Incident Responders perform the technical evaluation and mitigation of incidents. This group includes all engineering/technical staff in the Networks/Security group. Incident Responders may work with other UMBC engineering/technical staff as appropriate in addressing any given incident.
Incident Response Approvers are the OIT managers responsible for approving the actions taken by Incident Responders. Incident Response Approvers also approve guidelines for the handling of frequently occurring issues. This group includes the Asst. Director of Network Security, the Director of Infrastructure and Support Services, and the Chief Information Officer.
Incidents are considered time-critical if an OIT incident handler has reason to believe that an incident originating within the UMBC domain poses a threat to:
- IT integrity within UMBC
- IT integrity outside UMBC
- The health or safety of self or others
AND that even a relatively small delay (on the order of 30 minutes) in addressing the incident will make the threat/impact significantly more severe.
IT integrity refers to data integrity, data confidentiality, system availability, network availability, system performance, network performance, and the reliable availability of other services and hardware offered or used by OIT and the UMBC campus.
The UMBC OIT incident handling procedures consist of three stages:
- Intake: initial incident report and triage
- Action: execution of measures taken to address and document the incident
- Closure: completion of incident handling efforts and execution of any appropriate follow-up activities
Intake
Incoming incident reports are received from various sources. Typically, these include:
- E-mail
- Phone
- Help desk
- Walk-ins
- Legal Affairs/Campus Police
- Campus IT personnel
All reports are directed to the Network/Security group of OIT.
Incident Responders in the Network/Security group perform the initial triage of incoming reports under the supervision of the Incident Handling Manager. Significant or unusual incidents are referred to the Incident Handling Manager. (In the absence of the Incident Handling Manager, these referrals go to the Asst. Director of Network Security.)
The Incident Handling Manager is responsible for notifying the Asst. Director of Network Security of the ongoing status of incident handling in general and of specific incidents as appropriate.
Action
Specific incident response is determined through the combined effort of Incident Responders and the Incident Handling Manager. In the absence of the Incident Handling Manager, the Incident Responders will work with the Asst. Director of Network Security.
Guidelines:
An Incident Response Approver must approve any measures involving the interruption of OIT-provided services.
If no Incident Response Approver is available and the issue is time-critical, the Incident Responder will take "best judgment" measures to address the incident while:
- Continuing to attempt to contact an Incident Response Approver
- Minimizing the impact of the incident to the campus infrastructure
- Maintaining detailed records of all actions and decisions involved in the response
Once the response is approved, execution is the responsibility of the Incident Responders and the Incident Handling Manager.
Closure
Incident Closure is the responsibility of the Incident Handling Manager and the Asst. Director of Network Security. The Incident Handling Manager and the Asst. Director of Network Security may approve guidelines and/or procedures for the handling of frequently occurring issues.
The Incident Handling Manager and the Asst. Director of Network Security are responsible for the management and disposition of relevant evidence, case notes, and other materials related to any incidents.
Any legal issues related to the activity of any Incident Responder must be referred to the Asst. Director of Network Security.