
Incident Response

Incident Response Information

 

1. In case of a security event or incident, contact the Information Security Office

Arizona State University takes every security event and incident seriously. Reporting a suspected event or incident early on is necessary for proper evaluation and identification. Depending on the severity of the issue or situation, a variety of different groups may be involved in resolving the issue and remediating its risk. The Information Security Office takes the initial steps in helping the reporting party identify the issue, risk and severity of the situation.

To report an event or incident, contact the ASU Help Desk at 1-855-278-5080.

For events that do not require an immediate response, email infosec@asu.edu or visit our contact page.

2. Assessment & Classification of the Issue: Event or Incident

When a potential problem has been identified, the Information Security Office will analyze the situation and attempt to confirm whether it is the result of a security incident. The ISO will also determine the severity of the incident.

Examples of incidents include the exposure or compromise of sensitive information, a large-scale attack or intrusion into a system or group of systems, a malicious attack on an ASU-hosted server or one negatively affecting service, or inappropriate usage of ASU resources.

3. Event Follow Up

In the case where the situation is not a significant security threat or is not as large an issue as originally thought, the ISO will classify the reported issue as an event. The ISO will provide information and instructions for the reporting group to follow.

A security issue may be classified as an event if, upon initial review, it is determined that there is little or no risk to the University community or University assets.

4. Determine Incident Severity & Contact Required Groups

Should the situation be classified as an incident by the ISO, a severity level (Low, Medium or High) will be confirmed by the Chief Information Security Officer and/or the Chief Information Officer (CIO).

The Information Security Office will then meet with an Incident Response Team, which will include appropriate representatives as determined by the nature and severity of the incident. The Chief Financial Officer (CFO) and Provost will be notified during high severity incidents.

5. Incident Containment & Eradication

While contacting the required groups, the ISO will also coordinate with the appropriate network and systems operational teams as well as representatives from the affected department(s). In coordination with the ISO, the networking teams will stop and isolate malicious traffic on the network while department representatives isolate infected systems for forensic analysis.

The ISO may notify relevant parties including the Dean, Office of General Counsel, VP and administrator of the system, but such notification is not a prerequisite to actions necessary to protect University resources or preserve evidence. In cases when it is necessary to support an active investigation or to preserve evidence, the ISO may also take physical possession of any system believed to be involved in the event.

6. System Restoration

System restoration will be handled primarily by the affected department, with the Information Security Office providing suggestions for safer compliance procedures. The Information Security Office will also help identify needed patches and update methodologies so that future incidents and events are less likely to occur.

7. Management Follow Up

During the follow-up portion of the incident, the ISO seeks to help the affected department by answering any questions left from the incident, rectifying any standing issues related to it, and ensuring that any and all relevant policies and best practices are clearly defined.

ASU complies with federal and state requirements to notify individuals if their personal and/or private information has been compromised.