
Incident Response Process

Unit Incident Response Process

Each Unit is responsible for its own local incident response plan. Key parts of that plan should include: which individuals within the Unit are responsible for detecting potential incidents and how detection is done; when and how potential incidents are reported to the central campus process; and how incidents are contained and recovered from.

Campus Incident Response Process

A high-level description of the main components of the campus incident response process is given below.

The complete UCI Security Incident Response Plan is available internally to UCI stakeholders, and fully aligns with the UC Incident Response Standard.

1. Detection / Report of Potential Incident

Potential incidents can be detected internally through OIT Security Operations Center (SOC) event monitoring, or reported by a Unit, by a campus affiliate via the Report an Incident page, or by one of our many threat intelligence partners. Incidents can include a compromised account, a compromised computing device, compromised data, or any other cyber-criminal activity.

2. Incident Response (Containment and Initial Classification)

The SOC works with the appropriate IT Owner to contain the incident if necessary. The root cause is progressively identified. Basic analysis is done to determine whether it is a Routine incident or a potentially Significant incident. If it is a Routine incident, skip to step 5.

3. Validation and Classification of Significant Incident

A potentially Significant incident is reported by the SOC to the CISO. The CISO, in consultation with the campus privacy official and campus counsel, validates that it meets the criteria of a Significant incident. If it does (or likely does, based on the incomplete facts available while the investigation is in progress), the CISO notifies the appropriate people according to the cyber incident escalation protocol. Depending on a number of factors, including data type, number of people affected, criminal activity, and impact, escalated notification may include the CIO, CRE, Chancellor, UCOP Cyber Coordination Center (C3), UC President, or Regents. The formal incident response team is convened.

4. Formal Incident Response Team Coordination

The campus-wide team convened to respond to an escalated Significant incident includes the SOC manager, CISO, CIO, CRE, privacy, legal, risk, compliance, communications, police, and the appropriate Unit Head(s) and UISL(s). Depending on the severity of the incident, external resources may be included, such as the UCOP C3, OGC, external law enforcement, and external third parties that handle forensics, communications, or call center services. Assistance is offered for incident containment, root-cause analysis, remediation, and notification of affected individuals and regulatory bodies.

5. Remediation and Post-Incident Review

The impact of the incident (Routine or Significant) is fully contained, eradicated, and recovered from. The post-incident review includes lessons learned, an updated risk assessment, planned corrective actions, final communications, and close-out of the final report.