Cybersecurity Incident Handling Policy

Revised: 10 Oct 2018 by ITSC

Cybersecurity Incident

In principle, cybersecurity incident can be broadly defined as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (quoted from NIST Computer Security Incident Handling Guide SP800-61).

In practice, the current focus is on any unauthorized access, use or modification to the University’s IT resources including end-points, servers, applications, network and data. Such accesses, uses or modifications usually happen in the form of :

  • Computer viruses or malicious codes;
  • Hoaxes or scams enticing individuals to surrender confidential information;
  • Manual or automated hacking activities;
  • Leaks or breach of high-risk data according to the Risk Classification Examples of Common IT Resources.

In particular, when a cybersecurity incident involves (or is expected to involve) leakage or breach of personal data, the incident is considered a Personal Data Incident. In compliance of the Hong Kong Data Privacy Ordinance, such incidents need to be further reported to the University Data Privacy Officer according to the guidelines detailed in the University’s Personal Data Privacy.

Handling Cybersecurity Incident

To protect the concerned individuals, units as well as the University as a whole, cybersecurity incidents should be handled as soon as possible. The following outlines the stages involved in handling a cybersecurity incident :

1. Report

Cybersecurity incidents, once discovered, should be promptly reported to ITSC. Currently, the following channels are available for reporting cybersecurity incidents :

  • ITSC Help Line (telephone with voice mail)
  • ITSC Service Desk (in person)
  • ITSC Cybersecurity Incident Response Contact Email at security@ust.hk

2. Initial Containment

Cybersecurity incident usually comes with damages. Attempts should be made to minimize the impact of the incident as much and as quickly as possible. For instance, disconnecting the affected computer from the network may be a sensible first step to limit the damage in certain cases. Those who discover a cybersecurity incident are usually in the best position to perform containment measures and may seek further advice and help from ITSC and their respective Cybersecurity Coordinators when reporting the incident. In any case, such measures are intended only as quick containments of the problem and should not be considered as closure of the incidents.

3. Impact Assessment, Eradication and Recovery

The Cybersecurity Incident Response Team in ITSC works hand in hand with Cybersecurity Coordinators in different units to follow up on reported cybersecurity incidents.

When a cybersecurity incident is reported, the Cybersecurity Incident Response Team will classify it into one of the following different incident impact levels:

Incident Impact Level Descriptions of Impact Level Example of incidents
Extensive/ Widespread If not resolved immediately, the incident will result in unscheduled service interruption of critical service, or severe security breach together with financial loss, data breaches or reputation damage. Compromise of computer handling student records; media reported compromise of system, etc.
Significant/ Large If not resolved timely, the incident may affect the normal operation of core services and lead to security breach. Financial loss or reputation damage is also probable. Disruption of teaching related IT systems; compromise of computing facilities but without student or staff records, etc.
Moderate/ Limited If not resolved within a reasonable period of them, may introduce additional vulnerabilities and expose the information systems or resource to higher risk of service interruption. Financial loss or reputation damage is possible if such vulnerabilities are exploited accidentally or by malicious parties. IT systems found to be vulnerable or compromised; some non-teaching related servers suspected to be compromised.
Minor/ Localized The incident is related to non-critical information systems or non-sensitive data, and the possibilities or causing service interruption, financial loss or reputation is remote. However, it may require additional controls or alternative operational procedures to retain service level and could lead to downgrade of efficiency. Virus infection of a few desktop computers which are not used for student records.

Priority and approach to handle incidents will depend on the incident impact level. Extensive/Widespread incidents will be further reported to University senior management by following our Escalation Procedure for Extensive / Widespread Cybersecurity Incident .

Technical measures will be taken where appropriate, such as eradicating any malicious contents from the affected systems, resetting passwords, applying software patches, correcting system configuration, etc. In some situation, entire system needs to be re-installed. Any damaged or lost data may need to be restored.

4. Review

All cybersecurity incidents will be recorded. For Significant/Large or Extensive/Widespread incidents, the Cybersecurity Incident Response Team shall prepare a review report in collaboration with the relevant Cybersecurity Coordinators. The review report will outline the incident, remedial actions taken, impact of the incident as well as longer term actions that are deemed appropriate. The review report will be sent to the Cybersecurity Steering Group as well as the management of the concerned units for reference.

Related Links