information security incident involves a student of the University, then the matter will be referred by the CIRT Manager to the Registrar & Vice Principal. The Registrar & Vice Principal will consider appropriate action, which may include referring the matter to the Misconduct Committee.

19. If the information security incident involves parties outside of the University and these parties can be identified through investigation by the CIRT, then the matter will be referred to the Deputy Vice-Chancellor and Chief Operating Officer and the University’s Legal Counsel.

20. If the information security incident involves any loss or damage to the University it may choose to exercise its full legal rights to pursue any legal options available to it.

External Communications

21. University staff (including the CIRT) are not authorised to liaise directly with external agencies regarding information security incidents. Enquiries or demands from external agencies for information owned by or under the custody of the University will be directed to the University’s Legal Counsel. This includes requests from law enforcement agencies, government departments and private corporations.

22. University staff (including the CIRT) are not authorised to respond to questions from media representatives regarding information security incidents. All media requests will be directed to the Public Relations and Marketing Unit in accordance with the Macquarie University Media policy.

23. If there is likelihood that media organisations will contact the University in relation to the information security incident, then the CIRT Manager will provide a briefing to the Public Relations and Marketing Unit as soon as it is practical to do so.

References and Further Information

Policy issues should be directed to the IT Risk Manager.

Approval

This policy was approved by the Deputy Vice-Chancellor and Chief Operating Officer on 30 March 2007.

  • Last Updated: Mon, 20 Aug 2007 10:55:52 AEST
  • Authorised by: Director, IT Services