Cybersecurity Incident Response Policy

This policy details the basic steps to be followed by anyone discovering or being informed of unauthorized access to University data or systems. A data exposure occurs when restricted or confidential information is revealed or exposed to an unauthorized party. The policy also outlines the responsibilities of the Office of the Vice President for Information Services. The measures taken and their order will depend on the type and scope of the unauthorized access, but the basic process is as follows:

Upon discovering or being informed of a security event or data exposure:

  1. Enact countermeasures to prevent further data loss. For Information Services staff: if you are in a position to stop the unauthorized activity and prevent any further data loss, do so. This may involve shutting down systems, terminating access, or taking resources offline.
  2. Immediately notify the following people of the issue and any actions taken:
    1. Your immediate supervisor and/or director
    2. The Director of Information Security
  3. Gather the facts and record what you know. Immediately begin to keep a log of information and actions taken along with the time and date stamp of those occurrences. For Information Services staff: preserve any and all records/logs of access, names of people involved (if known), the data itself, any information used to generate the data in question, and any other evidence that may be needed for a forensic evaluation of the event/incident.
  4. Provide contact information and be available for interaction with the Director of Information Security and the University of Richmond-Cybersecurity Incident Response Team (UR-CIRT), and with law enforcement, if needed.
  5. All requests for information by the media or other outside parties should be referred to University Communications.

Incident Response Process:

The Vice President of Information Services will be responsible for managing incident response until it is determined that the incident must be handed off to law enforcement, University Counsel, or other person/entity.  The Vice President of Information Services will ensure the following occurs: 

  1. Quickly work with other staff to determine if the activity is still in progress. If so, stop the unauthorized activity to prevent any further data loss. Begin to ascertain the extent of the incident and determine the source and type of data, the amount of data, the affected persons, and, to the degree possible, the exact data involved.
  2. Appoint an incident response team. The composition and charge of the team will depend upon the type of incident and resulting data exposure. The team will conduct a preliminary assessment and risk assessment and help develop a tailored incident response plan. Once the incident is contained, this team will also evaluate changes in processes, systems and/or policies to prevent a repeat event.
  3. Be responsible for interaction between IS, the incident response team, and the University administration. In order to ensure that only accurate, timely information that will not interfere with the ongoing investigation is released, no one else is to provide information to any party outside of the incident response team.
  4. Alert the appropriate senior administrators to include the Vice President for Business & Finance, Provost, Chief of University Police, Office of Communications, University Counsel, and others as the situation warrants.
  5. Work with the Director of Information Security, the incident response team and other internal or external parties to determine the identities of affected individuals and determine exactly how they are affected.
  6. Review and refine the incident response plan as appropriate. Help ensure that appropriate resources are available.
  7. Develop a separate data exposure notification plan. Provide accurate and timely notification that meets or exceeds all legal requirements. Working with the appropriate parties, alert affected individuals and develop remediation strategies as appropriate to the situation. Work with the senior staff and University Communications on the release of information to the media, members of the campus community, and other key constituents as appropriate. University Communications will designate a spokesperson(s) to work with the media, and all media and outside requests should be referred to them.
  8. Communicate project status as appropriate, determine next steps, and develop a final report to include lessons learned and actions taken.
