UM Incident Response Standard

Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Governance and Risk Management

IN PLAIN LANGUAGE

When something goes wrong with University systems or data — whether it's a suspected breach, unauthorized access, or a policy violation — everyone has a responsibility to report it promptly. This standard defines how the University prepares for, detects, responds to, and recovers from security incidents. The Information Security Office leads incident response and coordinates with IT, Legal, and Communications as needed. Incident response capabilities are tested at least annually, and lessons learned are used to continuously improve. The faster an incident is reported, the better the University's ability to contain and minimize its impact.


1. Purpose

This Incident Response Standard defines the operational requirements for identifying, reporting, responding to, and recovering from information security incidents at the University of Montana. It supports the University's ability to protect the confidentiality, integrity, and availability of University Data and Information Technology Resources.

This Standard implements the incident response requirements established by the UM Information Security Policy and aligns with the NIST Cybersecurity Framework (CSF) Respond and Recover functions.


2. Scope

This Standard applies to:

  • All University of Montana departments and campuses
  • All users of University Information Technology Resources
  • All information systems and services owned, operated, or managed by the University or on its behalf

This Standard applies to digital University Data and information systems. Non-digital records are governed by records management, privacy, and other applicable University policies.


3. Definitions

Event — An observable occurrence within an information system or network.

Incident — An event that actually or potentially compromises the confidentiality, integrity, or availability of information or systems, or violates University policy.

Definitions are consistent with NIST guidance and University information security standards.


4. Standard

4.1 Incident Reporting

All members of the University community must promptly report suspected or confirmed information security incidents through established reporting channels. Timely reporting is critical to effective containment and mitigation.

4.2 Incident Response Capability

The University must maintain an incident response capability that includes:

  • Preparation and readiness activities
  • Detection and analysis of security events
  • Containment, eradication, and recovery actions
  • Post-incident review and continuous improvement

Incident response activities must be coordinated by the UM Information Security Office in collaboration with Information Technology organizations, Legal Counsel, Communications, Privacy, and other stakeholders as appropriate.

4.3 Training and Testing

  • Personnel with incident response responsibilities must receive role-appropriate training upon assignment and at least annually thereafter
  • Incident response capabilities must be tested at least annually
  • Lessons learned from training, testing, and real incidents must be incorporated into improvements

4.4 Incident Response Plan

The University must maintain an Incident Response Plan that:

  • Defines reportable incidents and escalation criteria
  • Establishes roles, responsibilities, and coordination mechanisms
  • Integrates with business continuity and disaster recovery planning
  • Is reviewed and updated at least annually or following significant incidents or organizational changes

4.5 Monitoring and Coordination

The University must employ technical and procedural mechanisms to support incident detection, tracking, and coordination. Incident response activities must align with security monitoring, logging, and vulnerability management standards.


5. Compliance and Enforcement

Failure to comply with this Standard may result in disciplinary action, loss of access, contractual remedies, or legal action, consistent with University policy.


6. Review and Maintenance

This Standard must be reviewed at least annually by the UM Information Security Office and updated as necessary to address changes in risk, technology, or regulatory requirements.


7. References

  • UM Information Security Policy
  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-61, Computer Security Incident Handling Guide

Details

Article ID: 171034
Created: Thu 3/19/26 6:28 PM
Modified: Thu 4/9/26 11:35 AM