Fayetteville Policies and Procedures 911.0

Data Security Incident Response

  1. Overview
    Data security threats, both physical and virtual, can damage data and/or be disruptive to the university. The university's process of identifying, protecting, detecting, responding, and recovering from security incidents can have a significant impact on reducing the frequency and severity of incidents. The handling of potential incidents impacting data and data resources maintained by the University of Arkansas requires a coordinated, collaborative, and consistent approach. It is the responsibility of university staff and faculty to report all potential or actual security incidents to UITS. The Office of the Chief Information Security Officer (CISO) is charged with leading incident response for all data security events and reporting security events to Arkansas Legislative Audit.

  2. Purpose
    The purpose of this policy is to define and document the university’s response to data security incidents. 

  3. Scope
    This policy is applicable to all university data, infrastructure, information systems, and network segments. The policy is applicable to everyone who is associated with the University of Arkansas or has access to its systems, data resources, or services.

  4. Definitions
    Incident: An electronic, physical, or social engineering event that adversely impacts the confidentiality, integrity, or availability of data or information systems, or an action inconsistent with computing policies, standards, or codes of conduct.

    Incident Response Team (IRT): A collaborative team comprising subject matter expert(s), members of the Office of the CISO, and other staff, faculty, or outside forensic experts as required by the incident. The IRT investigates, halts, and remediates incidents pursuant to an incident response process maintained internally by UITS. It is the responsibility of the IRT to remediate risk or harm resulting from a data security incident, provide an incident analysis / lessons learned, and to propose mitigating controls that will prevent similar incidents.

  5. Policy
    Users of university data resources must, as soon as possible, report to UITS or the Office of the CISO all events involving the possible unauthorized access to, or other compromise of, university data and information systems.
    1. Reporting and Response Requirements
      1. Reportable incidents include:
        1. Loss or theft of computers, devices, or media where University data was stored.
        2. Unauthorized entry into offices or work areas, where it is reasonable to believe that data categorized above public may have been accessible to unauthorized personnel.
        3. Intrusion by malware, unauthorized software, or unauthorized access via the university network into data resources.
        4. Any other circumstances where it is reasonable to believe that the confidentiality, availability, or integrity of data classified higher than public has been compromised.
      2. Special cases:
        1. The reporting requirements described in this policy fully apply to circumstances where personal computers, devices, media, services, or other data resources are used for university business. Ownership of the resource does not affect the requirement to report incidents involving university data.
        2. Due to legal, contractual, or other requirements, it may be necessary for the university to isolate computers, devices, services, or other resources in order to preserve evidence and prevent further loss.
        3. If an incident involves a compromised computer system:
          1. Do not alter the state of the computer system. The computer system should remain on, with everything currently running left as is. Do not shut down or restart the computer.
          2. Immediately disconnect the computer from the network by removing the network cable from the back of the computer or by turning off Wi-Fi.
          3. Document all relevant information you know while waiting for the Office of the CISO to respond to the incident.
        4. Additional reporting and response requirements may apply for special types of data covered by laws or regulations, contracts, or policies.
    2. Incident Response:
      The overall incident response process includes investigation and analysis, containment, eradication, recovery, and post-incident activity. This plan outlines general tasks for incident response and is supplemented by internal guidelines and procedures that describe the use of security tools and/or channels of communication:
      1. Investigation: This phase includes initial classification of the incident, formal incident declaration, and initial formation of an IRT, as well as sub-procedures for scoping, prioritization, escalation, communication, and halting damage.
      2. Analysis: This is a review / investigation into the scope of the incident, including affected systems and infrastructure. This investigation is conducted by the Incident Response Team. The IRT will review logs, configurations, systems, and data structures to determine the method of attack, tools of the attack, and level of damage or loss.
      3. Containment, Eradication & Recovery: The following key steps will be taken in most incident responses, as applicable:
        1. Containment: The affected host, systems, accounts, and data resources are identified and isolated, or otherwise contained to their current infrastructure.
        2. Eradication: Illegitimate access is removed, malware is deleted, and any environmental changes put in place by unauthorized persons are corrected.
        3. Recovery: Systems are restored to normal operation, with confirmation that systems are functioning normally and services are back up and running.
        4. Post Incident Activity: The incident is reviewed to understand what happened, what went wrong, how well the response was implemented/managed, areas of improvement, and remediation of vulnerabilities to prevent similar incidents.
      4. Incident Notification: When an incident has been analyzed and prioritized, the IRT will notify the appropriate individuals. Exact reporting requirements will vary with each incident, but parties that are typically notified include the CISO, Arkansas Legislative Audit, the unit lead, dean, vice chancellor for finance and administration, compliance officers, the Office of General Counsel, and in some cases external vendors, law enforcement, regulatory authorities, and affected individuals.
      5. Documentation: Records relevant to the incident are preserved and maintained according to the incident response process maintained internally by UITS. These can include emails, system data, log data, analysis materials, and investigatory notes.
    3. Testing and Adaptation:
      The Office of the CISO will periodically review lessons learned after an incident or formal incident response testing and incorporate such lessons into broader data security incident response planning. Updates made to the incident response process maintained internally by UITS must be approved by the CISO and communicated to relevant personnel.

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices.

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

  9. References
    Data Classification Policy
    Ark. Code Ann. § 10-4-429

August 8, 2022