Information Security Incident Response Team (ISIRT) Organizational by peisty474


 Information Security Incident Response Team (ISIRT)
 Organizational Structure and Delineation of Roles and

 To supplement Western Michigan University’s security infrastructure and to investigate and
 minimize the threat of damage resulting from a breach of restricted/confidential or internal
 data of the university.

 Incident Response Working Group
 The existing Campus Information Security Committee will serve as the working group and is
 the ISIRT’s steering committee. They are charged with establishing the basic policies and
 procedures that will be employed by the ISIRT and may be called upon to oversee team
 activities. This group appoints the pool of Incident Officers and Incident Response Team

 Incident Officer
 The Incident Officer is an individual who is selected to oversee and direct the ISIRT actions
 as well as to act as the single point of contact for the given incident. The Incident Officer
 typically also will be responsible for ensuring that specific information is communicated to
 management in a timely fashion. This individual will be assigned by the CIO based on the
 information breach in question (e.g., credit card data, student data, HIPAA) and in
 consultation with the representative group. In all cases the Incident Officer will have
 received mandatory training on coordinating an incident response plan and will be
 instrumental in the development of specific procedures for a given security breach.

 Information Security Incident Response Team - Definition and Charge
 The Security Incident Response Team is a group of individuals who have been trained in
 incident management, each having distinct response roles. The ISIRT works under the
 direction of the Incident Officer.

 The Information Security Incident Response Team is tasked with the following
 • processes IT security complaints or incidents.
 • assesses threats to IT resources.
 • alerts IT managers of imminent threats.
 • determines incident severity and escalates it, if necessary, with notification to CIO and
    President’s Senior Staff.
 • coordinates security incidents (level 2 or 3) from discovery to closure.
 • reviews incidents, provides solutions/resolutions and closure.

 ISIRT Membership
 Each incident could require various campus constituents and personnel to be available for
 investigation and remediation. The Incident Officer will select from the organizational units
 deemed technically proficient to provide their expertise to the particular incident. The
 following university organizational units may be convened depending on the incident

Purpose                                          Unit
Campus PCI Compliance Officer                    Accounting Services
Direction and oversight for IT issues            OIT CIO
Expertise within departmental IT                 Local System Administrators
Forensic expertise                               Public Safety
ISIRT direction and oversight                    Incident Officer
Networking security expertise                    Network Operations
Overall direction for campus emergency           Emergency Management
response plans
Programming expertise                            OIT Applications
Public communications and responding to          University Relations
press inquiries
Regulation and policy expertise                  Internal Audit
                                                 General Counsel’s Office
                                                 OIT Planning – Security Officers
Regulation and policy expertise as it pertains   Human Resources
to an employee data incident
Regulation and policy expertise as it pertains   Accounting Services
to a student data incident                       Vice President of Student Affairs
Regulation and policy expertise as it pertains   Enrollment Management
to financial aid, registration or admission
data of a student
System and hardware expertise                    OIT Operations

 Summary of Responsibilities for key personnel
 Incident Officer
 • Be periodically trained in handling data security breaches
 • Be knowledgeable of the policies and procedures for identifying and remediating a
    breach of restricted/confidential, internal, as well as public data for the particular
    category as outlined below.
 • Declare a critical incident and form an ISIRT from a pool of trained members
 • Communicate to IT services leadership that an incident has been declared and an ISIRT

 Category of data breach                           Incident Officer
 Credit card data                                  Director, Accounting Services
 Employee personnel records                        Director, Human Resources
 Financial data                                    Director, Accounting Services
 Donor and Alumni data                             Director, Advancement Services,
                                                   Development Office
 Human subjects data                               VP of Research
 Parking services data                             Captain of Services, Parking Services
 Public Safety data – ID card, etc.                Director, Public Safety
 Protected health information (HIPAA)              University HIPAA Privacy and Contact Officer
 Personally identifiable health information –      Chair, Psychology Department
 Clinical Psychology
 Personally identifiable health information –      Director, Center for Counseling and
 Counseling and Psychological Services             Psychological Services
 Personally identifiable health information –      Director, University Counseling and Testing
 Counseling Center                                 Center
 Personally identifiable health information –      Director, WMU Unified Clinics
 Unified Clinics
 Student FERPA data                                Registrar
 Student financial aid records                     Director, Student Financial Aid
 Other institutional data – BroncoNetID, etc.      Chief Information Officer

Chief Information Officer
• Assign a corresponding Incident Officer based on the category of data breach
• Communicate status of critical incidents to the Senior Staff
• Forward briefings to University Relations
• Distribute Incident Response Policy

Incident Response Working Group
• Assist in development and promotion of policy and procedures
• Select and train incident response team members and officers
• Develop a representative inventory of critical incidents
• Develop procedures to follow during an incident response
• Recommend updates to the ISIRT Plan
• Maintain systems for discovering security incidents involving Western Michigan
   University information resources
• Document security incidents in a tracking system

Information Security Incident Response Team
• Follow the leadership of the Incident Officer
• Develop a plan of action for a given incident and carry out the procedures of the plan.

Supporting Groups
• Provide technical and other assistance to ISIRT as requested

Document Revision History
Reviewed by:   Campus Information Security Committee   January 14, 2009
Revised by:    Campus Information Security Committee   January 14, 2009

