Cyber Incident Reporting Procedure
Summary
New York State policy and SUNY System Administration require that SUNY campuses report information security incidents in a timely and formal way so that other state entities may be informed and warned. This is an important and official duty that must be understood by information technology managers and technicians on each campus to ensure that reports are filed efficiently and completely in all circumstances.
Background
The New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) has issued two components of a “Cyber Security Policy.” The first is Cyber Security Policy P03-001 (Cyber Incident Reporting Policy). The second is Cyber Security Policy P03-002 (Cyber Information Security Policy).
The Cyber Incident Reporting Policy requires that each SUNY campus report cyber security incidents to the State. Although the policy directs agencies to report incidents to CSCIC, the SUNY procedure is to report incidents through System Administration whenever possible. The SUNY procedure provides contingencies for reporting incidents that occur outside of normal business hours and for problems with the established reporting procedures.
The SUNY procedure does not preclude a campus from reporting or working directly with CSCIC during a cyber incident. CSCIC is a valuable resource and is able to work with campuses to assess the nature and extent of the incident and then assist with an incident response strategy for investigation, containment, mitigation and follow-up.
Scope
91勛圖厙 is required by New York State and SUNY System Administration to report information security incidents in a timely, formal way. The following types of information security incidents should be reported.
Unauthorized Access:
- An unauthorized access to a system that has been successful such as a website defacement.
- An unauthorized access to a system that has not yet been proven to be successful but that we believe may impact other state entities.
- An unsuccessful attempt to access a system that is persistent, such as an automated script that continuously probes a Web server and causes response problems.
Malicious Code
- An instance of malicious code (trojan horse, virus, worm) that has widespread impact or is adversely affecting one or more mission critical systems.
- An instance of malicious code that has been blocked by an email proxy or anti-virus software but that seems persistent and beyond currently known malicious code.
Denial of Service
- A denial of service attack that has widespread impact or is adversely affecting one or more mission critical systems.
- Any other denial of service attack that is persistent or significant such as an attack aimed specifically at our DNS systems.
Reconnaissance Scan or Probe
- A scan or probe that precedes or is related to the above listed incidents should be reported as part of that incident.
- Any other scan or probe that is persistent or significant such as a stealthy scan that attempts to avoid detection.
Information security incidents that have widespread impact, that adversely affect a mission critical system, that threaten protected or sensitive information, that are persistent, that are resistant to campus defenses or that would provide valuable information for other state entities should be reported.
Information security incidents that would be considered normal in a networked environment should not be reported. Examples of information security incidents to report and to not report are provided in the following chart.
Type of Incident | Description of Incident | Report
---|---|---
Access | Access to electronic personnel files by an unknown person. | Yes
Access | Access to electronic personnel files by an employee with read-only access but with no job requirement to access the files. | No
Malicious Code | An outbreak of a new virus that is spreading rapidly. | Yes
Malicious Code | An outbreak of a known virus in a department or the college. | No
Denial of Service | A sustained denial-of-service attack on a campus resource. | Yes
Denial of Service | A serious problem with network congestion caused by student peer-to-peer traffic. | No
Scan or Probe | Intrusion on a campus email server. | Yes
Scan or Probe | Intrusion on a person’s office PC. | No
Procedure
The following steps should be followed to determine whether an information security incident is reportable to SUNY System Administration and the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).
- A college employee who believes they have identified an information security incident should report the incident to Instructional and Information Technology, which will convey the report to the appropriate Instructional and Information Technology supervisor. If the employee who identified the incident is a member of Instructional and Information Technology, the incident should be reported directly to the appropriate Instructional and Information Technology supervisor.
- After an initial investigation of the incident, the appropriate Instructional and Information Technology personnel, the Instructional and Information Technology supervisor and the Chief Information Officer will determine whether the information security incident is reportable to SUNY and CSCIC.
The following steps should be followed by the appropriate Instructional and Information Technology supervisor or the Chief Information Officer in the event of an information security incident that is determined to be reportable to SUNY System Administration and the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC).
- Call the SUNY System Administration Customer Services Help Desk at (518) 320-1800.
- Inform the SUNY Information Security Officer by briefly describing the incident.
- Receive any updated details on the reporting procedures.
- If necessary request a new copy of the CSCIC Initial Report.
- If necessary receive instructions for password protecting the CSCIC Initial Report.
- Email (password-protected) and fax the completed CSCIC Initial Report to SUNY System Administration at customer.services@suny.edu and (518) 443-5273 respectively.
- Email (password-protected) and fax the completed CSCIC Final Report to SUNY System Administration at customer.services@suny.edu and (518) 443-5273 respectively after the incident has been resolved.
Contingencies
- If you get voicemail when calling SUNY System Administration at (518) 320-1800, leave a brief message indicating your name, campus, a telephone number at which you can be reached and a brief description of the problem, and then call SUNY System Administration at (518) 443-5179 or (518) 443-5596.
- If you get voicemail when calling SUNY System Administration at (518) 443-5179 or (518) 443-5596, leave a brief message and then send an email message to customer.services@suny.edu indicating that you have left messages at the appropriate telephone numbers and that you have an information security incident to report.
- If the telephone system is not operational at SUNY System Administration, send an email message to customer.services@suny.edu indicating that you have an information security incident to report and including your name, campus, a telephone number at which you can be reached and a brief description of the problem.
- If the information security incident occurs outside of normal business hours (evenings, weekends, holidays), or if two hours have passed without a response from SUNY System Administration – and if you need assistance in dealing with the incident or the incident is urgently important to other state entities – call or send an email message to the State CSCIC Office at (866) 767-4722 or irt@cscic.state.ny.us indicating that you have an information security incident to report and including your name, campus, a telephone number at which you can be reached and a brief description of the problem.
Initial Report
State Entity:
Reported By
Name:
Phone:
Email:
Nature of Incident
Denial of Service
Malicious Code
Reconnaissance Scans and Probes
Unauthorized Access
Other (describe)
Location of Affected Systems
Street Address:
Building/Room:
Details (e.g. virus name, events, etc):
Date & Time Occurred:
Date & Time Detected:
How was the incident detected?
Business impact & criticality (e.g. what information or services are impacted?):
Additional Information:
Final Report
When the state entity is the primary response coordinator, the following information should be gathered during the investigation of the incident and reported to CSCIC when the incident is resolved.
Compromised System(s) Details
Affected Systems (OS, software, release levels, etc.):
Specify nature of any accounts or information that was accessed or compromised:
Attack source details (e.g. source IP address, method of attack, etc):
What actions were taken?
Isolation/containment:
Investigation:
Remediation:
Planned follow up:
What was the overall impact of the incident?
Impact of service outage:
Resources required to resolve the incident (staff time, consultants, etc):