Incident response management policy

Purpose

Incident response includes planning for and actively managing incidents that can prevent the University from leveraging its assets to meet its goals. Most commonly this takes the form of unauthorised access into a computer system, physical security intrusions, or if a natural disaster occurs. The Incident Response Policy provides the processes and procedures for ensuring incidents are properly handled with as little impact to the University as possible, and to begin the recovery plan. This policy applies to all Faculties and Directorates and all assets connected to the enterprise network.

Responsibility

Digital and Technology Services (DTS) is responsible for managing all IT and Cyber Security incident response functions.

All DTS staff are required to follow the written incident response plan.  Real world deviations are expected and the DTS Major Incident Manager will record and manage those deviations in line with the DTS Major Incident Process and Procedures. 

Third-party organisations involved in the incident response process must be managed by the incident manager. 

Users are responsible for reporting incidents that they are aware of to line management or to DTS or to other personnel as specified in the incident reporting process. Users are responsible for attending training for recognising and reporting incidents within the enterprise. 

It is the user’s responsibility to read and understand this policy and to conduct their activities in accordance with its terms. Users who find the policy statements to be unclear are encouraged to reach out to Digital and Technology Services (DTS) (https://www.dundee.ac.uk/it) to clarify ambiguities.

Exceptions

Exceptions to this policy must be made in writing and approved by your manager. This must contain:

• The reason for the request,
• Risk to the University of not following the written policy, 
• Specific mitigations that will not be implemented, 
• Technical and other difficulties, and 
• Date of review. 

All exceptions must be requested to DTS via the University Service Desk Self-Service Portal: https://help4u.dundee.ac.uk. 

Policy

1. DTS must develop and maintain a written incident response plan. 
2. This process must be documented and approved. 
3. This plan must include a process for responding to incidents. 
4. At a minimum, the incident response process must be reviewed on an annual basis or following significant changes within the enterprise. 
   
   1. This review may also occur following an incident or tabletop exercise. 
5. An incident manager and backup incident manager must be specifically identified by name within the plan. 
   
   1. If an external party is the incident manager, then one internal individual must be specified to oversee the response process.
   2. Contact information must be recorded in the incident response plan. 
6. Any parties that need to be made aware of a security incident must be documented. 
7. The plan must address any regulatory or other compliance requirements. 
8. The plan must address communications. 
9. DTS must develop and maintain a written process for users to report incidents. 
10. This process must include approved methods for reporting incidents including: 
    
    1. Primary and secondary methods for reporting. 
    2. Specific recipients to receive incident reports.
    3. Any minimum information needed. 
    4. Timeframes for reporting incidents. 
11. At a minimum, the incident reporting process must be reviewed on an annual basis or following significant changes within the enterprise. 

Review and Updates

This policy will be reviewed annually by the University and updated as necessary to reflect changes in technology, legislation, or institutional priorities.