IT Security Incident Response (S-17)

Standard: S-17
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: September 1, 2019
Date Last Revised: December 12, 2024

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

Contacts

Clarification of Standard

Purdue Systems Security (PSS)
765-494-4000 | itpolicyanswers@purdue.edu

Individuals and Entities Affected

University students, faculty, staff and all other individuals or entities using University IT Resources.

Statement of Standard

This standard sets forth a set of general requirements for the efficient response to IT Security Incidents in order to maintain the security and privacy of IT Resources and Information Assets, as well as satisfy requirements of state and federal law. 

Reporting IT Security Incidents

Any observed event which appears to satisfy the definition of an IT Security Incident must be reported to the Coordinator of Incident Response (CIR) per IT Security Incident reporting procedures. The person who reports the event, including complaints relayed on behalf of customers, should document and report any available relevant information about the event, including, but not limited to dates, times, persons/resources involved, serial numbers, MAC Addresses and IP Addresses.

Situations which are suspected to be crimes must be reported immediately to the appropriate law enforcement agencies by the person who possesses first-hand knowledge of the facts or circumstances related to a suspected crime.  Purdue students, faculty and staff on campus must report crimes to the Purdue University Police Department. Persons off of the Purdue University campus should report crimes to their local law enforcement agency.

Those events which are suspected to be both a crime and an IT Security Incident should be reported first to the appropriate law enforcement agencies, and then a notification that a police report has been filed should be sent to the CIR. However, in such situations the CIR would not generally act on the report unless asked to do so by said law enforcement agencies.

Response

Reported events become IT Security Incidents only after they have been received and evaluated by the CIR. In order to facilitate the accurate and productive response, all IT Security Incidents must be assessed and classified by the CIR for severity at their onset. As the IT Security Incident progresses, its classification may be reevaluated and changed as necessary to ensure proper handling. If an IT Security Incident falls under multiple classifications, the classification with the highest severity will generally dictate the course of the IT Security Incident response.

The CIR will determine if the IT Security Incident warrants a formal response. IT Security Incidents that do not warrant a formal response will be remanded to the appropriate Purdue Security Contact (PSC) for handling. If deemed appropriate by the CIR, a Cyber Incident Response Team (CIRT) will be formed and led by the handler assigned to the IT Security Incident. All reported events or IT Security Incidents must be documented throughout the response process.

The CIR reserves the right, per Information Security and Privacy (VII.B.8) and Acceptable Use of IT Resources and Information Assets (VII.A.4) and subject to applicable law and other applicable University policies, to use the following resources for IT Security Incident detection and/or response:

• System and application logs
• Passive network traffic monitoring (e.g., IDS, and other network packet analyzers)
• Active scanning of systems suspected of violating University policy or systems exhibiting symptoms of compromise
• Other resources as determined appropriate by the CIR and as allowed by Purdue policy and applicable law
• Confiscation of systems to support analysis activities

Business Continuity

In the course of responding to an IT Security Incident it may be necessary, subject to applicable laws and University policies, to require the suspension of involved or targeted services/systems in order to:

• Protect students, faculty, staff, IT Resources, other systems, data and University assets from threats posed by the involved services/systems
• Protect the service/system in question
• To preserve evidence and facilitate the IT Security Incident response process

The decision to suspend operations will be made by the CIR per Information Security and Privacy (VII.B.8) and Acceptable Use of IT Resources and Information Assets (VII.A.4).

In the case of mission critical applications, the CIR will make a good-faith effort to consult with the appropriate PSC, and if available, service/application owner before carrying out a suspension. If, in the judgment of the CIR, an excessive amount of time (giving due weight to the relative severity of the IT Security Incident) has passed without response from the appropriate PSC or service/application owner, suspension may occur without consultation. In other cases, the appropriate PSC will be notified of suspension of service.

Any equipment not owned by the University that is using University IT Resources and is found to be the target, source or party to an IT Security Incident may be subject to immediate suspension of services without notice until the issue has been resolved or the subject system is no longer a threat.

In all cases, it is the CIR who determines if and when a service suspension may be lifted.

In order to facilitate proper and timely handling of IT Security Incident responses, it is necessary that network-connected devices can be identified and located as soon as possible. To this end, PSCs are required to maintain an inventory of network-connectable devices under their control, per guidelines to be established by the CIR. Absent these guidelines, PSCs are required to maintain a list of all such devices that includes, at a minimum, the primary location of the device and the physical addresses for all network interfaces used by the device (i.e., MAC Address).

Responsibilities

CIR

• Document and maintain appropriate IT Security Incident classification guidelines, response and resolution procedures, including a formal operations guide outlining the specific processes and methods for handling IT Security Incidents.
• Assess reported event for veracity and determine whether or not the event is an IT Security Incident, classify severity and initiate response procedures.
• Coordinate with appropriate resources for events determined to not require a formal response by the CIR.
• Provide a protocol by which the CIR, PSC and Reporters of potential IT Security Incidents can communicate to facilitate and maintain accurate reporting, handling and record keeping.
• Coordinate the activities of the University’s CIRT, known as STEAM-CIRT.
• Make all documentation regarding STEAM-CIRT procedures available to Regional Campuses.

PSCs

• Handle IT Security Incidents reported by the CIR for students, faculty and staff for which they are responsible.
• Maintain an inventory of network-connectable devices under their control meeting the guidelines of the CIR or, at minimum, the requirements of this standard.
• Respond to and manage incidents that do not warrant a formal response as determined by the CIR.
• Relay information about PSC handling of IT Security Incidents to the CIR.
• Disseminate advisory information to students, faculty and staff for which they are responsible.
• Contact the CIRT (STEAM-CIRT) for assistance when needed via abuse@purdue.edu.
• Participate in STEAM-CIRT meetings as called by the CIR.

Regional Campuses

• Appoint Purdue Security Contacts (PSCs) to coordinate IT Security Incident response for an individual business unit, college/school, or department.

Security Officers

• Appoint Purdue Security Contacts (PSCs) to coordinate IT Security Incident response for an individual business unit, college/school, or department.
• Oversee recovery from the IT Security Incident for their covered area.

Definitions

All defined terms are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

CIR
The CIR, or Coordinator of Incident Response, is the party responsible for managing University-wide IT Security Incident response. The Purdue Systems Security (PSS) office, under OVPIT, currently fulfills the role of CIR. 

CIRT (known as ‘STEAM-CIRT’ or ‘STEAM’ at Purdue)
A Cyber Incident Response Team (also known as “computer incident response team”) composed of skilled individuals designated to respond to any IT Security Incident (1) that requires coordination across multiple departments, (2) that cannot in the reasonable judgment of the CIR be adequately addressed by a single department, or (3) when it is otherwise determined to be appropriate to employ such a team by the CIR. The CIR is responsible for defining the specific procedures for and operations of CIRTs.

IP Address
Internet Protocol Address. A unique numerical address that identifies computers connected to the Internet or other IP networks. 

IT Security Incident
Any event involving University IT Resources or Information Assets that:

1. violates local, state or U.S. federal law, or
2. violates regulatory requirements which Purdue is obligated to honor, or
3. violates a system-wide Purdue University policy, or
4. is determined to be harmful to the security and privacy of University IT Resources and Information Assets, or
5. constitutes harassment under applicable law or University policy, or
6. involves the unexpected disruption of University services.

MAC Address
A media access control address, which is a hardware identification number that uniquely identifies each device on a network. The MAC Address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore cannot be changed. 

PSC
Purdue Security Contact is the person or persons assigned to coordinate IT Security Incident response for an individual business unit, college/school, or department. The PSC is responsible for interacting with the CIR. 

Reporter
A person who notifies the CIR of an event they believe to be an IT Security Incident.

Security Officer
A representative from each IT area who provides technical input, coordination and leadership for the information security program and appoints Purdue Security Contacts (PSCs).

Related Documents, Forms and Tools

This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Additional related policies and procedures:

• Acceptable Use of IT Resources and Information Assets (VII.A.4)
• Access to Student Education Records (VIII.A.4)
• IT Security Incident Reporting Procedures
• Payment Card Acceptance, Security and Governance (S-1)
• STEAM-CIRT

Related laws and regulations:

• Children’s Online Privacy Protection Act (COPPA)
• Digital Millennium Copyright Act of 1998 (DMCA)
• Electronic Communications Privacy Act of 1986 (ECPA)
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Information Privacy and Accountability Act (HIPAA)
• USA Patriot Act

History and Updates

December 12, 2024: Document reviewed; minor administrative updates made to titles, offices and links.

September 1, 2019: Supersedes the policy on Incident Response (VII.B.3). Reorganized information into a more readable order to provide clarification of IT Security Incidents. Added definition for MAC Address and removed requirement for Regional Campuses to have their own response plans. Updated hyperlinks in Related Documents, Forms, and Tools section.

Appendix

There are no appendices to this standard.