Incident Response Standard
Description
The university has established operational incident-handling capabilities designed to reduce the impact of security incidents; including preparation, detection, analysis, containment, recovery, and user response activities. Service availability falls under this incident response standard.
Scope
This policy applies to all directors, information resource owners and third parties who are responsible for University data or information resources, including research and secure research cloud.
Security Requirements
Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (eg, FERPA, HIPAA, GDPR, PCI, and others).
NIST 800-171 references the following security requirements within the Security Assessment family:
3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Incident Response Training [800.53 IR-2]
Incident Response Testing [800.53 IR-3]
Incident Response Training
The following information will be emailed to all LTS, every July, as a reminder of the Incident Response Process. Incident response testing shall include an annual tabletop exercise. Exercise results shall be used to update IR procedures.
Link to LTS Incident Response Procedure
Link to LTS Retrospectives
Incident Handling and Response Reporting
Incident Classification
Before following any incident response procedure, determine whether you are dealing with a Security Incident or an IT Operations Incident.
You are likely dealing with a Security Incident if any of the following apply:
A vendor or third party has notified Lehigh of unauthorized access to their systems that may affect Lehigh accounts or data
You suspect unauthorized access to a Lehigh account, system, or data
You received an unusual request via email involving financial transactions, wire transfers, gift cards, or credential input
You observe evidence of malware, ransomware, or system behavior consistent with compromise
Data may have been accessed, modified, or exfiltrated without authorization
There are indicators of phishing, account spoofing, or credential theft
If this is a Security Incident: Notify the CISO immediately and follow the Security Incident Response Procedure.
You are likely dealing with an IT Operations Incident if any of the following apply:
A system, service, or application is unavailable or degraded with no signs of malicious cause
A configuration change, software update, or hardware failure is causing service disruption
Users cannot access a service due to a technical problem with no suspected security involvement
If this is an IT Operations Incident: Follow the Incident Response Procedure and declare in Slack #incidentmanagement.
Incident response process that must include the following.
Define who can declare an incident
Provide guidance on when an incident should be declared
Process to follow when incident is declared
Defined roles such as incident owner
Communications and updates to users impacted by the incident
Communications to LTS leadership for updates on the incident
Closure of the incident
Retrospective for the incident
Process to be reviewed annually by Director, TIO and the CISO
Illegal, disruptive or suspicious activity involving University information resources can be reported to the Help Desk.
The University CISO is the accountable owner for security incident response. Operational responsibilities during a security incident are defined in the Security Incident Response Procedure.
Related
The Incident Response standard is created under the Information Security Policy.
We often encounter situations where we notice unusual behavior with a server, service, or application but the situation is not yet a full incident. In those cases, we encourage the user of the #operations channel for transparency and discussion.
Definitions
Incident
An incident is an unplanned interruption to a service or a reduction in the quality of a service. Incidents require immediate attention to restore normal operations as quickly as possible to minimize business impact.
Event
An event is any observable occurrence in a system, service, or network. Events can be informational, warning, or critical and are often generated by monitoring tools. Not all events lead to incidents, some are routine, while others may indicate potential issues before they become incidents.
Severity
Severity | IT Operations Indicators | Security Incident Indicators |
|---|---|---|
Critical (Severity 1) | System-wide outage affecting all users. (e.g., University wireless is down campus-wide.) | Active ransomware or destructive malware; confirmed exfiltration of regulated data; financial fraud confirmed at any amount |
High (Severity 2) | Major functionality is affected but workarounds exist. (e.g., Email service is slow but still functioning.) | Confirmed unauthorized access to privileged accounts; vendor breach with confirmed Lehigh data access; BEC with pending or executed wire transfer |
Medium (Severity 3) | Some users are affected, but the core system works. | Suspected security incident under active investigation; vendor notification with unclear Lehigh impact; credential compromise of limited scope |
Low (Severity 4 or 5) |
| Security event under monitoring; suspicious activity not yet confirmed as compromise |
LTS Alerts
System used by LTS to alert our community if there is an incident or planned maintenance happening. Our status page is at https://lehigh.statuspage.io .
Revision History
Date | Version | Description | Approval |
|---|---|---|---|
Mar 30, 2026 | 1.4 | CISO Approval | Approved |
Feb 24, 2026 | 1.4 | Distinguish between IT OPS issue and security event, insert table with severity for each type | Draft |
Mar 11, 2025 | 1.3 | Added terms | Approved |
Nov 15, 2023 | 1.2 | Changed PM to Retrospective | Approved |
Jan 16, 2023 | 1.1 | Update to include guidance on #operations | Draft |
Sep 29, 2021 | 1.0 | Final Original Document | Approved |
Aug 3, 2021 | 0.1 | Original Document | Draft |