The university has established operational incident-handling capabilities designed to reduce the impact of security incidents; including preparation, detection, analysis, containment, recovery, and user response activities. Service availability falls under this incident response standard.
This policy applies to all directors, information resource owners and third parties who are responsible for University data or information resources, including research and secure research cloud.
Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (eg, FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.
Example:
NIST 800-171 references the following security requirements within the Security Assessment family:
3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Incident Response Training [800.53 IR-2]
Incident Response Testing [800.53 IR-3]
The following information will be emailed to all LTS, every July, as a reminder of the Incident Response Process.
Link to LTS Incident Response Procedure
Link to LTS Retrospectives
Define who can declare an incident
Provide guidance on when an incident should be declared
Process to follow when incident is declared
Defined roles such as incident owner
Communications and updates to users impacted by the incident
Communications to LTS leadership for updates on the incident
Closure of the incident
Retrospective for the incident
Process to be reviewed annually by Director, TIO and the CISO
Illegal, disruptive or suspicious activity involving University information resources can be reported to the Help Desk.
The University CISO is responsible for ensuring that security incidents are triaged in a timely manner and escalated to the Lehigh University Police Department, Office of General Counsel, and to various external agents as required by various laws and regulations.
The Incident Response standard is created under the Information Security Policy.
We often encounter situations where we notice unusual behavior with a server, service, or application but the situation is not yet a full incident. In those cases, we encourage the user of the #operations channel for transparency and discussion.
List any terms used in this standard which need to be defined for the readers understanding.
Incident
An incident is an unplanned interruption to a service or a reduction in the quality of a service. Incidents require immediate attention to restore normal operations as quickly as possible to minimize business impact.
Event
An event is any observable occurrence in a system, service, or network. Events can be informational, warning, or critical and are often generated by monitoring tools. Not all events lead to incidents, some are routine, while others may indicate potential issues before they become incidents.
Severity
Severity refers to the impact level of an incident on business operations. Higher severity levels demand immediate response and resolution.
Critical (Severity 1) – System-wide outage affecting all users. (e.g., University wireless is down campus-wide.)
High (Severity 2) – Major functionality is affected but workarounds exist. (e.g., Email service is slow but still functioning.)
Medium (Severity 3) – Some users are affected, but the core system works.
Low (Severity 4 or 5) – Minor issue, no significant business impact.
LTS Alerts
System used by LTS to alert our community if there is an incident or planned maintenance happening. Our status page is at https://lehigh.statuspage.io .
Date | Version | Description | Approval |
|---|---|---|---|
| 1.3 | Added terms | |
1.2 | Changed PM to Retrospective | Approved | |
1.1 | Update to include guidance on #operations | Draft | |
1.0 | Final Original Document | Approved | |
| 0.1 | Original Document | Draft |