Major Security Incident Process

The Major Security Incident Process, managed by the IT Security Office (ITSO), is used to define, trigger and mitigate responses to a major security issue using the CIRT (Cyber Incident Response Team) process.  An overview of that process can be found here:

Normally security issues, including Major Security Incidents, are submitted to ITSO using the ServiceNow request item found here: and reporting an incident.  

ITSO will handle most major security incidents without invoking the Major Incident Process; however, there may be some incidents for which they require the Major Incident Manager's assistance.

  1. Only ITSO can propose a Major Security Incident.
  2. ITSO will propose a Major Security Incident for immediate promotion by the Major Incident Manager.
  3. Once ITSO has proposed a Major Security Incident as a Major Incident, the Major Incident Manager will take the following steps:
    1. Follow the steps outlined in the Major Incident Process with the following exceptions:
      1. Utilize only communication templates to Service Owners and VPIT / Senior Leadership (communication will not be sent to Techsupport or IT Council)
      2. No posting to IT Status will be made
      3. The Major Incident Manager will work directly with ITSO to determine if and when additional communications are needed
      4. ITSO will make the determination if the CIRT team will be notified and contact them as appropriate.
Additional Definitions:  

Enterprise incident: Security incidents that have a large or widespread impact. A Distributed Denial of Service attack (DDoS) that degrades network performance in a manner that disrupts University operations is an example. This would be an enterprise-wide issue that would affect the entire University. Enterprise issues may require the activation of the Cyber Incident Response Team (CIRT). CIRT team members may be drawn from many departments across the university and have knowledge of critical systems that can be leveraged to protect Virginia Tech IT assets during an enterprise incident. When multiple incidents occur simultaneously, the most serious or highest potential impact incidents should be handled first. The incident classification is performed by the Incident Response Manager (IRM) using the VT CIRT Incident Response Classification Matrix.  

Local events: local events represent a risk to Virginia Tech systems, networks, and data but are confined to a single or small number of departmental systems. An example of a local issue would be malware discovered on a departmental desktop or server. Local issues may even lead to data breaches if unencrypted sensitive data is stored on the compromised systems. Most cyber threats are identified, contained, and eradicated through coordinated efforts between the ITSO and affected departments. Local events are the most common type of attack observed at Virginia Tech.

Process change history

Major changes to the process are documented here.

Date        Author(s)        Description of Change
9/13/2022   Joyce Landreth   Added clarification about CIRT team notification.
10/12/2023  Joyce Landreth   Added clarification about proposing and immediately promoting a Major Security Incident.