UTIA IT0122P – Information Security Incident Response Plan and Reporting Procedures

Effective: September 1, 2014

Last Reviewed: July 01, 2021

Last Updated: July 23, 2021

Objective:

This document describes the appropriate procedures for reporting a security incident as detailed in UTIA IT0122 – Information Security Incident Response Policy.

Scope:

The Incident Response Plan and Reporting Procedures apply to all units of the University of Tennessee Institute of Agriculture (the Institute), including contractors and consultants who manage or utilize IT assets, as well as individuals accessing those assets. These procedures must be followed in the event of a security incident or possible incident. Reportable information security incidents will be treated as an incident until procedures have ruled out an actual incident.

Reportable Information Security Incidents:

Although not an all-inclusive list, any of the following can be considered a security incident:

  • Suspicious computer activity including, but not limited to:
    • Unusual connections
    • Unusual logon attempts or successful logons
    • Excessive bandwidth consumption
    • Copyright infringement
    • Malicious network or system sweeps or scans
    • Significant degradation of computer performance
  • Suspected compromise of IT resources including, but not limited to:
    • Ransomware attacks
    • Spear phishing attacks
    • Stolen Institute-owned IT assets
    • Malicious attacks against systems
    • Denial of service attacks
    • Malware
      • Phishing attempts
      • Clicking on suspicious links
      • Opening unrequested email attachments
    • Compromised user accounts
  • Suspected breaches of moderate or internal use data. Examples of moderate data include:
    • Personally Identifiable Information (PII)
    • HIPAA data
    • FERPA data
    • PCI data
    • Legally protected Human Resources data
    • Research data protected by contract
    • Self-declared critical data
    • Patent data
  • Misuse of IT assets according to Institute policies and procedures; University policies; industry and government standards; and applicable local, state, and federal laws

Procedures for Reporting a Security Incident:

  • End User Responsibilities
  1. Stop all work on the computer and contact your local or regional IT support personnel.
  2. Advise the local or regional IT support personnel if your system is classified as low, moderate, high, or business critical.
    • If a local or regional IT support person is not available, immediately contact the Chief Information Security Officer (CISO).
    • Contact the OIT HelpDesk to report a security incident only if you are unable to reach a local or regional IT support person or the Institute’s CISO, and be certain to tell them you are with the Institute.

  • Local/Regional IT Support Personnel Responsibilities
  1. Quickly and briefly investigate system anomalies to assess if an information system security incident is in progress or has occurred.
  2. Create a trouble ticket in utk.teamdynamix.com, completing all mandatory fields. If a security incident has not occurred, please proceed to step 5.
  3. If the system is classified as moderate, high, or business critical, then
    1. Do not turn the system’s power off;
    2. Disconnect all network connections;
    3. Contact the Institute’s CISO immediately;
    4. Wait for direction from the incident response team before taking any further action.
  4. If the system is classified as low, then
    1. Run necessary scanning services as listed on Institute’s Security website;
    2. Contact the Institute’s CISO for additional support, if necessary;
    3. Remediate the IT asset by reimaging or per other departmental guidelines if necessary (e.g., scan the hard drive with additional tools, rebuild, etc.);
    4. Update the ticket in FootPrints, logging results.
  5. Local/regional IT support personnel will close utk.teamdynamix.com security tickets for systems classified as low, while the Institute’s CISO will review and close all tickets for systems classified as moderate, high, or business critical as related to security incidents.
  • Institute CISO Responsibilities
  1. Provide advice and assistance to all users.
  2. Determine who is on the Institute Response Team and provide oversight.
  3. Provide checklist to the Incident Response Team to ensure all procedures are completed.
  4. Work with the Incident Response Team to determine if an incident has occurred and the severity of the incident.
  5. Perform follow-up activity with the Incident Response Team.
  6. Maintain all documentation for all system security incidents.
  7. Submit a detailed report to the UT System Administration CISO for appropriate state reporting.

Work should be conducted within the Institute’s organizational tree to quantify the personnel time required for dealing with the incident (including time necessary to restore systems). Analyzing the personnel work time associated with an incident will help those who may be prosecuting any suspected perpetrators, and will aid in the justification of funding for future security initiatives.

Refer back to UTIA IT0122 – Information Security Incident Response Policy to ensure that all other requirements have been met.

References:

UTIA Glossary of Information Security Terms

UTIA IT0122 – Information Security Incident Response Policy

UT Policy IT0122 – Security Incident Reporting and Response

UTIA IT0115 – Information and Computer System Classification Policy

UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy (AUP)

NIST SP 800-61 – Computer Security Incident Handling Guide

For more information, contact Sandy Lindsey, CISO, at (865) 974-7292, or email sandy@tennessee.edu.

Approval of Procedures

We approve UTIA IT0122P – Incident Response Plan and Reporting Procedures as described in this document.

Name

Title

Signature

Date

Tim Cross, Ph.D.

Senior Vice President and Senior Vice Chancellor, UTIA


7/27/2021 | 08:

Angela A. Gibson

Chief Information Officer, UTIA


7/27/2021 | 09:

Sandra D. Lindsey

Chief Information Security Officer, UTIA


7/27/2021 | 09:

