56.50.10 - Incident Response
To define, establish, and implement an incident response policy, procedure, and plan for computer security incidents at TTUHSC El Paso as per state and federal law. 
The Information Security Officer (ISO) and the Chief Information Officer (CIO) will review this policy/procedure, and supporting documents biennially.
1. Scope and Applicability
- The Information Security Office will conduct periodic reviews of detected abnormal events and will verify whether these events are being reported on per this policy by employees, students, and vendors at TTUHSC El Paso. The Information Security Officer will assess the CIRT’s effectiveness to implement incident handling and response in two ways: lessons learned phase as established in the Incident Response Plan per incident and conduct an annual test incident to determine gaps in the policy, handling procedures, and response plan. 
2. General Policy
Any employee, student, or vendor at TTUHSC El Paso who suspect or experience an abnormal event during the use of a computer system, mobile device, and/or any other electronic device is required to immediately report such event in accordance with HSCEP OP 56.01. 
The Information Security Office, by means of incident response and handling procedures set forth in this policy, establishes whether an event is determined an incident or not. If an event is validated as an incident during the incident handling identification phase, the incident response plan will be activated, and the remaining phases will be executed.
Consequently, precedence over normal business operations will take place upon the immediate execution of incident response.
3. Procedure for Reporting, Handling, Monitoring, and Response
1. Reports abnormal event to the IT Helpdesk via phone call at 915-215-4111 or if possible via email to ELP.HelpDesk@ttuhsc.edu.
IT Helpdesk Personnel
2. Receives report from System User and immediately notifies the Information Security Office.
CIRT (First Responder)
3. Validates abnormal event as an incident or not.
a. If event is determined an incident, reports to the Information Security Officer
Information Security Officer
4. Determines level of incident as either small, medium, or large.
5. Assigns CIRT Lead if incident is classified as medium or higher.
6. Activates Incident Response Plan. 
7. Notifies the Chief Information Officer/Information Resources Manager when incident is classified medium or higher.
CIRT (Lead & Team)
8. Implements remaining phases to handle incident as defined in the Incident Response Plan. 
9. Tracks and documents the incident as per the Incident Response Plan. 
10. Reports back on incident resolution and results to the Information Security Officer.
Information Security Officer
11. Reports incident resolution and results to the Chief Information/Information Resources Manager, other executive level management, and the Department of Information Resources.
The Information Security Office will conduct periodic reviews of detected abnormal
events and will verify whether these events are being reported on per this policy
by employees, students, and vendors at TTUHSC El Paso.
The Information Security Officer will assess the CIRT’s effectiveness to implement incident handling and response in two ways: lessons learned phase as established in the Incident Response Plan per incident and conduct an annual test incident to determine gaps in the policy, handling procedures, and response plan. 
5. Management Commitment
In the event of a “large incident”, the Institution Head of TTUHSC El Paso, the Information Resource Manager, and other executive level management, will provide support and the necessary resources (financial, staff, etc.) to the Information Security Officer, the Information Security Office, Computer Incident Response Team, and Information Technology to mitigate exposure and loss.   
- A failure to report a suspected or abnormal event by any employee, student, or vendor, may result in the disciplinary actions as defined in HSCEP Information Technology Policy 56.01.10. 
- Disciplinary actions also include, but are not limited to:
In the event that a system user is found to be out of compliance with this policy or impede Information Security efforts, they are required to complete additional security awareness training within 30 days of the incident.
- Incidents will be reported to the Human Resources Department. For repeated incidents, additional disciplinary actions, as aligned with Compliance and Human Resources disciplinary policies, will apply.
The following are roles and responsibilities defined in this policy:
- System User
- Stops all work on a computer system, mobile device, and/or any other electronic device.
- Reports a suspected or actual incident via phone or email.
- Receives reports of suspected or actual incidents.
- Maintains up-to-date list of TTUHSC El Paso System Owners, system managers/operators, and system type for each system.
- Notifies appropriate personnel.
- Receives reports of suspected or actual incidents either from Helpdesk or System users.
- Determines level of incident in behalf of the Information Security Officer and execute incident handling action per Incident Response Plan.
- Notifies appropriate personnel.
- Determines level of incident and activate the Incident Response Plan.
- Notifies the Chief Information Officer if incident is determined a “Medium Incident” or higher.
- Directs and guides the information Security Office.
- Notifies the Institution Head of TTUHSC El Paso and other executive level management.
- Provides support to Information Security Officer, Information Security Office, and the CIRT.
- Provides any additional support (information, media, etc.) to the Information Security Officer, the Information Security Office, CIRT, and Information Technology
- Collaborates with CIRT to prevent internal/external barriers against incident handling and incident response.
- Computer Incident Response Team
The team composed of Information Technology (IT) and non-Information Technology personnel that is designated to respond to computer security incidents. Commonly referred to as the CIRT Team.
- Computer Security Incident
Any unlawful, unauthorized, or unacceptable event having potential or actual harmful effects on a computer system, mobile device, and any other electronic device with an operating system or that operates on a computer network. 
For ease-of-use purposes, the terms “computer security incident” and “incident” are the same through-out this policy.
The type of incident widely recognized as harmful include, but are not limited to, the following:
- Attempts (either failed or successful) to gain unauthorized access to (or use of) a system or its data.
- Unwanted disruption or denial of service.
- Unauthorized changes to system hardware, firmware, or software, including adding malicious code (such as viruses).
- Detection of symptoms of the above, such as altered or damaged files, virus infection messages appearing during start-up, inability to log in, etc.
At TTUHSC El Paso, incidents are classified by impact levels: small, medium, and large. 
- Incident Handling 
The process of handling an incident, which includes the following phases: identification, containment, eradication, recovery, and lessons learned.
- Incident Response 
The activities of the TTUHSC El Paso Information Security Office, in collaboration with other IT and non-IT personnel, that are performed in response to any situation determined to be either a potential or actual incident.
- 45 CFR 164.308(a)(6)
- TAC 202 Control Catalog IR-1, IR-4, IR-5, IR-6, IR-8
- HSCEP OP 56.01 – Acceptable Use of Information Technology Resources
- TTUHSC El Paso Incident Response Plan
- TAC 202.70 (2) & (3)
- TAC 202.71 (B)
- 56.01.10 Disciplinary Process