Information Security Incidence Response Policy

Updated June 2021

Approved by the University's Corporate Management Team

1. Introduction

The University of Wolverhampton is the owner and custodian of a significant quantity of potentially sensitive or confidential information, including personal data relating to students, staff members and other individuals; financial or other business-related documentation; as well as academic data and papers that are intended to remain private and confidential. The University has a legal, moral and operational obligation to ensure the security of all such information at all times, and to set out the measures and plans it has in place in order to do so. This document sets out the University’s policy to govern its approach in the event of a security incident (as defined below), along with the procedures to follow under such an event.

2. Definitions

An information security incident is defined as any event where data held by the University is compromised (or an attempt is made to compromise it) through unauthorised means. This could mean the data is altered, accessed, deleted, damaged, shared, published, lost, copied or used in any other fashion by an unauthorised individual or individuals or a program irrespective of whether done intentionally or accidentally.

Examples include but are not limited to the following:

  • Malware infection e.g. ransomware attack
  • Network hacking attempt
  • Phishing, web-spoofing or other attempt at tricking a user to gain access/information
  • Human error e.g. inadvertently forwarding a confidential email
  • Theft or loss of devices containing data
  • Disruption to information systems or denial of service
  • Disclosure of payment card information to unauthorised users
  • Exploitation of a system weakness to gain access to data

Other definitions and abbreviations used in this document:

CSIRT Cyber Security Incident Response Team

DDoS Distributed Denial of Service attack

DPO The University Data Protection Officer

DS Digital Services

HESA Higher Education Statistics Agency

ICO The Information Commissioners Office

JISC Joint Information Systems Committee

MFA Multi-Factor Authentication

NCC NCC Group PLC

NCSC National Cyber Security Centre

OfS Office for Students

OVC Offices of the Vice Chancellor

SLA Service Level Agreement

UoW University of Wolverhampton

3. Purpose

The purpose of this policy is to outline the actions and steps to be undertaken in the event of a suspected or actual Information Security Incident. It also details the responsibilities of all individuals with access to University data in terms of reporting and responding to such incidents.

When a security incident occurs, it is imperative that the University takes prompt action to mitigate risks and limit potential damage. The consequences of inaction or inadequate action could be one or more of the following:

  • Financial loss
  • Significant reputational damage
  • Legal action and serious fines if a breach can be proven to be due to inappropriate procedures
  • Damage to equipment and/or university systems
  • Distress to staff or students
  • Disruption or serious interruption of university operations
  • Contractual costs through failure to meet obligations
  • Costs and inconvenience associated with the time taken to restore data

4. Audience

This document is aimed at all users of the University of Wolverhampton’s systems and data, including staff, students, suppliers, contractors and any other party whose business or operations brings them into contact with the university’s electronic data or systems.

The document is considered to be public domain and may therefore be accessed by all interested parties in an unrestricted fashion.

5. Scope

All individuals using University of Wolverhampton data and systems are expected to be bound by this policy. This includes but is not limited to staff members (permanent and temporary), students, suppliers and contractors. Failure to comply fully could result in disciplinary action for staff and students in line with the University’s procedures, or suspension/termination of contracts for suppliers and contractors.

University-owned systems are included as well as any privately-owned device where university data is processed or held, such as personal mobile devices with access to the university email server. This also includes supplier systems and databases where university data is held or processed and relates to any location whether within the university premises or elsewhere.

This policy is concerned only with electronic data (both at rest and in transit) and includes storage media such as memory sticks or DVD ROMs. Non-electronic (physical) data under the ownership of the University is outside the scope of this document. This means any information stored in paper format, or in other non-electronic formats such as physical photographs and images, microfiche etc. Such non-electronic personal data is covered under the University Data Protection Policy.

Systems operated by suppliers and third parties which do not process University-owned data are considered beyond the scope of this policy irrespective of whether or not they interface with University systems.

6. Roles and responsibilities

All users of University systems and data are responsible for using devices appropriately in order to minimise the risk of security incidents and are required to exercise caution at all times. Further advice can be found on the University of Wolverhampton Information Security webpages – see https://www.wlv.ac.uk/its/information-security. Should a user suspect or observe such an incident, then the prescribed actions should be taken at the earliest opportunity.

Responsibility for overseeing the application of this policy lies with the Head of Information Security, reporting directly to the Director of Digital Services. Depending on the nature of the incident, a P1 Response Team within Digital Services reporting to the Head of Information Security will be responsible for assessing the severity of such an incident, progressing such incidents to ensure resolution, managing/concluding incidents that require further investigation, and notifying the relevant parties documented below where escalation is deemed necessary. This team will be formed as required based on the nature and severity of the incident and is likely to comprise members of staff from across DS along with other individuals, such as representatives from NCC. Staff in the IT Service Desk will be responsible for first line support in the event that a security incident is reported. They will triage the issue, provide advice to the user and escalate it as appropriate based on the procedures laid out.

In line with other matters relating to staff conduct, HR Business Partners and Advisors for the relevant department or faculty are to be involved in the first instance where staff misconduct is suspected involving a cyber security incident. The HR Director may be responsible for dealing with matters involving possible legal action against a member of staff, or where a serious disciplinary procedure is to be invoked.

All students have agreed to abide by University regulations in relation to the ICT Acceptable Use Policy. If a student is suspected of misconduct in breach of this policy that has led to a possible cyber security incident, then they may be called to account under the University of Wolverhampton Student Disciplinary Procedure.

The University Data Protection Officer will be responsible for managing the university response in the event that a security incident leads to a potential breach of the Data Protection Act 2018 or other related legislation or other failure to comply with legal requirements over data privacy. This may include notifying the Information Commissioners Office (ICO) and the data subject where a serious breach is detected which would have a serious impact on the rights and freedoms of data subjects affected. If the incident is likely to have an impact on the reputation of the University, or major financial consequences, then staff members of OVC will be involved in planning and executing a recovery plan that includes protecting the reputation and wider standing of the University.

A specially trained First Responder Incident response team will be responsible for handling the most serious incidents involving a major data breach that necessitates that equipment and evidence be collected and preserved for a potential criminal investigation.

7. Security incident procedure

7.1. Reporting an incident

A user may be alerted to the existence of a suspected or actual information security incident through a number of different sources depending on the type of incident (see examples below). Often it will not be immediately obvious if an incident has actually taken place, however users are advised to err on the side of caution and report all instances where they suspect a security breach has occurred.

In the first instance, users should report a suspected incident through the itsupport@wlv.ac.uk email address or by calling 01902 32 2000 (during core hours), or by visiting the IT Support portal (you will need to sign in) and completing the support form. This should be done as soon as the incident is first noticed, as time is often of the essence in such cases.

Important note: If the incident involves a possible breach of personal data, users should also report the suspected incident to the DPO through the Data Breach Reporting Form immediately. Ensure as much detail is included in the report as possible. Note: Never give confidential information here such as passwords, bank details etc.

Details should include at a minimum the following:

  • The full name and contact details of affected user(s)
  • The date and time when the incident was observed or suspected
  • A description of the data involved in the breach (without giving the actual data unless specifically requested). Make clear if personal, confidential or sensitive data is thought to be involved.
  • Does the data just relate to the user in question, or could other users’ data be impacted? If the latter, give an estimate of the likely number impacted (1 – 10, 11 – 100, 101 – 499, 500+).
  • A description of the application, system or website in use at the time
  • Details on the device involved – i.e. laptop, phone, tablet. If a University of Wolverhampton-owned device, provide the identity tag (ITR) number if known.
  • A full description of what happened and what steps the user undertook
  • Any other information that might be of relevance, such as whether the incident took place on campus or at home, and whether the device was connected to the University network at the time of the event.

In general, users are not advised to try to resolve such incidents themselves. Instead, report the matter promptly and await a response from the support team. Cooperation with the support team is critical, so users are asked to follow any instructions given to them exactly and promptly.

The support team will log the incident as a ticket in the service management system (ServiceNow). All information supplied as part of any investigation will be treated in confidence and handled on a need-to-know basis.

In some cases a user will not be aware a security incident has occurred affecting their account and/or data, and will first learn of it when informed by the Support Desk with instructions on how to proceed. This will happen in the event that a system-generated warning has been triggered.

7.2. Common types of incident

There are a wide variety of security incidents that users may be exposed to, some of which are potentially serious especially if carefully targeted at an individual or group of individuals. Other attempts are more random and generally easier to identify, but still represent a risk to the organisation and the individual.

In general, users are advised never to disclose password details or any other authenticating information (e.g. MFA response codes) to anyone purporting to represent the University or any associated organisation. A genuine member of staff will never ask a user to disclose this type of information.

The following represents a selection of the most common types of attempt to compromise security:

Malware: This represents any type of malicious or ill-intentioned software that has found its way into a system. Often this is software that’s mistakenly downloaded from a seemingly benign website, or installed from an email attachment or link (see also Phishing attempt below). Memory sticks and other removable storage are also often a source of these.

Malware can often take the form of a virus that attempts to spread itself across a network, in the process harming the host device and/or harvesting confidential information – for example using key-capture software to collect passwords. The antivirus software installed on many devices should identify and neutralise many of these, but is not considered fail-safe. Users should report any instances whether suspected or observed.

One of the most serious types is ransomware. This is software that typically encrypts a user’s data and threatens to wipe it unless a ransom is paid. If such a program is encountered, a user should never offer to pay the ransom under any circumstances. Ensure the device is disconnected from any network, and then report the issue immediately. This will then be investigated as a high priority matter.

Compromised accounts: A user account is compromised when someone else gains access to it, or makes a concerted attempt to do so. Once an account is compromised, any data and systems accessed by that user are no longer considered secure.

An account may be compromised when a user enters their details into a spoofed webpage (i.e. a page that looks genuine to trick someone into giving their account credentials), or by malware that harvests passwords in other ways. If this happens, a user should report it immediately so that the account can be temporarily deactivated and the password reset.

If it’s clear that data has been accessed and leaked/damaged, then an assessment of the situation will be undertaken and appropriate remedial measures planned.

It’s often the case that a user will not realise that their account has been compromised or that there have been attempts to do so. The University monitors security events related to account logins and may take action on behalf of a user if a breach is suspected. Where possible users will be informed if this is the case, though it’s likely that their primary email address will have been compromised, so some other means of communication will be sought such as via a secondary (external) email address.

Users should be vigilant for this type of attack – for example, by confirming that any webpage that asks for account details is secure (look for the padlock symbol, bearing in mind that this only shows the connection is encrypted, not that the site is genuine), and, where applicable, uses multi-factor authentication (MFA) such as through an SMS code sent to the user’s mobile phone.

Phishing attempt: This usually comes via an email that lulls a user into providing confidential information, such as user account information, bank details etc. It may appear to come from a colleague or friend, but this should not be trusted – the friend’s account may already be compromised. The email may ask the user to reply directly with information (such as a password), or more likely, invite the user to click on a link to a fake (spoofed) webpage. It is often accompanied by a chilling warning that failure to do so will result in the account being locked out permanently, or legal proceedings being brought against the individual.

A phishing attempt may also take the form of a phone call or text message purporting to come from a member of staff at the University, a utility provider, a bank or some other trusted organisation. If genuine, such calls will never ask for confidential information, and will never ask the user to install something on their device, so if the caller or message is urgently requesting this it should be treated with extreme suspicion and reported immediately.

In general, a suspected phishing email received by a UoW account should be reported to the Service Desk alongside phish@office365.microsoft.com, then deleted immediately. Send the email as an attachment rather than forwarding the content – this allows the message headers to be inspected. Links and attachments should never be clicked on, and no personally identifiable information should ever be disclosed. If a user believes they’ve inadvertently been lulled into disclosing such information, this should be reported as described above. For more advice here, see https://www.wlv.ac.uk/its/information-security/phishing-awareness

Hacking attempt: This covers a large number of techniques used by criminals to try to overcome security protocols that are designed to protect valuable systems and data. This may include direct hacking attempts to circumvent firewalls, as well as more nuanced attacks such as Distributed Denial of Service attacks (DDoS), which try to disable a system by flooding it with requests or data.

Any user who is a victim of such an attempt should report it immediately and mark it as a high priority matter. Depending on the nature and severity of the issue, it may be necessary for the University to impound one or more devices for evidence so that a criminal investigation may be undertaken.

In such an instance, a wide-ranging response effort is likely to be needed including involvement by the Digital Network Architect in the investigation and recovery process.

Details on the procedures and processes for handling the above types of incidents are documented separately – see Related Documents and Dependencies.

7.3. Process for responding to an incident

In the first stage, the Digital Services Support Desk will review incoming reports of an information security incident affecting University systems and/or data. They will log this in the ServiceNow system, triage the matter to identify the severity and scope, and make an initial assessment. In normal working hours they will aim to do so within 2 hours, although this is on a best-endeavours basis and the timeframe will not always be achievable.

In particular, they will consider:

  • The type of incident
  • The number of users affected, and any distress caused
  • The amount and sensitivity of data impacted
  • The overall effect on University operations, such as the legal or commercial implications.

The Support Desk will be expected to refer to the standard operating procedures documenting the approach to each type of incident. After analysis, it may be determined that the incident is considered a relatively minor one with a known resolution path, in which case they may be authorised to undertake the remedial measures (if any) and close the incident. In such instances no further action need be taken. The affected users will be informed and given appropriate advice on how to proceed.

In cases where the risk analysis indicates a more serious incident, or where the severity and extent is unclear, then the P1 Response Team may become involved. This will entail appointing a lead investigator who will then document the issue fully – potentially involving further representations from the user(s) – as well as ensuring all relevant information is gathered and preserved. They may also request that physical equipment be submitted for investigation.

If information relating to the incident – particularly that of a personal nature – needs to be recorded, this will be logged in a manner that limits access only to those requiring it.

An impact assessment will be made based on the probable breach of confidentiality, and the impact on wider users and systems. If it proves necessary – for example, there’s a likely impact on the financial well-being of the institution, or possible reputational harm, then the matter may be escalated for a wider incident response. Alongside that, the lead investigator will move to the containment and recovery phase (see below).

Affected users will be kept informed during this process and, where possible, steps will be taken to ensure that disruption to their activities is minimised, for example by offering the use of temporary equipment if it’s not possible to restore access to the suspect device in a sufficiently short timeframe.

7.4. Containment and Recovery

In consultation with other individuals in the P1 Response Team, the lead investigator will decide on the appropriate course of action to limit the impact of the incident and mitigate any knock-on effects. Full support from staff is expected as part of this exercise, as this may involve individuals from different departments within Digital Services. This may involve isolating compromised network equipment to create a network firebreak, as well as rebuilding/reimaging devices where appropriate.

Consultation with third party organisations may be necessary in order to undertake the containment and recovery of the most severely affected systems and data, in particular NCC Group as the cyber security partner of the University.

All steps to recover lost or damaged data will be undertaken to limit the spread, and to attempt to resume normal activities. Where necessary this may mean restoring from system backups, or resetting/recreating compromised accounts. System owners and information asset owners will be informed where assets under their management are likely to have been impacted.

For very serious incidents involving suspected or actual criminal intent, equipment will be seized and securely stored by the First Responder team as evidence for a potential criminal investigation.

Every step undertaken will be documented for audit purposes and, if appropriate, potential future legal action.

7.5. Escalation

The escalation procedure is outlined as follows:

  • Initial triage of reported security incident by the IT Service Desk. Based on the initial risk assessment, the matter may then be escalated to the Head of Information Security (or other member of staff within this team). A decision may be taken to form a P1 Response Team if it is believed that personal or confidential business data has been compromised or a significant number of individuals have been adversely affected.
  • The P1 Response Team would undertake a review of the issue and assess the scope, scale and impact of the incident. If personal or other confidential/sensitive data has been seriously compromised, this will be escalated further on the advice of a member of the Information Security team. If so, it’s possible that the First Responder team will be asked to impound devices and collect evidence.
  • Senior management will then be informed, including the Director of Digital Services, and a decision will be made on the proposed course of action. If the Director of Digital Services declares it to be a major incident, then professional support services such as the HR and Legal departments will be engaged in accordance with the prescribed major incident procedures.
  • Engagement with the CSIRT at NCC may be initiated, according to the terms of the retained incident response SLA at the behest of the Director of Digital Services or the Head of Information Security.
  • For issues likely to have a widespread impact on the University as a whole, whether reputational, financial or operational, the matter may be escalated to OVC via the University Secretary. In particular, if a serious data breach is suspected, the University Legal department may become involved along with the Data Protection Officer (DPO). Further details of the procedure here are to be found in the University of Wolverhampton Data Breach Incident Management Policy.
  • If the scope, scale and visibility of the issue means that there may be outside media interest, or may cause concern amongst business partners or other organisations, then External Engagement will be involved in the communication response. The Vice Chancellor will be kept abreast of all such communications and the overall response.
  • For a breach involving personal data which would pose a high risk to the rights and freedoms of individuals, the Information Commissioner’s Office (ICO) and the data subjects may be notified. The DPO will be responsible for the decision to report here and will handle all such communication.
  • Depending on the nature of the security incident, it may also be necessary to inform the Police or other external government agencies such as the National Cyber Security Centre (NCSC): https://www.ncsc.gov.uk/scheme/cyber-incidents. This will be determined by the Head of Information Security or the Director of Digital Services.
  • The Office for Students (OfS) may also need to be informed if the incident leads to a “Reportable event” as defined by the OfS guidance on data security.
  • HESA (the Higher Education Statistics Agency) should also be alerted in the event of a ransomware attack (or similar) that seriously impacts the University’s systems.
  • Consideration should also be given to involving the JISC Cyber Security response team depending on the nature and spread of the issue, especially in the case of a denial of service attack or a ransomware attack.

7.6. Closure and Lessons Learned

A security incident may be closed only once all containment and recovery activities are complete, and efforts have been exhausted to limit the fallout and impact. A recommendation to close will be made by the lead investigator, and will require approval from the Head of Information Security or the Director of Digital Services. Closure will be noted within the reporting system, along with a final closure report. A closure meeting may be called to confirm the above are complete, and review and conclude communications with external organisations e.g. ICO.

For serious incidents, and particularly those without precedent, important lessons will need to be learned. This will include a review of the actions taken to determine whether improvements could have been made, such as how the response could have been faster and/or more effective. Steps and measures will be taken to limit the exposure to similar issues in future which may include hardening defences as well as strengthening operating procedures. All changes and recommendations will be documented against the incident. The Head of Information Security is expected to lead this activity in consultation with other staff involved in the incident response along with the NCC CSIRT team (if applicable).

8. Related documents and dependencies

Each entry below lists the document or resource, a description, its owner and its intended audience.

Service Desk Phishing Response procedure
  Description: Process to be followed by the Service Desk on notification of a suspected or actual phishing incident
  Owner: UoW Information Security Dept
  Audience: Internal

First Responder Incident Procedure
  Description: Process to be undertaken by First Responders in the event of a serious incident requiring the preservation of evidence
  Owner: UoW Information Security Dept
  Audience: Internal

Compromised Accounts recovery process
  Description: Process to be undertaken following a report of compromised user accounts
  Owner: UoW Information Security Dept
  Audience: Internal

Ransomware recovery process
  Description: Process to be undertaken following a report of ransomware affecting user device(s)
  Owner: UoW Information Security Dept
  Audience: Internal

University of Wolverhampton Business Continuity and Disaster Recovery plan
  Description: Plan for the restoration of service after outage or data loss, including those caused by a security incident
  Owner: Health, Safety and Resilience Division
  Audience: Internal

University of Wolverhampton Information Security Policy
  Description: General policy and approach to information security adopted by the University of Wolverhampton
  Owner: UoW Information Security Dept
  Audience: Public Domain

University of Wolverhampton Data Protection Policy
  Description: University of Wolverhampton Data Protection Policy
  Owner: Office of the University Secretary
  Audience: Public Domain

University of Wolverhampton Data Breach Incident Management Policy
  Description: Policy on the processes covering the evaluation, response and recovery following a data breach. See Data Breach Policy
  Owner: Office of the University Secretary
  Audience: Public Domain

National Cyber Security Centre Incident Management resources
  Description: Cyber-security incident management resources and guidance for UK organisations. See https://www.ncsc.gov.uk/section/about-ncsc/incident-management
  Owner: NCSC
  Audience: Public Domain

Information Commissioner’s Office (ICO)
  Description: Independent UK body set up to uphold and enforce information rights. See https://ico.org.uk/
  Owner: ICO
  Audience: Public Domain

OfS Guidance for providers about reportable events
  Description: Office for Students documentation detailing the requirements for reportable security events. See https://www.officeforstudents.org.uk/
  Owner: OfS
  Audience: Public Domain

JISC Cyber Security portal
  Description: Cyber security services provided by JISC. See https://cybersecurity.jisc.ac.uk/services
  Owner: Jisc
  Audience: Membership access

Retained Incident Response Service User Guide
  Description: Details on the retained incident response support service provided by NCC to UoW
  Owner: NCC
  Audience: Internal

HESA (Higher Education Statistics Agency)
  Description: Designated Data Body (DDB) of the OfS. UoW has an obligation to report ransomware attacks to the HESA Liaison team and Legal team
  Owner: HESA
  Audience: N/A