An Administrative Procedure Governing Information Security
Document #: POL-SLU-IT-0012
Effective: September 9, 2025
Owner: Information Technology – Information Security Office
I. PURPOSE
St. Lawrence University (SLU) is responsible for ensuring the security of its information systems by defending its computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks and protecting the confidentiality, integrity, and availability of data. This standard aims to authorize appropriate personnel to investigate and respond to security incidents that immediately threaten the confidentiality, integrity, or availability of computing services.
This standard also defines the responsibilities of all St. Lawrence University (SLU) community members when responding to or reporting information security incidents.
a. Exceptions
On rare occasions, a security standard exception may be considered depending on the impact on the Institution's mission and the security risk(s) introduced. The IRT Lead or a designated appointee is authorized to make exceptions to this standard. Exception requests must be submitted to the IRT Lead for evaluation and risk assessment. Contact the IRT Lead for more information.
II. INTRODUCTION
This IT standard addresses information security incidents that threaten the confidentiality, integrity, and availability (“CIA”) of SLU's information assets, information systems, and the networks that deliver the information. This standard also assures that the response is conducted consistently, with appropriate leadership and technical resources, to promptly restore operations impacted by the incident and determine the potential loss of CIA.
III. BACKGROUND
A security incident is an event or occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
IV. SCOPE
This IT standard shall apply to all members of the SLU community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors who use, access, or otherwise employ, locally or remotely, the Institution’s IT Resources, whether individually controlled, shared, stand-alone, or networked. Devices or data may be physically located on Institution grounds or remotely, e.g., wherever a person is working or, in the case of servers, potentially in the cloud. Devices or data could also exist either physically or virtually in either environment.
V. STANDARD STATEMENT
This standard requires multiple controls to be in place, in addition to a set of response procedures for reporting and handling a security incident. These response mechanisms must be documented and maintained within a Computer Security Incident Response Plan (“IRP”) and supporting playbooks.
VI. INCIDENT RESPONSE PLAN
St. Lawrence University (SLU) will maintain a security incident response plan and procedures that include:
- Roadmap for incident response;
- High-level approach to incident response for the overall institution;
- Roles and responsibilities for those engaged in response activities;
- Incident classification and prioritization procedures;
- Communication, notification, and escalation requirements;
- Defined reportable information security incidents; and,
- Incident documentation and post-event follow-up requirements.
VII. INCIDENT RESPONSE PROCESS
SLU's incident response processes are based on the incident response life cycle prescribed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, revision 2. This is described in more detail in the SLU Cyber Security Incident Response Plan and consists of the following phases:
- Detection & Analysis
- Containment, Eradication & Recovery
- Post Incident Activity
The testing, training, and exercise elements of SLU's incident response process are based on best practices outlined in NIST Special Publication 800-84.
VIII. INCIDENT RESPONSE TEAM LEADERSHIP
The roles and responsibilities listed in SLU's IRP will include the designation of the key role of Computer Security Incident Response Team Lead (“IRT Lead”) and Computer Security Incident Response Team Lead Backup (“IRT Lead Backup”). This standard establishes the IRT Lead, or the IRT Lead Backup in the IRT Lead’s absence, as responsible for overseeing SLU's institutional incident response strategy and activities.
Incident Response Plan Annual Review & Maintenance
SLU's Incident Response Plan will be reviewed, updated, and tested at least annually for timely and effective handling of all security incidents. All revisions are to be approved by:
- The IRT Lead
- SLU Chief Information Officer (CIO)
- VP of Finance and Administration
The IRT Lead is responsible for oversight of this process and for updating the IRP whenever changes are necessary, communicating these changes as appropriate, and making any IRP revisions available via the website.
Community Responsibilities
Security Event Reporting
It is critical to properly report incidents and possible incidents to comply with the St. Lawrence University (SLU) obligations regarding appropriate handling and reporting to law enforcement and cyber insurance providers, as well as to comply with specific federal and state laws and industry regulations.
Examples of security events to report include, but are not limited to:
- Attempts (either failed or successful) to gain unauthorized access to a system or its data;
- Unwanted disruption or denial of service;
- Compromised or exposed user account credentials, e.g., username and password;
- Compromised endpoint, e.g., malware, keylogger, ransomware, etc., detected on a user’s desktop, laptop, or other device;
- Compromised server, e.g., malware, unauthorized use/access, unusual activity;
- Compromised Institution-owned websites, e.g., website defacement;
- Compromised infrastructure, e.g., router, switch, firewall;
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent;
- Unauthorized exposure of sensitive data (especially high-risk data types); or
- Theft or other loss of a laptop, desktop, or other device that contains sensitive SLU information, whether or not such device is owned by the Institution.
All members of the St. Lawrence University (SLU) community have an obligation to report, in a timely fashion, events or activities that are or could lead to a security incident or a violation involving SLU resources. It should be noted that not all security events become security incidents. Any individual who suspects that a theft, breach, or exposure of a PSC-protected asset or sensitive data has occurred must immediately send notice of such events and relevant information via email to helpdesk@stlawu.edu or call (315) 229-5770.
If a security event involving a device is suspected, stop using the device in question immediately while awaiting triage of a reported event. Do not turn off the device, as this could result in the loss of valuable forensic evidence; instead, disconnect the device from the network. Do not attempt to investigate or remediate the issue yourself, as this could damage valuable forensic data. The Incident Response Team (“IRT”) will quickly analyze detected alerts and reported events. Only the IRT can confirm if an event is an actual incident.
Incident Information Disclosure
All information pertaining to an information security incident investigation must be handled with discretion. Disclosure of specific incident response details to both internal and external parties will not be made available except on a need-to-know basis to protect those specifics from unauthorized disclosure and modification. The IRT Lead will communicate updates promptly to appropriate individuals and groups and shall communicate and escalate security incidents to proper governance bodies, campus offices, and stakeholders according to the Incident Response Plan.
Any external disclosure of information regarding information security incidents must be reviewed and approved by the IRT Lead in consultation with the Vice President of Finance and Business Affairs, University Communications, the Office of Human Resources, and legal representation.
Computer Security Incident Response Team
SLU shall maintain a Computer Security Incident Response Team (“CSIRT” or “IRT”) responsible for handling the incident response process per the Computer Security Incident Response Plan (“IRP”). Please refer to the IRP for those specific roles and responsibilities for reporting and handling a security incident. Note that each incident could require various SLU personnel to be available for investigation and remediation. The IRT Lead will generally follow the outlined team setup but may need to select additional participation on an ad-hoc basis from organizational units depending on the nature of the incident and required skills. Personnel chosen to participate as part of the IRT are expected to provide appropriate and timely responses to requests and communicate and document their actions as outlined within the IRP.
All members of the CSIRT must participate in annual testing and training exercises designed to sustain and refine the Institution’s ability to handle security incidents.
Security Awareness Training
SLU requires all new and existing community members to participate in annual security awareness training and refreshers. This training should include incident response training on recognizing an incident and responding appropriately, in addition to modules or topics sufficient to address relevant security risks and best practices. IRT members and IT technical staff should receive training and maintain awareness of current threats and countermeasures. Departments handling sensitive or protected data should also receive specialized training on the associated risks and expected best practices in their respective areas.
IX. ENFORCEMENT
The University may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security, or functionality of Institution and computer resources.
Violations of this standard may result in penalties and disciplinary action in accordance with the Student Handbook, Faculty Handbook, and/or rules governing employment at St. Lawrence University.
X. DISCLAIMER
St. Lawrence University disclaims any responsibility for, and does not warrant, information and materials residing on non-St. Lawrence University systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of St. Lawrence University, its faculty, staff, or students.
XI. STANDARD AUTHORITY
This standard is issued by the University President for St. Lawrence University.
XII. REFERENCES
Elements of this Standard have been drawn from numerous sources, including:
- Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, revision 2
- Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-84
- UTIA IT0122 – Information Security Incident Response Standard, University of Tennessee
- Cyber Incident Response Standard, Boston University
- Information Security Incident Response Standard, Fordham University
- Incident Response Standard, Vanderbilt University
- Incident Response Standard, University of Florida
- Security Incident Response Standard, University of Southern California
- Information Security Incident Response, Stanford University
XIII. APPROVAL, REVIEW AND REVISION HISTORY
Date: 9/4/2025
Version: 1.0
Description of Revision: Final Copy
Author: Wendy Wilde, CISO
Approval Date: 9/4/2025
Approved by (Name & Title): Karl Spiecker, VP of Finance and Administration