

FSE Incident Response

On July 1st, 2016 the ASU Information Security team implemented an Incident Response Process which includes an Incident Escalation process (see email in appendix). This document details how Fulton IT teams will manage the Incident Response tickets and workflow.

The FSE Incident Response Coordinator is responsible for managing incident assignment, communication and workflow, and for facilitating timely remediation within the Fulton Schools of Engineering. The FSE Incident Response Coordinator position is managed by Scott Abbe, with Rich Willis as backup.

In the event of an out of office reply from an IT Team Lead, the FSE IRC will seek out a technician in the same group.

FSE Incident Response Process flow

FSE incidents – Infected Device
o Infosec assigns ServiceNow tickets to the FSE Incident Response Coordinator (escalation clock starts ticking).
o Response coordinator will re-assign to appropriate School IT Lead.
  - Determined by information in ticket and FSE SCCM.
  - Email notification of incident ticket is forwarded to School IT Lead.
o School IT Lead assigns to technician.
o IF the ticket is not closed in 24 hours the ticket will be escalated. The first escalation reassigns the ticket to the Senior TAG Rep (Denise).
  - The ticket is reassigned to technician by FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation is forwarded to School IT Lead.
  - The team is strongly encouraged to close the ticket and take the system off the network to finish remediation.
o IF the ticket is not closed in 48 hours (after 1st escalation, 72 hrs running total) the ticket will be escalated to the Dean.
  - The ticket is reassigned to technician by the FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation is forwarded to School IT Lead.
  - The team is strongly encouraged to close the ticket and take the system off the network to finish remediation.
o IF the ticket is not closed in 24 hours (after 2nd escalation, 96 hrs running total) the ticket will be escalated to the CISO. The system will be taken offline.


FSE incidents – Web defacement
o Infosec assigns the ServiceNow ticket to the website owner and the Senior TAG Rep (escalation clock starts ticking).
o Website owner will remove defacement and scan system.
o IF the ticket is not closed in 4 hours the ticket will be escalated. The first escalation reassigns the ticket to the Dean.
  - Ticket is reassigned to Website owner by FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation will be forwarded to Website owner and School IT Lead.
  - The team is strongly encouraged to close the ticket and take the website off the network to finish remediation.
o IF the ticket is not closed in 8 hours, the ticket is escalated to CISO/CIO and the site will be taken offline.


FSE incidents – Anomalous Traffic
o Infosec assigns the ServiceNow ticket to the FSE Incident Response Coordinator (escalation clock starts ticking).
o Response coordinator will re-assign to appropriate School IT Lead.
  - Determined by information in ticket and FSE SCCM.
  - Email notification of incident ticket will be forwarded to School IT Lead.
o School IT Lead assigns to technician.
o IF the ticket is not closed in 48 hours the ticket will be escalated. The first escalation reassigns the ticket to the Senior TAG Rep (Denise).
  - Ticket will be reassigned to the technician by the FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation will be forwarded to School IT Lead.
  - The team is strongly encouraged to remove the device from the network and close the ticket.
o IF the ticket is not closed in 48 hours (after 1st escalation, 96 hrs running total) the ticket will be escalated to the Dean.
  - Ticket will be reassigned to the technician by the FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation will be forwarded to School IT Lead.
  - The team is strongly encouraged to remove the device from the network and close the ticket.
o IF the ticket is not closed in 24 hours (after 2nd escalation, 120 hrs running total) the ticket will be escalated to the CISO. Appropriate action at the discretion of the CISO/CIO.


FSE incidents – Unauthorized Access
o Infosec assigns the ServiceNow ticket to the FSE Incident Response Coordinator (escalation clock starts ticking).
o Response coordinator will re-assign to appropriate School IT Lead.
  - Determined by information in ticket and FSE SCCM.
  - Email notification of incident ticket will be forwarded to School IT Lead.
o School IT Lead assigns to technician.
o IF the ticket is not closed in 24 hours the ticket will be escalated. The first escalation reassigns the ticket to the Senior TAG Rep (Denise).
  - Ticket will be reassigned to the technician by the FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation will be forwarded to School IT Lead.
  - The team is strongly encouraged to delete access and close the ticket.
o IF the ticket is not closed in 24 hours (after 1st escalation, 48 hrs running total) the ticket will be escalated to the Dean.
  - Ticket will be reassigned to the technician by the FSE Incident Response Coordinator.
  - Email notification of incident ticket escalation will be forwarded to School IT Lead.
  - The team is strongly encouraged to delete access and close the ticket.
o IF the ticket is not closed in 24 hours (after 2nd escalation, 72 hrs running total) the ticket will be escalated to the CISO. Appropriate action at the discretion of the CISO/CIO.
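The four incident ladders above share one shape: a clock that starts when Infosec opens the ticket, a set of running-total deadlines, and a recipient the ticket escalates to at each deadline. The Python below is an added example, not part of the FSE document and not ASU's ServiceNow workflow; it encodes the four ladders as data and, for a set of constructed tickets, reports where each ticket sits on its ladder, its next deadline, and which escalations the coordinator has not yet recorded. The ticket numbers and timestamps, the Ticket fields, and the reading of the web-defacement second step as an 8-hour running total are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Escalation ladders transcribed from the FSE process text: (running-total hours
# since the ticket was opened, who the ticket escalates to, expected action).
# The web-defacement second step is read as 8 hours running total (assumption;
# the text only says "not closed in 8 hours").
LADDERS = {
    "Infected Device": [
        (24, "Senior TAG Rep", "close ticket and take system off the network"),
        (72, "Dean", "close ticket and take system off the network"),
        (96, "CISO", "system will be taken offline"),
    ],
    "Web defacement": [
        (4, "Dean", "close ticket and take website off the network"),
        (8, "CISO/CIO", "site will be taken offline"),
    ],
    "Anomalous Traffic": [
        (48, "Senior TAG Rep", "remove device from network and close ticket"),
        (96, "Dean", "remove device from network and close ticket"),
        (120, "CISO", "action at discretion of CISO/CIO"),
    ],
    "Unauthorized Access": [
        (24, "Senior TAG Rep", "delete access and close ticket"),
        (48, "Dean", "delete access and close ticket"),
        (72, "CISO", "action at discretion of CISO/CIO"),
    ],
}


@dataclass
class Ticket:
    number: str
    incident_type: str
    opened_at: datetime
    recorded_level: int = 0          # escalations the coordinator has already performed
    closed_at: Optional[datetime] = None


def escalation_level(incident_type: str, hours_open: float) -> int:
    """How many ladder steps have fired after hours_open hours on the clock."""
    return sum(1 for hours, _, _ in LADDERS[incident_type] if hours_open >= hours)


def status(ticket: Ticket, now: datetime) -> dict:
    """Where a ticket sits on its ladder at `now`; closing the ticket stops the clock."""
    clock_end = ticket.closed_at or now
    hours_open = (clock_end - ticket.opened_at).total_seconds() / 3600
    ladder = LADDERS[ticket.incident_type]
    level = escalation_level(ticket.incident_type, hours_open)
    done = ticket.closed_at is not None or level == len(ladder)
    return {
        "ticket": ticket.number,
        "closed": ticket.closed_at is not None,
        "hours_open": round(hours_open, 1),
        "level": level,
        "escalated_to": ladder[level - 1][1] if level else None,
        "expected_action": ladder[level - 1][2] if level else "assign to technician",
        # deadlines are measured from opened_at, so a late reassignment never pushes them out
        "next_deadline": None if done else ticket.opened_at + timedelta(hours=ladder[level][0]),
    }


def pending_escalations(tickets, now: datetime):
    """Open tickets whose clock has passed a step the coordinator has not yet recorded."""
    pending = []
    for t in tickets:
        if t.closed_at is not None:
            continue
        level = status(t, now)["level"]
        if level > t.recorded_level:
            pending.append((t.number, LADDERS[t.incident_type][level - 1][1]))
    return pending


# Constructed sample tickets (numbers and times are made up for this example).
NOW = datetime(2016, 7, 5, 12, 0)
SAMPLE_TICKETS = [
    Ticket("INC0001", "Infected Device", datetime(2016, 7, 1, 8, 0), recorded_level=2),
    Ticket("INC0002", "Web defacement", datetime(2016, 7, 5, 6, 0), recorded_level=1),
    Ticket("INC0003", "Anomalous Traffic", datetime(2016, 7, 3, 12, 0),
           closed_at=datetime(2016, 7, 4, 0, 0)),
    Ticket("INC0004", "Unauthorized Access", datetime(2016, 7, 4, 10, 0)),
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(status(t, NOW))
    print("escalate now:", pending_escalations(SAMPLE_TICKETS, NOW))
```

Deadlines are computed from the time Infosec opened the ticket rather than from the last reassignment, which is what "running total" in the ladders implies: a slow hand-off between the coordinator, the School IT Lead and the technician consumes the window rather than resetting it. The recorded_level field stands in for whatever the coordinator uses to note that an escalation email has actually gone out; comparing it with the computed level is the check that finds tickets whose clock has moved on without anyone acting.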


ASU Incident Response escalation chart


Appendix

Tech Studio (assistance for Student Owned systems)
o Downtown: University Center (UCENT) L1-80, M-F 12PM-5PM, 602.496.0309, [email protected]
o Polytechnic: Academic Center Building (CNTR) 150, M-F 8AM-5PM, 480.727.1824, [email protected]
o Tempe College: 660 South College Ave, 480.965.2203
o Tempe CPCOM: Computing Commons (CPCOM) 140, M-F 9AM-5PM, 480.965.2843, [email protected]
o West Campus: Fletcher Library, Lower Level, M-F 9AM-5PM, 602.543.8324, [email protected]

From: Richard Holzer
Sent: Thursday, June 30, 2016 12:41 PM

All –

Recently, our Information Security Office has briefed all of you concerning the Incident Escalation Process and Incident Response Process (see attached slides) and let you know that we would be rolling out some significant enhancements to ServiceNow in order to support this expanded Incident Response process. Thanks to the tireless efforts of our ServiceNow team, we will be rolling those enhancements out to production this weekend.

Primarily, these enhancements are designed to provide ASU:
o Greater traceability between security incidents and required remediation actions
o Ability to track and escalate remediation actions to ensure timely protection of ASU

Starting Saturday, any new security request or security incident tickets opened in ServiceNow will incorporate the enhanced workflows that provide this additional functionality. For all the Senior TAG Reps and their respective Departments, this will mean our communication with you as we request your assistance in responding to security incidents will become more structured and much of it will be automated from within ServiceNow. For those of you who actively use ServiceNow, task tickets will be generated and assigned to your departments for action. For others who are not current users of ServiceNow, we will generate emails to accomplish the same goals and track your responses from within ServiceNow. To be clear – we are not attempting to delegate our security functions to you in any way. We are merely asking for your assistance in taking actions on your systems that you control to appropriately remedy security issues that affect us all. All the tasks will be assigned due dates and any tasks where the due dates are not met will then be automatically escalated to the next level for action per the table below: