Security Incident Response Framework (External)
About This Policy
It is the responsibility of the entire University community to respond in a consistent manner, with appropriate leadership and technical resources, to any security incident. The Montclair State University IT Service Desk and Office of Information Security are available to facilitate and provide guidance with any computer security incidents that affect University IT resources or threaten the availability, confidentiality, and integrity of University information.
Security incidents involving restricted personally identifiable information (PII) or confidential information as defined by the Data Classification and Handling Policy must be reported immediately to the Office of Information Security (firstname.lastname@example.org).
What is a Security Incident?
An incident is an adverse event in an information system, including the significant threat of an adverse event. In other words, it implies harm or the attempt to harm. An incident can be defined as any act that violates University Information Security policies and/or the Guidelines for Responsible Computing. The following activities are common incidents and should be reported to the Office of Information Security:
- Attempts to gain unauthorized access
- Unwanted disruption of services or denial of resources
- Unauthorized use of a system
- Changes to a system without the owner’s knowledge, instruction, or consent
- Theft or loss of University computing equipment
What is not an incident?
Spam is not considered an incident, as the high volume of spam e-mails makes it difficult to investigate every case. Only when the spam is a sign of a compromised Montclair State University account, or if the spam contains criminal content, will it be considered an incident. If you are interested in reporting unsolicited email (spam), please contact the IT Service Desk at email@example.com. You are encouraged to read this page prior to making a complaint to help you distinguish activities which do not violate the law or policy.
How can I report an incident?
If you would like to report an incident that meets the criteria for a violation, please contact the appropriate agency. Please do not submit personally identifiable information such as your CWID, passwords, or financial information via e-mail. This contact matrix provides guidance in the event you observe or experience the following:

|If you observe or experience|Contact|
|---|---|
|Alerts or behavior indicating possible infection on a University provided client (computer)|University Service Desk or your local college technical team|
|Network scanning, probing or system compromises|University Service Desk, email Office of Information Security|
|Found a lost mobile device|University Police|
|Lost or stolen University provided mobile device|University Police, email Office of Information Security and inform your supervisor|
|Discover you have incorrect access rights to a shared University file repository (MSUFILES, Google Drive, etc.)|E-mail IT Office of Information Security|

What are some signs of common Security Incidents?
If you are experiencing issues with your computer or a resource located on the network, first check with the University IT Service Desk or your local technical team to rule out common problems.
Signs of a Denial of Service Attack
- The network appears to be running slower than usual or there is no connection at all (opening files or visiting websites)
- Unable to reach a University website, resource or any public website or resource available through the internet
- Mailbox is inundated with spam to the point that no legitimate e-mails can be delivered
- The hard drive has suddenly become full
Signs of Malicious Code (Virus, Malware, Spyware, Rootkits)
- Computer is running abnormally slow or crashes for no apparent reason
- Files are being deleted or becoming corrupt
- Internet homepage is different and/or there are additional components added to the browser
- Pop-up ads are always appearing on the desktop
- Random Windows error messages appear
- The mouse cursor moves around without any interaction
Signs of Unauthorized Access
- Computer is not in the same physical condition that it was left in
- Files and folders have been added, deleted, or changed
- You witness someone using a system or using credentials that do not belong to them
Once the initial response is performed and the incident is classified and contained, further investigation may be required to determine the cause. All actions taken should be fully documented within an incident in ServiceNow. Report incidents by logging into our ServiceNow self-service portal and submitting an ISIM “Security Incident Reporting Form” ticket.
Recovering from an incident occurs when the investigation process is complete and the machine can be returned to normal operation. Lessons learned will be identified, and measures to protect against future incidents of the same kind will be implemented. A final report communicating the findings to the University IT Security Office, IT staff and other affected parties will need to be developed and shared.
Information Security Breach Notification Guidelines
A breach of restricted personal or confidential information requires special handling. Refer to the Montclair State University Breach Response Protocol for an appropriate response. The Information Security Breach Reporting Form must be used to report a security breach to the Office of Information Security.
Request for Computer Forensic Examination
Computer forensics is the analysis of data from a computer system in response to a security incident. A computer forensic examination may be needed when it is suspected that a computer was misused in violation of the University Guidelines for Responsible Computing or used to commit a crime. To learn more and to request a computer forensic examination, please contact firstname.lastname@example.org.