Arizona State University takes every security event and incident seriously. Depending on the severity of the issue or situation, a variety of different groups may be involved in resolving and remediating any risks to ASU. The ASU Security Operations Center manages the initial steps of security incident response: identifying the threat, the risk, the severity, and the parties involved.
Incident Response
Reporting a Security Incident
Reporting a suspected event or incident early on is necessary for proper evaluation and identification.
To report an event or incident, contact the Experience Center at 1-855-278-5080.
For events that do not require an immediate response, email infosec@asu.edu.
Incident Response Process
When a potential problem has been identified, the ASU Security Operations Center (SOC) will analyze the situation to confirm whether it has resulted in a security incident. The SOC will also determine the severity of the incident at this time.
Examples of incidents include a breach, exposure, or unauthorized use of sensitive information; large-scale attacks or intrusions into ASU system(s); a malicious attack on an ASU-hosted service; or inappropriate or unlawful use of ASU resources.
If the situation is not a significant security threat, or is not as large an issue as originally thought, the SOC will classify the reported issue as a security event. The SOC will also provide information and instructions for the reporting group to follow.
If the reported event is classified as an incident, the SOC will begin documenting the involved ASU resources and data to determine which ASU departments and personnel will need to be involved.
Should the situation be classified as an incident by the SOC, a severity level (P0-P4) will be assigned, with P0/P1 incidents being confirmed by the Chief Information Security Officer (CISO) and/or the Chief Information Officer (CIO).
The SOC will then initiate an incident call with the Incident Response Team, which will include appropriate representatives as determined by the nature and severity of the incident. These members may include personnel such as the Chief Financial Officer (CFO), the Provost, the Chief General Counsel, Media Relations, the Registrar, ASU PD, and other department- or college-specific deans or VPs.
While contacting the required groups, the SOC will also coordinate with the appropriate network and systems operations teams as well as representatives from the affected department(s). In coordination with the SOC, the networking teams will stop and isolate malicious traffic on the network while department representatives isolate infected systems, preserving them for forensic analysis.
The SOC may notify relevant parties including the Dean, Office of General Counsel, VPs, and administrators of the systems, but such notification is not a prerequisite to actions necessary to protect University resources or preserve evidence. In cases when it is necessary to support an active investigation or to preserve evidence, the SOC may also take physical possession of any system believed to be involved in the event.
System restoration will be handled primarily by the affected department, with ET Cybersecurity providing suggestions for safer compliance procedures. ET Cybersecurity will also help identify needed patches and update methodologies so that future incidents and events are less likely to occur.
After containment is confirmed, the SOC will finalize the incident report and file it with ET Cybersecurity. The report will contain an executive summary of the incident and details of all response actions taken by the involved parties.
During the follow-up portion of the incident, the SOC seeks to help the affected department by answering any questions left over from the incident, rectifying any outstanding issues related to the incident, and ensuring that all relevant policies and best practices are clearly defined. The SOC will also create or update alerting based on the incident to improve early detection of similar events.
ASU complies with federal and state requirements to notify individuals if their personal and/or private information has been compromised. These notifications, when required, will be sent out by the ASU Data Steward for the involved data with guidance from ET Cybersecurity.