Incident Handling Guidelines

1.0 Purpose

Incident handling refers to those practices, technologies and/or services used to respond to suspected or known breaches to security safeguards.

2.0 Scope

In accordance with the “security standards” incorporated into the Health Insurance Portability and Accountability Act (HIPAA), incident handling must be an integral part of the College of Public Health Information Technology Security Plan. Incident handling reduces the risk that key information technology assets will be compromised by an intrusion or other breach of security.

Once suspected intrusion activity has been qualified as a security breach (i.e., an incident), it is imperative that the incident be contained as soon as possible and then eradicated, so that damage and risk exposure are limited or, where possible, avoided altogether. Information Technology security incidents are deliberate, malicious acts, which may be technical (e.g., creation of viruses, system hacking) or non-technical (e.g., theft, property abuse, service disruption). In many cases, if an incident is left unchecked (i.e., not contained), the resulting damage continues to spread within and across the collegiate environment.

Handling incidents can be logistically complex and may require information and assistance from sources outside the College of Public Health (e.g., University Security Officers, technical specialists, law enforcement entities such as the state police or the FBI, and the public affairs office). Industry best practice suggests that organizations that adopt both proactive and reactive means of incident handling are better able to limit the negative consequences of incidents. Examples of proactive activities include establishing communication mechanisms to report incidents and to disseminate incident alerts, and identifying technical experts who can provide emergency assistance if needed. Examples of reactive activities include blocking or terminating computer processes, temporarily denying user access, and deploying inoculation (anti-malware) software.

3.0 Applicability

This standard is applicable to all College of Public Health users.

4.0 Guidelines

4.1 Required

Each College of Public Health entity must develop/follow an Incident Response Plan (IRP), which identifies the responsibilities and actions to be taken in response to incidents.

4.2 Required

Each College of Public Health entity must ensure that out-of-band communication alternatives are established as part of their Incident Response Plan (i.e., that the “compromised” device, platform, or media is not used to notify users or to report the incident).

4.3 Required

Incidents must be reported to the collegiate Office of Information Technology Security Officer and, if serious enough to cause actual damage or compromise of a College of Public Health system, to the data owners and to the Entity head. If it appears that the incident could compromise systems at other locations, then information about the incident should be passed to the University IT Security Office as soon as possible.

4.4 Required

Each College of Public Health entity must review and update its Incident Response Plan (IRP) at least annually, so that the responsibilities and actions it identifies remain current.

4.5 Recommended

At a minimum, incidents should be logged, and the collegiate Office of Information Technology Security Officer should review the incident logs at least monthly. Note that the logs are potentially legal evidence and should therefore be protected against alteration and preserved accordingly.
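As an added illustration, not part of these guidelines and not code from the College or the University, the following Python sketch shows one way an incident log can satisfy both halves of 4.5: a hash chain over the records makes later alteration, removal or re-ordering of an entry detectable, which is what "protected and preserved" requires of evidence, and a review function pulls the month's entries for the Security Officer. The record fields, the category names and the sample incidents are assumptions constructed for the example.

```python
"""Tamper-evident incident log with a monthly review report.

Added example, not part of the College of Public Health guidelines.
Each entry's hash covers the previous entry's hash plus the record, so
altering, removing or re-ordering an earlier entry breaks the chain.
Field names, categories and the sample incidents are assumptions
constructed for this illustration.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # chain anchor for the first entry (assumption)


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and the canonical JSON of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_incident(log, reported_on, category, system, summary, reporter):
    """Append one incident to `log` (a list in chain order) and return it.

    reported_on is an ISO date string; category is one of the procedure
    areas in sections 5-7 ("workstation", "lost-stolen", "account").
    """
    prev = log[-1]["hash"] if log else GENESIS
    record = {
        "id": len(log) + 1,
        "reported_on": reported_on,
        "category": category,
        "system": system,
        "summary": summary,
        "reporter": reporter,
    }
    entry = dict(record, prev_hash=prev, hash=_entry_hash(prev, record))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, id of the
    first entry that fails). Truncation of the newest entries is not
    detectable from the log alone: record the latest hash out of band."""
    prev = GENESIS
    for entry in log:
        record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or entry["hash"] != _entry_hash(prev, record):
            return False, entry["id"]
        prev = entry["hash"]
    return True, None


def monthly_review(log, year, month):
    """Entries reported in the given month plus a count per category,
    i.e. the material for the Security Officer's monthly review."""
    prefix = f"{year:04d}-{month:02d}-"
    entries = [e for e in log if e["reported_on"].startswith(prefix)]
    return {"entries": entries,
            "by_category": dict(Counter(e["category"] for e in entries))}


def build_sample_log():
    """Constructed sample incidents (not real events)."""
    log = []
    append_incident(log, "2024-03-04", "workstation", "ws-017",
                    "Malware alert; host isolated and scanned offline", "helpdesk")
    append_incident(log, "2024-03-19", "lost-stolen", "laptop asset 4421",
                    "Laptop stolen off campus; police report filed; no PHI present", "owner")
    append_incident(log, "2024-04-02", "account", "user account jdoe",
                    "Phished credentials; account disabled and password reset", "it-security")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    log[1]["summary"] = "edited after the fact"   # simulate tampering
    print("after tampering:", verify_chain(log))
    print("March review:", monthly_review(build_sample_log(), 2024, 3)["by_category"])
```

The chain only proves that nothing before the newest entry was changed; to make deletion of the newest entries detectable as well, the Security Officer should record the latest hash somewhere the log's custodians cannot write to (for example, in the monthly review report itself).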

5.0 Procedures involving Computer Workstation

  • Upon detection of an incident, immediately isolate the device from all networks: unplug the wired connection and disable wireless. Avoid powering the machine off or rebooting it unless directed to, since doing so discards volatile evidence (running processes, network connections, memory contents).
  • Remove all external storage devices from the infected/compromised system and keep them quarantined until they have been scanned.
  • Immediately contact the collegiate Office of Information Technology Security Officer.
  • In coordination with the collegiate Office of Information Technology, evaluate the incident to determine the proper course of action.
  • The collegiate Office of Information Technology Security Officer officially logs the incident in the incident database.
  • Review the activity logs of the infected/compromised system.
  • Using appropriate tools, scan the system offline (for example, by booting from trusted media) to detect infection or compromise; a scan run from inside a compromised operating system cannot be trusted to find everything.
  • If the cause is identified, remediate it.
  • If there is any doubt that the system is clean, re-image it or reinstall the operating system and applications from trusted sources.
  • Scan and evaluate every external storage device before re-attaching it to the cleaned system.
  • Once the system has been cleaned or re-imaged, re-attach the scanned external storage devices and restore network access.

6.0 Procedures involving a Stolen/Lost Device

  • Upon detection of a lost or stolen device, immediately report the incident to the collegiate Office of Information Technology.
  • In coordination with the collegiate Office of Information Technology, evaluate the incident to determine the proper course of action.
  • If the device was stolen at the University of Iowa, immediately call the University Police/Security Office to file a report.
  • If the device was stolen outside of the University, immediately contact the corresponding Police department or security office to file a report.
  • The collegiate Office of Information Technology Security Officer officially logs the incident into a database.
  • Determine whether the device contained Protected Health Information (PHI) or other critical data.
  • If the device contained Protected Health Information, immediately contact the University IT Security Office to determine the course of action.
  • Determine how the device came to be lost or stolen and take corrective action to prevent a recurrence.
  • Determine whether there are appropriate backups of the data.
  • Restore backup data for the end-user to a new device so that work can continue.

7.0 Procedures involving a User Account

  • Upon detection of an incident with a user account, immediately report the incident to the collegiate Office of Information Technology.
  • In coordination with the collegiate Office of Information Technology, evaluate the incident to determine the proper course of action.
  • If the user account has been breached, immediately disable the user account on all IT resources.
  • Determine how the account was breached and take corrective action to prevent a recurrence.
  • If the account holder is legitimate, reset the account password on all systems and devices (a password reset alone does not end sessions an attacker already holds, so terminate those as well), then reactivate the account.
  • Monitor the account's activity for an extended period to confirm that it is legitimate.
  • If the user is in violation of the University Acceptable Use of Information Technology Services Policy, immediately report the incident and individual to the University Information Technology Security Office and leave the account disabled indefinitely.

8.0 Contacts and Technical Experts

College of Public Health Office of Information Technology (384-3838)
cph-support@uiowa.edu

University of Iowa Information Technology Security Office (335-6332)
it-security@uiowa.edu

University of Iowa Police and Public Safety Office (335-5022)
police@uiowa.edu