Cyber Incident Reporting Procedure

Summary

New York State policy and SUNY System Administration require that SUNY campuses report information security incidents in a timely and formal way so that other state entities can be informed and warned. This is an official duty, and the information technology managers and technicians on each campus must understand it so that reports are filed efficiently and completely in all circumstances.


Background

The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) has issued two components of a “Cyber Security Policy.” The first is Cyber Security Policy P03-001 (Cyber Incident Reporting Policy). The second is Cyber Security Policy P03-002 (Cyber Information Security Policy).

The Cyber Incident Reporting Policy requires each SUNY campus to report cyber security incidents to the State. Although the policy directs agencies to report incidents to CSCIC, the SUNY procedure is to report incidents through System Administration whenever possible. The SUNY procedure also provides contingencies for incidents that occur outside of normal business hours and for failures of the established reporting channels.

The SUNY procedure does not preclude a campus from reporting or working directly with CSCIC during a cyber incident. CSCIC is a valuable resource and is able to work with campuses to assess the nature and extent of the incident and then assist with an incident response strategy for investigation, containment, mitigation and follow-up.


Scope

The college is required by New York State and SUNY System Administration to report information security incidents in a timely, formal way. The following types of information security incidents should be reported.

Unauthorized Access

  • A successful unauthorized access to a system, such as a website defacement.
  • An unauthorized access to a system that has not yet been proven successful but that we believe may impact other state entities.
  • An unsuccessful but persistent attempt to access a system, such as an automated script that continuously probes a web server and causes response problems.

Malicious Code

  • An instance of malicious code (trojan horse, virus, worm) that has widespread impact or is adversely affecting one or more mission-critical systems.
  • An instance of malicious code that has been blocked by an email proxy or anti-virus software but that appears persistent and does not match any currently known malicious code.

Denial of Service

  • A denial of service attack that has widespread impact or is adversely affecting one or more mission critical systems.
  • Any other denial of service attack that is persistent or significant such as an attack aimed specifically at our DNS systems.

Reconnaissance Scan or Probe

  • A scan or probe that precedes or is related to the above listed incidents should be reported as part of that incident.
  • Any other scan or probe that is persistent or significant such as a stealthy scan that attempts to avoid detection.

In general, an information security incident should be reported if it has widespread impact, adversely affects a mission-critical system, threatens protected or sensitive information, is persistent, resists campus defenses, or would provide valuable warning to other state entities.
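
The line the Scope section draws between a persistent automated probe and ordinary failed requests is one a campus has to draw from its own logs before the reporting decision in the Procedure section can be made. The following Python script is an added illustration and is not part of the SUNY or CSCIC procedure: it parses web-server access log lines in the common Apache/nginx combined format (an assumption about the log source), groups failed requests by source address, and flags any source whose failures inside a five-minute sliding window exceed both a volume threshold and a distinct-path threshold. The log lines, addresses and threshold values are constructed for the example.

```python
"""Flag persistent probing in web-server access logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input: Apache/nginx "combined" log lines, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "curl/7.68"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_persistent_probes(lines, window=timedelta(minutes=5),
                           min_failures=20, min_distinct_paths=10):
    """Return {ip: summary} for sources whose failed (4xx) requests exceed both
    thresholds inside one sliding time window.

    Two thresholds are used on purpose: volume alone would also catch a
    misconfigured client hammering a single URL, while many distinct missing
    paths from one source is the signature of automated enumeration. The
    default values are illustrative, not values from the SUNY procedure.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and 400 <= rec["status"] < 500:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) >= min_failures and len({r["path"] for r in span}) >= min_distinct_paths:
                flagged[ip] = {
                    "window_failures": len(span),
                    "total_failures": len(recs),
                    "distinct_paths": len({r["path"] for r in recs}),
                    "first": recs[0]["ts"],
                    "last": recs[-1]["ts"],
                }
                break
    return flagged


def sample_log() -> list[str]:
    """Constructed sample: one scripted prober and one ordinary user."""
    base = datetime(2023, 10, 10, 13, 55, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(40):  # prober: a new non-existent path every 3 seconds
        ts = (base + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /backup{i}.zip HTTP/1.1" 404 512 "-" "python-requests/2.31"')
    for i, path in enumerate(["/", "/favicon.ico", "/old-page.html", "/"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        status = 404 if path in ("/favicon.ico", "/old-page.html") else 200
        lines.append(f'198.51.100.20 - - [{ts}] "GET {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, s in find_persistent_probes(sample_log()).items():
        print(f"{ip}: {s['total_failures']} failed requests to {s['distinct_paths']} "
              f"distinct paths between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
```

The output of a script like this is only the input to the human decision described under Procedure: a flagged source tells the supervisor that the activity is persistent rather than background noise, and the thresholds have to be tuned to what is normal for the campus before the result means anything.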

Information security incidents that would be considered normal in a networked environment should not be reported. Examples of information security incidents to report and not to report are provided in the following chart.

Examples of information security incidents to report and not to report

Type of Incident   Description of Incident                                                 Report
-----------------  ----------------------------------------------------------------------  ------
Access             Access to electronic personnel files by an unknown person.              Yes
                   Access to electronic personnel files by an employee with read-only      No
                   access but with no job requirement to access the files.
Malicious Code     An outbreak of a new virus that is spreading rapidly.                   Yes
                   An outbreak of a known virus in a department or the college.            No
Denial of Service  A sustained denial-of-service attack on a campus resource.              Yes
                   A serious problem with network congestion caused by student             No
                   peer-to-peer traffic.
Scan or Probe      Intrusion on a campus email server.                                     Yes
                   Intrusion on a person's office PC.                                      No

Procedure

The following steps should be followed to determine whether an information security incident is reportable to SUNY System Administration and the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).

  1. A college employee who believes they have identified an information security incident should report it to Instructional and Information Technology, which will convey the report to the appropriate Instructional and Information Technology supervisor. An employee who is a member of Instructional and Information Technology should report the incident directly to the appropriate supervisor.
  2. After an initial investigation of the incident, the appropriate Instructional and Information Technology personnel, the Instructional and Information Technology supervisor and the Chief Information Officer will determine whether the information security incident is reportable to SUNY and CSCIC.

The following steps should be followed by the appropriate Instructional and Information Technology supervisor or the Chief Information Officer in the event of an information security incident that is determined to be reportable to SUNY System Administration and the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).

  1. Call the SUNY System Administration Customer Services Help Desk at (518) 320-1800.
    • Inform the SUNY Information Security Officer by briefly describing the incident.
    • Receive any updated details on the reporting procedures.
    • If necessary, request a new copy of the CSCIC Initial Report.
    • If necessary, receive instructions for password-protecting the CSCIC Initial Report.
  2. Email (password-protected) and fax the completed CSCIC Initial Report to SUNY System Administration at customer.services@suny.edu and (518) 443-5273 respectively.
  3. Email (password-protected) and fax the completed CSCIC Final Report to SUNY System Administration at customer.services@suny.edu and (518) 443-5273 respectively after the incident has been resolved.

Contingencies

  • If you get voicemail when calling SUNY System Administration at (518) 320-1800, leave a brief message giving your name, campus, a telephone number at which you can be reached and a brief description of the problem, and then call SUNY System Administration at (518) 443-5179 or (518) 443-5596.
  • If you also get voicemail at (518) 443-5179 or (518) 443-5596, leave a brief message and then send an email message to customer.services@suny.edu stating that you have left messages at those telephone numbers and that you have an information security incident to report.
  • If the telephone system at SUNY System Administration is not operational, send an email message to customer.services@suny.edu stating that you have an information security incident to report and including your name, campus, a telephone number at which you can be reached and a brief description of the problem.
  • If the information security incident occurs outside of normal business hours (evenings, weekends, holidays), or if two hours have passed without a response from SUNY System Administration, and you need assistance in dealing with the incident or the incident is urgently important to other state entities, call or email the State CSCIC Office at (866) 767-4722 or irt@cscic.state.ny.us, stating that you have an information security incident to report and including your name, campus, a telephone number at which you can be reached and a brief description of the problem.

Initial Report

State Entity:

Reported By

Name:

Phone:

Email:

Nature of Incident

  • Denial of Service
  • Malicious Code
  • Reconnaissance Scans and Probes
  • Unauthorized Access
  • Other (describe)

Location of Affected Systems

Street Address:

Building/Room:

Details (e.g. virus name, events, etc):

Date & Time Occurred:

Date & Time Detected:

How was the incident detected?

Business impact & criticality (e.g. what information or services are impacted?):

Additional Information:


Final Report

When the state entity is the primary response coordinator, the following information should be gathered during the investigation of the incident and reported to CSCIC when the incident is resolved.

Compromised System(s) Details

Affected Systems (OS, software, release levels, etc.):

Specify nature of any accounts or information that was accessed or compromised:

Attack source details (e.g. source IP address, method of attack, etc):

What actions were taken?

Isolation/containment:

Investigation:

Remediation:

Planned follow up:

What was the overall impact of the incident?

Impact of service outage:

Resources required to resolve the incident (staff time, consultants, etc):