Incident Response Standard

Description

The university has established operational incident-handling capabilities designed to reduce the impact of security incidents; including preparation, detection, analysis, containment, recovery, and user response activities. Service availability falls under this incident response standard.

Scope

This policy applies to all directors, information resource owners and third parties who are responsible for University data or information resources, including research and secure research cloud.

Security Requirements

Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (eg, FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.

Example:

NIST 800-171 references the following security requirements within the Security Assessment family:

• 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

• 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

• Incident Response Training [800.53 IR-2]

• Incident Response Testing  [800.53 IR-3]    

Incident Response Training

The following information will be emailed to all LTS, every July, as a reminder of the Incident Response Process.

• Link to LTS Incident Response Procedure

• Link to LTS Retrospectives

Incident Handling and Response Reporting

Incident response process that must include the following.

• Define who can declare an incident

• Provide guidance on when an incident should be declared

• Process to follow when incident is declared

• Defined roles such as incident owner

• Communications and updates to users impacted by the incident

• Communications to LTS leadership for updates on the incident

• Closure of the incident

• Retrospective for the incident

• Process to be reviewed annually by Director, TIO and the CISO

Illegal, disruptive or suspicious activity involving University information resources can be reported to the Help Desk.

The University CISO is responsible for ensuring that security incidents are triaged in a timely manner and escalated to the Lehigh University Police Department, Office of General Counsel, and to various external agents as required by various laws and regulations.

Related

The Incident Response standard is created under the Information Security Policy.
We often encounter situations where we notice unusual behavior with a server, service, or application but the situation is not yet a full incident. In those cases, we encourage the user of the #operations channel for transparency and discussion.

Definitions

List any terms used in this standard which need to be defined for the readers understanding.

• Incident

  • An incident is an unplanned interruption to a service or a reduction in the quality of a service. Incidents require immediate attention to restore normal operations as quickly as possible to minimize business impact.

• Event

  • An event is any observable occurrence in a system, service, or network. Events can be informational, warning, or critical and are often generated by monitoring tools. Not all events lead to incidents, some are routine, while others may indicate potential issues before they become incidents.

• Severity

  • Severity refers to the impact level of an incident on business operations. Higher severity levels demand immediate response and resolution.

    • Critical (Severity 1) – System-wide outage affecting all users. (e.g., University wireless is down campus-wide.)

    • High (Severity 2) – Major functionality is affected but workarounds exist. (e.g., Email service is slow but still functioning.)

    • Medium (Severity 3) – Some users are affected, but the core system works.

    • Low (Severity 4 or 5) – Minor issue, no significant business impact.

  • LTS Alerts

    • System used by LTS to alert our community if there is an incident or planned maintenance happening. Our status page is at https://lehigh.statuspage.io .

Revision History