IR-1: Incident Response – Policy and Procedures
NIST Baseline: Low
Privacy Baseline: Yes
DIR Required By: 07/20/2023
Review Date: 07/10/2024
Purpose –
The Incident Response Policy and associated controls describe the requirements for responding to and minimizing the impact of an information security incident impacting Tarleton State University (Tarleton).
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.
Compliance –
Incident Response controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76, §202.73 and Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security.
Implementation –
- Tarleton will follow the guidance of TAMUS Cybersecurity and the Texas Department of Information Resources (DIR) in responding to suspected information security incidents.
- Prioritization of information security incidents will be based on the criticality of impacted resources, and current and potential business impact (e.g. unauthorized disclosure of confidential information, access to services, loss of revenue, and potential to spread to other information resources). See Control IR-6, Incident Reporting, for additional information.
- The Tarleton CISO, in coordination with information resource owners and custodians, shall develop, document, and disseminate a policy and set of controls that addresses the Incident Response Policy for information resources. These controls and policy should:
- Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- Information resource owners and custodians are responsible for any procedures to facilitate the implementation of the Incident Response Policy and associated controls in order to ensure the proper prioritization of information security incidents based on the criticality of impacted resources, and current and potential business impact;
- The CISO, or their designee, shall review and update the Incident Response Policy and associated controls as necessary and at least every two years as required by DIR.