The Major Security Incident Process, managed by the IT Security Office (ITSO), is used to define, trigger and mitigate responses to a major security issue using the CIRT (Cyber Incident Response Team) process. An overview of that process can be found here: https://security.vt.edu/content/dam/security_vt_edu/downloads/incident_response.pdf.
Security issues, including Major Security Incidents, are normally submitted to ITSO by reporting an incident through the ServiceNow request item found here: https://security.vt.edu/about/contact.html.
ITSO will handle most major security incidents without invoking the Major Incident Process; however, there may be some incidents for which ITSO requires the assistance of the Major Incident Manager.
Enterprise incidents: Security incidents that have a large or widespread impact. A Distributed Denial of Service (DDoS) attack that degrades network performance in a manner that disrupts University operations is an example; this would be an enterprise-wide issue affecting the entire University. Enterprise incidents may require the activation of the Cyber Incident Response Team (CIRT). CIRT team members may be drawn from many departments across the university and have knowledge of critical systems that can be leveraged to protect Virginia Tech IT assets during an enterprise incident. When multiple incidents occur simultaneously, the most serious or highest potential impact incidents should be handled first. The incident classification is performed by the Incident Response Manager (IRM) using the VT CIRT Incident Response Classification Matrix.
Local events: Local events represent a risk to Virginia Tech systems, networks, and data but are confined to a single departmental system or a small number of them. An example of a local event would be malware discovered on a departmental desktop or server. Local events may even lead to data breaches if unencrypted sensitive data is stored on the compromised systems. Most cyber threats are identified, contained, and eradicated through coordinated efforts between the ITSO and affected departments. Local events are the most common type of attack observed at Virginia Tech.
Major changes to the process are documented here.
| Date | Author(s) | Description of Change |
| --- | --- | --- |
| 9/13/2022 | Joyce Landreth | Added clarification about CIRT team notification. |
| 10/12/2023 | Joyce Landreth | Added clarification about proposing and immediately promoting a Major Security Incident. |