IR-01-727 Incident Response Policy and Procedures

IR-01-727
Incident Response Policy and Procedures
Incident Response
Respond
Cyber-Security Incident Response
LOW, MOD, HIGH
P1
Yes
May 20, 2016

The Agency shall follow Texas A&M University System ("TAMUS") and State of Texas procedures and guidance in responding to any suspected information security incidents. Identification of information security incidents shall be prompted by any suspicious information resource behavior that can be attributed to a suspected or confirmed intentional threat actor. Prioritization of information security incidents shall be based on the criticality of impacted resources, scope of the suspected impact, and potential for the behavior to spread to other information resources. Reporting of information security incidents shall follow the TAMUS incident notification matrix. Resolution of information security incidents shall follow guidance provided by TAMUS and State of Texas, any outside incident response providers, and industry accepted best practices for information security incident investigation and remediation.

Information security incidents are not responded to in a quick, effective and orderly manner.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
   1. Incident response policy [Assignment: organization-defined frequency]; and
   2. Incident response procedures [Assignment: organization-defined frequency].
The organization has documented policies and procedures and trained personnel to identify, prioritize, report, and resolve information security incidents as required by federal and state rules.
State organizations shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident, e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks.
Obtain incident response policy and procedures and other relevant documents or records, and ascertain if:
(i) the organization develops and documents incident response policy and procedures.
(ii) the organization disseminates incident response policy and procedures to appropriate elements within the organization.
(iii) responsible parties within the organization periodically review incident response policy and procedures.
(iv) the organization updates incident response policy and procedures when organizational review indicates updates are required.
(v) the incident response policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
(vi) the incident response policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
(vii) the incident response procedures address all areas identified in the incident response policy and address achieving policy-compliant implementations of all associated incident response controls.