Applies to: Staff
Policy Holder: Administrative Information Technology
Responsible Office: Administrative Information Technology
Contact Information: Chief Information Officer
Effective Date: March 1, 2023
Last Review Date: March 1, 2023
Approved by: Vice President of Finance and Administration
1.0 Background and Purpose
The purpose of the Mitchell Hamline School of Law (MHSL) Incident Response Policy is to describe the requirements for dealing with information security incidents.
1.1 Who Needs to Know?
The Incident Response Policy applies to executive management and other individuals responsible for protecting MHSL Information Resources.
2.0 Policy
Incident Handling Team (IHT)
An Incident Handling Team (IHT) will be established, consisting of legal experts, risk managers, and other department managers who should be involved in decisions related to incident response.
- The IHT is responsible for:
  - ensuring that incident response activities are carried out in accordance with legal, contractual, and regulatory requirements.
  - internal and external communications pertaining to information security incidents.
  - ensuring that personnel are trained on how to report a potential incident.
Response Team
An Incident Response Commander will be appointed to oversee and direct MHSL incident response activities.
- The Incident Response Commander will assemble and oversee a Cyber Security Incident Response Team (CSIRT).
- The CSIRT will respond to identified cyber security incidents following the Incident Response Plan.
- The Incident Response Commander is responsible for appropriately reporting incidents to the ELT/IHT.
Incident Response Plan (IRP)
The Incident Response Commander is responsible for overseeing the creation, implementation, and maintenance of an Incident Response Plan (IRP).
- The Incident Response Plan must be tested by the CSIRT and IHT no less than annually.
Incident Reporting
Management must provide a means for all personnel to report potential incidents. Reporting methods should ensure that a potential incident is promptly escalated to the appropriate person.
- IT is responsible for monitoring event logs, vulnerability management output, and other logs for suspicious activity.
- All reported incidents must be assessed by a member of the CSIRT or IHT to determine the threat type and activate the appropriate response procedures. All members of the CSIRT or IHT must be familiar with how to assess and escalate a potential incident.
- The Incident Response Commander must report the incident to the Executive Leadership Team (ELT).
- The Executive Leadership Team must report any potential breaches and/or incidents involving customer data to the Incident Handling Team (IHT) promptly.
Notification and Communication
The IHT is responsible for ensuring that notification and communication, both internally and with third parties (customers, vendors, law enforcement, etc.), take place in a timely manner and in accordance with legal, regulatory, and contractual requirements.
All information concerning an incident is considered confidential, and at no time should any information be discussed with anyone outside of MHSL without the approval of the ELT and legal counsel.
- Personnel
  - Personnel should be notified whenever an incident or incident response activities may impact their work activities.
  - Internal communications should aim to avoid panic, avoid the spread of misinformation, and notify personnel of the appropriate communication channels.
- Interaction with Law Enforcement
  - Interaction between law enforcement and emergency services personnel should be coordinated by the Incident Response Commander or a member of the IHT.
  - Legal counsel should be consulted in communications with law enforcement.
- Customers and Partners
  - All customers and partners who are affected by the incident must be notified according to applicable contract language, service level agreements (SLAs), and applicable statutes and/or regulations.
  - Communications with customers and partners must be consistent, with the same or similar message delivered to each.
- Regulatory Authorities
  - Only members of the IHT are permitted to discuss the nature and/or details of an incident with any regulatory agencies.
  - The IHT must contact regulators as required or as soon as practical.
- Public Media
  - The IHT or executive management will assign a designated spokesperson responsible for communication with the media.
  - Inquiries from media agencies must be directed to the designated spokesperson and the IHT.