[Faccus] Security Incident Reporting

Jason Testart jatestart at uwaterloo.ca
Fri Feb 20 16:17:52 EST 2015


In order for the IST Security Operations Centre (SOC) to be effective, it requires feedback; not just as a result of SOC-initiated incident response, but proactive notifications of potential incidents from outside of IST. Without this information, it is difficult to correlate possibly-related activity or to make educated decisions about risks or future strategy. As legislation and contractually-imposed requirements mature, this information will only become more crucial to everyone.

In examining campus-wide responses to information security incidents, and in meetings with other staff, it has become apparent that information is often insufficiently gathered and is not always shared with the IST SOC. While response to SOC-initiated investigations is generally good, incidents initiated outside of the SOC don't always get reported back. On occasion, SOC staff find out about incidents third-hand. While it is understood that IT staff are busy, this lack of reporting is hindering the SOC from doing its job of gathering information related to incidents. Furthermore, reporting security incidents that might have resulted in the breach of personal information - which is nearly every security incident - is required by University Policy 8. Even "routine" malware infections could result in a breach, so these must be reported as well.

The easiest way to report an infection is to send whatever details you have to soc at uwaterloo.ca, where ISS staff can assist in response and information gathering. We understand that IT staff are busy and that gathering this information can cause what seems to be extra work, but it is critical for the University to maintain its security posture, compliance with legislation, and contractual obligations.

The university's security incident response procedure can be found here:

https://uwaterloo.ca/information-systems-technology/about/policies-standards-and-guidelines/security/incident-response-procedure

It is linked to from the Policy 8 page.

Thanks,

JT

- -
Jason Testart, BMath, CISSP
Director, Information Security Services
Information Systems & Technology
University of Waterloo
Waterloo, Ontario, Canada
+15198884567 x48393