University cyber-security incident response process
The University cyber-security incident process, effective from 8 February 2023, was requested by the Information Services Committee (ISC) to improve the detection, visibility, and response to cyber-security incidents across the University.
The process details the relationship between institutional IT staff and the UIS CSIRT service including requirements, responsibilities and response times.
It applies to all institutions connected to the University Data Network when a cyber-security incident is detected.
The process assumes University working hours are 09:00 - 17:00, Monday to Friday (excluding public holidays).
Reporting a cyber security incident
Non-IT staff and students
Non-IT staff and students should follow the reporting an IT security incident process and report all cyber security incidents to their institution’s IT support team. For some institutions this is the UIS Service Desk, but most institutions have their own local IT support staff.
Institutional IT staff
Institutional IT staff should follow the step-by-step process outlined below, which has been designed to help institutions and UIS maintain a consistent approach to cyber-security incident response.
View PDF flow charts of the response process.
When to report an incident to UIS CSIRT
Reporting significant incidents
Institutional IT staff must report significant cyber-security incidents to UIS CSIRT. Whether an incident is significant and therefore reportable to CSIRT is a judgement for institutional IT staff, but UIS recommends treating it as reportable where a cyber-attack:
- uses unusual or novel attack methods
- constitutes an elevated risk to the institution or the wider University
- has successfully compromised a server, device or user account
- has resulted in a successful malware infection
Institutions must update UIS CSIRT when a significant incident is resolved.
Minor incidents
If an incident is not significant, then it should be considered a minor security incident or event, and this does not need to be reported to CSIRT. Examples of a non-reportable event include:
- a security vulnerability is discovered but there’s no evidence of exploitation
- a port scan from a remote IP address is detected
- an easily identifiable phishing email
- a small number of failed logins to an SSH server
Malicious spam reporting
Malicious spam, such as phishing email, is very common and can be acted on by UIS without any further correspondence with the institution. Such spam can therefore be sent directly to the UIS spam reporting address, spam@uis.cam.ac.uk.
Worsening incidents
Institutions must update UIS CSIRT if an incident under investigation significantly changes in scope or becomes potentially relevant to other University institutions.
How to report an incident to CSIRT
These steps are a summary of the incident flow diagrams.
If UIS is responsible for the affected IT service
- Send CSIRT a support request message (csirt@uis.cam.ac.uk)
- CSIRT investigates and resolves the incident
- CSIRT sends the institution an incident resolved message
- The incident is closed
If the institution is responsible for the affected service
- The institution sends CSIRT an incident notification or a support request message
- CSIRT acknowledges the message within 4 working hours
- The institution investigates the incident following its local process, with advice and support from CSIRT if requested
- The institution resolves the incident
- The institution sends CSIRT an incident resolved message
- The incident is closed
If it's malicious email
- The institution forwards the email to spam@uis.cam.ac.uk or, if support is required, sends CSIRT a support request message, in which case the process outlined above applies
- CSIRT follows the malicious email incident process
Receiving a CSIRT security alert or advisory
These steps are a summary of the incident flow diagrams.
Process for receiving a [CSIRT Alert] email
- An email sent from UIS CSIRT that includes in the Subject line [CSIRT Alert] is a security alert. It may be important and should be treated as a priority.
- An institution receiving a new security alert from UIS CSIRT must send an acknowledgement within 8 working hours. An automatically generated reply from a service desk platform, or similar, is not sufficient and the acknowledgement must be written by a person.
- If UIS CSIRT does not receive an acknowledgement, it will contact the institution’s designated cyber-security incident escalation address.
Process for receiving a [CSIRT Advisory] email
- An email from CSIRT marked [CSIRT Advisory] in the Subject line is a security advisory. Security advisories are a lower priority than alerts.
- CSIRT does not require an acknowledgement within 8 working hours, but the institution must inform CSIRT by email when the advisory has been resolved so that the incident can be closed.
- CSIRT may re-send an unresolved advisory if it has not received a reply.
Process for UIS CSIRT
- When contacted by an institution's IT staff, UIS CSIRT must send an acknowledgement within 4 working hours.
- UIS CSIRT will inform Jisc of any security incidents that meet Jisc’s reporting criteria described in the Janet Security Policy.
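The response times above (CSIRT acknowledging within 4 working hours, institutions acknowledging a [CSIRT Alert] within 8 working hours) are counted against the working day defined at the top of this page: 09:00 to 17:00, Monday to Friday, excluding public holidays. The following is an added example, not part of the UIS process or its tooling, showing how a local IT team might compute those deadlines and classify incoming CSIRT mail by its Subject tag when feeding a ticketing system. The holiday set and the sample subject lines are constructed for illustration; the real public-holiday list must be supplied by the institution.

```python
import re
from datetime import datetime, date, time, timedelta

# Working day as defined by the University process: 09:00-17:00, Mon-Fri,
# excluding public holidays.
WORK_START = time(9, 0)
WORK_END = time(17, 0)

# Constructed sample holiday set (hypothetical): Good Friday and Easter
# Monday 2023. Replace with the institution's actual public-holiday list.
SAMPLE_HOLIDAYS = frozenset({date(2023, 4, 7), date(2023, 4, 10)})

# Subject-line tags the process defines for CSIRT mail.
ALERT_RE = re.compile(r"\[CSIRT Alert\]")
ADVISORY_RE = re.compile(r"\[CSIRT Advisory\]")


def is_working_day(d, holidays=frozenset()):
    """Monday-Friday and not a public holiday."""
    return d.weekday() < 5 and d not in holidays


def add_working_hours(start, hours, holidays=frozenset()):
    """Return the datetime `hours` working hours after `start`.

    Time outside 09:00-17:00, weekends and holidays does not count, so a
    deadline can roll over to the next working day (or several, across a
    weekend or holiday run).
    """
    remaining = timedelta(hours=hours)
    current = start
    while True:
        day = current.date()
        day_start = datetime.combine(day, WORK_START)
        day_end = datetime.combine(day, WORK_END)
        if not is_working_day(day, holidays) or current >= day_end:
            # Non-working day, or after close of business: skip to next 09:00.
            current = datetime.combine(day + timedelta(days=1), WORK_START)
            continue
        if current < day_start:
            # Received before 09:00: the clock starts at 09:00.
            current = day_start
        available = day_end - current
        if remaining <= available:
            return current + remaining
        # Consume the rest of today and continue tomorrow at 09:00.
        remaining -= available
        current = datetime.combine(day + timedelta(days=1), WORK_START)


def csirt_ack_deadline(received, holidays=frozenset()):
    """When CSIRT must acknowledge an institution's message (4 working hours)."""
    return add_working_hours(received, 4, holidays)


def classify_csirt_mail(subject, received, holidays=frozenset()):
    """Classify an inbound CSIRT email by its Subject tag.

    Returns (kind, acknowledgement_deadline). Alerts need a human-written
    acknowledgement within 8 working hours; advisories need no timed
    acknowledgement (only a resolution email later); anything else is 'other'.
    """
    if ALERT_RE.search(subject):
        return ("alert", add_working_hours(received, 8, holidays))
    if ADVISORY_RE.search(subject):
        return ("advisory", None)
    return ("other", None)


if __name__ == "__main__":
    # Constructed sample: an alert arriving late on a Friday afternoon.
    kind, due = classify_csirt_mail(
        "[CSIRT Alert] Compromised host on institutional VLAN",
        datetime(2023, 2, 10, 15, 0), SAMPLE_HOLIDAYS)
    print(kind, "acknowledge by", due)  # rolls over the weekend to Monday
    print("CSIRT ack due", csirt_ack_deadline(datetime(2023, 4, 6, 16, 0),
                                              SAMPLE_HOLIDAYS))
```

Note that an auto-reply from a service-desk platform does not stop the alert clock; the deadline computed here is for a person's acknowledgement, as the process requires.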
Institutional cyber-security incident contacts
The ISC has instructed that all institutions connected to the University Data Network supply a role-based contact email address to receive security alerts and advisories from UIS CSIRT.
Additionally, all institutions must supply a cyber-security incident escalation contact, including an email address, for use when a [CSIRT Alert] is not acknowledged within the agreed time.