Incident Management

The purpose of Incident Management (IM) is to accurately document known risk and remediate accordingly to allow Shepherd University to resume normal operations as quickly as possible. IM is the process responsible for managing the lifecycle of all data information security (DIS) incidents irrespective of their origination.

Incident Management Goals:

Responsible Office: Information Technology Services
Date Issued: July 19, 2021
Revision: 2
Date Last Revised: 7/29/2021

An IT (DIS) incident is any activity involving Shepherd IT Systems that:

It is an IT security incident if someone:

Please see IT Security Policy, BOG policy #35 for additional guidance on information security principles, access control, personnel practices, and administration.

Reporting IT Incidents 

Any observed event which appears to satisfy the definition of an IT Security Incident must be reported to the Coordinator of the Information Security Program and Director of Information Technology Services. The requestor who reports the event, including complaints relayed on behalf of students, should document and report any relevant information regarding the event, including, but not limited to, dates, times, persons, resources or systems involved, serial numbers, device types, MAC addresses, and IP addresses. This information should be sent by email to itworkorder@shepherd.edu with the subject line “GLBA Incident” as soon as possible. The incident system will generate a response email assigning a ticket number for tracking purposes. Users are encouraged to report any event that could be considered an incident.

Situations which are suspected to be crimes must be reported immediately to the appropriate law enforcement agencies by the person who possesses first-hand knowledge of the facts related to a suspected crime. Shepherd students, faculty and staff on campus must report crimes to the Shepherd University Police Department. Persons off campus should report crimes to their local law enforcement agency.

Those events which are suspected to be both a crime and an IT Security Incident should be reported first to the appropriate law enforcement agencies, and then a notification that a police report has been filed should be sent to the Coordinator of the Information Security Program and Director of Information Technology Services.

Response

Reported events become IT Security Incidents only after they have been received and evaluated by the Coordinator of the Information Security Program. In order to facilitate an accurate and productive response, all IT Security Incidents must be assessed and classified by the Coordinator of the Information Security Program. As the IT Security Incident progresses, its classification may be reevaluated and changed as necessary. If an IT Security Incident falls under multiple classifications, the classification with the highest severity will dictate the response.

The Coordinator of the Information Security Program will determine if the IT Security Incident warrants a formal response. IT Security Incidents that do not warrant a formal response will be reassigned to the appropriate Information Technology Services staff for remediation handling. If deemed appropriate by the Coordinator of the Information Security Program, a Cyber Incident Response Team (CIRT) will be formed and may be comprised of, but not limited to, members from Executive Leadership, Information Technology Services staff, Shepherd University Police Department, and departmental managers as appropriate. All reported events or IT Security Incidents must be documented throughout the response process.

The Coordinator of the Information Security Program, subject to applicable law and University policies, may use the following resources for IT Security Incident detection and/or response:

Business Continuity 

When responding to an IT Security Incident, it may become necessary to suspend, alter, or change any targeted or dependent services or systems in order to:

In the case of mission critical applications, the Coordinator of the Information Security Program will follow the formally documented Communication Plan in an effort to consult with the appropriate staff before carrying out a suspension.

Any equipment not owned by Shepherd University that is using campus IT resources and is found to be the target, source, or party to an IT Security Incident may be subject to immediate suspension of services without notice until the issue has been resolved or the subject system is no longer a threat.

In all cases, it is the Coordinator of the Information Security Program or CIRT who determines if and when a service suspension may be lifted.

In order to facilitate proper and timely handling of IT Security Incident responses, it is necessary that network-connected devices be identified and located as soon as possible. Shepherd University Information Technology Services maintains an inventory of network-connectable devices.

Created 7/19/2021