Escalation Procedure for Extensive / Widespread Cybersecurity Incident
Extensive / Widespread incidents will be further reported to University senior management.
- Upon receiving the report from the IT Security Officer, the Director of ITSC will report the incident to the Associate Provost (Teaching & Learning) and the Vice-President for Administration & Business within 24 hours of confirmation of the incident. They will decide collectively whether further escalation to the President and/or any legal action is necessary.
- All server and network logs will be preserved.
- In addition, the incident will be handled in a manner acceptable for possible subsequent legal action. Namely, certified cybersecurity forensics experts will be engaged to assist with the investigation and the handling of evidence, with respect to the following actions:
  - Data acquisition: Use a forensically safe method to obtain the compromised image.
  - Evidence handling: Evidence and its copies will be safely stored and protected. Detailed transfer logs will be documented in order to preserve the chain of custody.
  - Investigation: Investigation methods will be clearly documented in order to show that the investigation is comprehensive.
- Reports will be prepared in a forensically sound manner when the incident is required to be admissible in court.
Milestones at different stages
- A report will be provided when one of the following milestones is reached during the course of incident handling:
  - Early assessment of business impact.
  - Completion of containment and how the containment could protect the business.
  - Completion of incident eradication.
  - Final incident report is ready.
- In case the next milestone cannot be reached within a month, a monthly update will be provided.