Info
Content

Incident Response Plan

Effective Date: September 17, 2025
Revised Date: October 20, 2025
Responsible Office: Information Technology Services (ITS)
Contact: ITS Security Panel – security@AState.edu | ITS Help Desk – (870) 972-3033

1. Purpose

The purpose of this plan is to establish a structured Incident Response Plan (IRP) framework for identifying, responding to, and recovering from information security incidents at Arkansas State University. The plan ensures timely response, minimizes disruption to university operations, protects institutional data and assets, and supports compliance with applicable laws and regulations.

2. Scope

This IRP applies to all Information Technology Services (ITS) staff at Arkansas State University, including Security, Networking, Systems, Infrastructure, Hardware Services, Help Desk, and Card Center units. These groups are directly responsible for executing incident response actions as outlined in this plan.

The plan also extends to university leadership and supporting functions – including the CIO, CISO, Executive Leadership (Chancellor’s Cabinet), General Counsel, University Communications, and Risk Management – roles are defined in Section 5. Where applicable, University Police Department (UPD) and Federal Bureau of Investigation (FBI – Jonesboro Cyber Task Force) will be involved.

Third-party vendors and service providers with access to university systems or data are expected to cooperate fully with ITS, in incident investigation, containment, and remediation activities, and may be required to meet contractual or regulatory obligations (e.g., breach notifications, forensic reporting).

3. General Principles

ITS has the following general principles related to this IRP:

  • Incidents must be reported immediately (“If in doubt, report it”).
  • Containment and evidence preservation precede recovery actions.
  • All responses must follow chain-of-command authority as outlined in the Roles & Responsibilities section.
  • Documentation and lessons learned are mandatory for every incident.
  • Compliance with applicable laws (FERPA, HIPAA, GLBA, PCI, state/federal breach laws) is required.

4. Incident Response Plan (IRP) Procedures

The following steps are designed to ensure incidents are identified, assessed, contained, eradicated, and resolved in a timely and coordinated manner, while preserving evidence, maintaining compliance with regulatory requirements, and minimizing disruption to university operations.

  1. Report the incident immediately.

    The person who discovers the incident will notify the ITS Security Panel (see Appendix A for contacts), email security@astate.edu, contact the ITS front desk at 870-972-3033, or after normal business hours call 870-253-8184. If in doubt, report it.

  2. Initial notification & logging (by first panel member reached).

    Notify the ITS Security Panel and appropriate staff using WebEx/Teams/phone; use email only as backup (email may be part of the compromise). Log initial details on the IT Security Incident Report (Appendix B).

  3. Initial assessment (by Security Panel).

    Meet or confer via phone, Microsoft Teams, or WebEx to evaluate status and immediate needs addressing the following questions to gain further insight into the incident:

    • Is the incident still in progress? If yes, take immediate containment action to disconnect or isolate the incident.
    • What data/property is threatened/compromised, and how critical is it?
    • What is/was the impact if the attack succeeds or has succeeded (minimal, serious, or critical)?
    • What system(s) are targeted, and where are they located (physical/network)?
    • Are regulated/sensitive data involved (e.g. FERPA, HIPAA, GLBA, PCI, sponsored research)?
    • Are third-party vendors/cloud systems impacted? (open vendor ticket/escalation if so)

  4. Categorize the incident (highest applicable level).
    The incident will be categorized into the highest applicable level of one of the following categories:

    • Category one (Data Breach/Confidentiality Compromise)
      Unauthorized access, disclosure, or exfiltration of sensitive or regulated information (FERPA, HIPAA, GLBA, PCI, PII, research data).

      Examples:
      • Ransomware
      • Database intrusion
      • Stolen credentials used to access Banner
      • Exposure of SSNs in files

    • Category two (System Integrity Compromise)
      Malicious activity that undermines the trustworthiness or normal function of university systems.

      Examples:
      • Localized ransomware detected and contained before propagation or data exposure.
      • Malware infection
      • Website defacement
      • Rootkit installation

    • Category three (Service Availability Disruption)
      Denial or degradation of critical IT services.

      Examples:
      • DDoS attack on campus internet
      • LMS/email outage
      • Server crash from attack

    • Category four (Policy/Compliance Violation or Suspicious Activity)
      Incidents that do not rise to the level of breach/system compromise, but indicate misuse, non-compliance, or attempted attack requiring investigation.

      Examples:
      • Phishing attempts
      • Repeated failed logins
      • Unauthorized software installation
      • Use of unapproved cloud storage

        Routine Category Four events (e.g., single compromised accounts, isolated phishing attempts, or minor compliance violations) do not require a full invocation of the Incident Response Plan (IRP).

        These events should still be:
      • Documented via an Incident Response Form.
      • Reported to the Security Panel for awareness, tracking, and trend analysis.

        Escalation criteria: If the incident escalates in scale, impact, or regulatory risk the incident should be re-classified into the highest applicable category (Category 1 - 3) and the full IRP should be triggered.

  5. Legal & compliance notifications.
    If PII or regulated data may be involved, notify University Legal Counsel for statutory notification guidance. The CIO (or CIO’s designee) will coordinate with Legal and University Communications for mandatory notices (state legislative audit/federal law; FERPA, HIPAA, PCI; GDPR if applicable).

  6. Law Enforcement & External notifications.

    The Incident Response Lead, in consultation with the CIO and Legal Counsel, must determine whether an incident meets the criteria for mandatory law-enforcement notification.

    Notify law enforcement (UPD and FBI) within 60 minutes when any of the following apply:

    • Confirmed or suspected criminal activity (unauthorized intrusion, data exfiltration, extortion, or ransomware).
    • Significant sensitive or regulated data exposure (FERPA, HIPAA, GLBA, PCI, CJIS, PII).
    • Evidence of credential theft or account takeover at scale.
    • Significant financial loss or fraud (e.g., business email compromise).
    • Threats to life/safety or potential national-security implications.

    Contact order (phone preferred; do not use email):

    • University Police Department (UPD): 870-972-2093 – establish a campus case number, coordinate chain-of-custody, and initiate contact with local/federal agencies.
    • FBI – Jonesboro Resident Agency (Cyber Task Force): 870-932-0700 — engage for coordination on active intrusion, ransomware, or data-theft cases.
    • Jonesboro Police Department (as directed by UPD): 870-935-5551.

    All notifications must be documented in Appendix B, Section 6 (Notification & Communications).

  7. Containment & Evidence Preservation (Before Changes).

    Based on the assessment, follow the appropriate procedure/runbook (see Incident Response Procedures/Contact List). Prioritize isolation/containment to limit spread.

    • Preserve evidence (volatile and at-rest) and maintain chain of custody with UPD if needed.
    • Capture memory/volatile data where feasible before shutdown/rebuild.
    • Do not alter systems beyond what is required for containment without forensics and executive leadership approval.
    • When law enforcement involvement is triggered; the CISO/Incident Lead must coordinate with UPD to establish an evidence chain-of-custody. All evidence transfers to UPD or FBI must be logged (see Appendix B, §5), sealed, and hashed for integrity verification.

  8. Forensics and Root Cause

    Authorized team members will use forensic techniques (log review, sensor/IDS data, imaging, interviews) to determine cause, scope, dwell time, and affected assets. Log all forensics activity; preserve evidence per chain-of-custody requirements. Recommend specific preventive changes. Approved third-party vendors may be utilized to support forensic analysis.

  9. Eradication & Recovery (Authorization Required)
    With CIO (or CIO’s designee) approval, proceed to eradication and recovery:
    • Rebuild/re-image affected systems and restore data from clean backups as necessary.
    • Require password resets where credential compromise is possible.
    • Harden systems (remove/disable unused services).
    • Apply current patches/updates.
    • Ensure real-time malware protection/EDR and network IDS are active.
    • Verify logging is enabled at appropriate levels and forwarding to central SIEM.
    • Validate clean state (scans, EDR health, integrity checks) before returning to full service.

  10. Documentation
    The following shall be documented and filed with the CIO (or CIO’s designee) (see Incident Identification form):
    • How the incident was discovered.
    • The category of the incident.
    • Initial attack vector (e.g., email, web, RDP, vendor) - How the incident occurred, whether through email, firewall, etc.
    • Origin indicators (IPs, accounts, domains, TTPs, IOCs) - Where the attack came from, such as IP addresses and other related information about the attacker.
    • Response actions taken and by whom.
    • Effectiveness of actions and residual risk.

  11. Evidence Retention
    Copies of logs, emails, images, and other records will be retained as evidence for as long as necessary to complete investigation and any legal proceedings, including appeals, per Arkansas State University’s records retention policy and legal guidance.

  12. Impact & Cost Assessment
    Assess organizational impact and estimate direct and indirect costs (containment, recovery, vendor services, lost productivity, reputational impact, student/faculty disruption).

  13. Lessons Learned & Procedure Updates
    Within 30 days of incident closure, conduct a formal post-incident review. Update procedures, controls, and training. Track and assign actions to owners with due dates.

  14. Communications & Follow-Up Plan
    Determine required announcements, audiences (executives, IT staff, campus community), frequency, timeline, and responsible owner. Use approved communications templates as provided by Chief Communications Officer and retain copies in the incident record.

  15. Closure
    Review the Incident Post-Review Checklist (Section 6) and file with the CIO (or CIO’s designee). Ensure all assigned remediation items are tracked to completion.

5. Roles, Responsibility, and Authority

Effective incident response requires clear roles, responsibilities, and decision-making authority. This section defines the responsibilities and authority of the CIO, CISO/Incident Response Lead, the ITS Security Panel, Executive Leadership, Legal Counsel, University Communications, Risk Management (and UPD/FBI where applicable) to ensure coordinated and efficient response to IT security incidents.

5.1 Chief Information Officer (CIO)

Responsibilities

  • Provides overall leadership for Information Technology Services and ensures alignment of incident response with institutional goals.
  • Approves and enforces the Incident Response Plan (IRP) and related policies.
  • Provides direction during major security incidents and authorizes significant actions (e.g., full system shutdown, network isolation).
  • Ensures resources (staff, budget, vendor support) are available to manage incidents effectively.

Authority

  • Final authority on IT decisions impacting critical university systems and infrastructure.
  • Can delegate operational authority to the CISO, AVC of IT Systems, Networking & IT Support or Incident Response Lead during active incidents.
  • Collaborates with Executive Leadership (Chancellor’s Cabinet) and Legal Counsel to guide strategic response efforts.
5.2 Chief Information Security Officer (CISO) / Director of IT Security / Incident Response Lead

Responsibilities

  • Serves as the incident lead during IT security incidents.
  • Directs all phases of incident response: detection, assessment, containment, eradication, recovery, and closure.
  • Coordinates with the IT Security Department, Networking, Systems, Hardware Services, and Help Desk teams to execute response actions.
  • Provides regular status updates to CIO, Executive Leadership, and Legal Counsel where applicable.
  • Ensures after-action reviews and updates to the IRP.

Authority

  • Authorized to initiate containment measures to limit damage (e.g., disconnect systems, block accounts).
  • May escalate incidents to CIO, Legal Counsel, University Communications, or law enforcement where applicable.
  • Can request vendor/third-party support for forensic investigation or remediation.
5.3 ITS Security Panel (Security, Networking, Systems, Hardware Services, Help Desk, Card Center)

Responsibilities

  • Serves as the central operational body for IT security incident response under direction of the CISO/Incident Response Lead.
  • Coordinates across Security, Networking, Systems, Hardware Services, Help Desk, and Card Center units to ensure rapid containment, eradication, and recovery.
  • Receives incident reports (via Help Desk or Security Panel e-mail – securitypanel@astate.edu) and ensures they are logged and escalated.
  • Preserves evidence, maintains chain of custody, and supports forensic analysis and investigation.
  • Provides system/network/application data as needed for root cause analysis.
  • Implements recovery actions and validates clean state before services return to full service.
  • Manages identity and access-related response measures (e.g., disabling accounts, issuing new credentials, reissuing ID cards via Card Center).
  • Recommends procedural, technical, or policy changes based on lessons learned.

Authority

  • Authorized to take immediate containment measures (e.g., disabling accounts, quarantining endpoints, blocking network traffic, card deactivation).
  • Executes recovery actions (system rebuilds, access resets, card replacements) as directed by the Incident Response Lead.
  • Cannot independently close incidents or restore systems without CISO/Incident Lead approval.
5.4 Executive Leadership (Chancellor’s Cabinet)

Responsibilities

  • Provides institutional leadership and decision-making for incidents affecting university operations.
  • Reviews and approves significant security standards or procedural changes recommended by ITS. Policies have to be approved via Board of Trustees.
  • Allocates emergency resources (funding, personnel, vendor support) as needed for incident response.

Authority

  • Holds final authority on institutional risk and operational decisions.
  • Directs university-wide communications and public relations strategies during major incidents.

Responsibilities

  • Advises on legal, regulatory, and compliance obligations (FERPA, HIPAA, GLBA, state/federal breach laws).
  • Determines requirements for breach notifications to affected individuals or regulatory bodies.
  • Provides legal risk assessments and advises on litigation or regulatory exposure.

Authority

  • Authorized to determine the legal requirements for handling breaches and notifications.
  • May coordinate with law enforcement or third-party investigators.
  • Does not override or delay containment and technical response efforts.
5.6 University Communications/Marketing

Responsibilities

  • Manages internal and external communication strategies during and after incidents.
  • Ensures timely and accurate dissemination of information to students, faculty, staff, and the public.
  • Prepares public statements in coordination with Executive Leadership and Legal Counsel.
  • Supports Help Desk with consistent messaging to impacted users where applicable.

Authority

  • Authorized to coordinate media responses and public statements.
  • Collaborates with Executive Leadership, Legal Counsel, and IT leadership to ensure accurate, compliant messaging.
5.7 Office of Risk Management

Responsibilities

  • Coordinates with ITS and Executive Leadership to assess business continuity impacts of major incidents.
  • Serves as the liaison for institutional cyber liability insurance claims, ensuring required documentation and reporting are completed.
  • Provides guidance on risk transfer, mitigation, and recovery planning for incidents with financial or operational exposure.
  • Ensures that incident response actions are aligned with the university’s overall enterprise risk management framework.

Authority

  • Authorized to initiate cyber insurance claim processes in collaboration with ITS and Legal Counsel.
  • Can require ITS and other units to provide documentation supporting claims or business continuity assessments.
  • Advises Executive Leadership on broader risk implications and recovery options.
5.8 University Police Department (UPD)

Responsibilities

  • Serve as primary law-enforcement liaison for all Category 1 or 2 incidents involving suspected criminal activity or data theft.
  • Coordinate with the FBI Cyber Task Force for federal involvement.
  • Establish official case number and maintain chain-of-custody documentation for evidence collected.
  • Secure physical and digital evidence locations as needed.

Authority

  • May restrict or seize affected university equipment for forensic purposes.
  • Authorize the transfer of evidence to federal law enforcement.
  • Collaborate with Legal Counsel, CIO, and CISO to ensure compliance with investigative requirements.
5.9 Federal Bureau of Investigation (FBI – Jonesboro Cyber Task Force)

Responsibilities

  • Advise ITS and UPD on response to significant cybercrime, ransomware, or data-theft events.
  • Provide intelligence, indicators of compromise (IOCs), and guidance on federal reporting requirements.
  • Coordinate with university Legal Counsel and UPD on secure evidence transfer.

Authority

  • Request evidence or logs as part of an active investigation.
  • Does not supersede university containment or recovery actions necessary to protect operations.

6. Incident Post-Review Checklist

Following the closure of any incident, ITS must complete a post-review process to capture lessons learned, identify improvements, and ensure preventive measures are implemented.

While ITS, specifically the Chief Information Security Officer (CISO), is ultimately responsible for formalizing any final documentation established, the post-mortem review will be initiated and coordinated by ITS in conjunction with, at a minimum, the Security Panel. Depending on the severity and impact of the incident, feedback and input from other constituent groups listed in Section 5 (Notifications & Communications) will also be incorporated as appropriate.

The following checklist should be addressed and documented for every incident:

  • Policy Gaps – Could an additional policy have prevented the incident?
  • Policy/Procedure Compliance – Was a policy or procedure not followed, enabling the incident? What steps can be taken to ensure compliance going forward?
  • Response Effectiveness – Was the incident response appropriate and timely? How could the response process be improved?
  • Communication Timeliness – Were all appropriate parties informed in a timely manner?
  • Procedure Adequacy – Did the documented incident response procedures cover the full scope of the situation?
  • Remediation Actions – Have corrective actions been implemented (e.g., patching systems, tightening configurations, password resets, updating anti-virus, refining email policies)?
  • Prevention of Recurrence – Have changes been made to prevent a similar or related incident in the future?
  • Follow-Up Plan – Has a follow-up plan or assessment been established, and are responsibilities and timelines documented?
  • Risk Management – Was Office of Risk Management notified for assessment of financial/reputational impact and insurance coverage?

7. Standards Review

This plan will be reviewed annually by the CIO, CISO, and ITS Security Panel, or sooner if significant changes occur to technology, organizational structure, or applicable regulations.

Effective Date: September 17, 2025
Next Review Date: September 17, 2026
Version: 1.6

Appendix A – Security Panel Contact List

  • Chris Boothman – 870-253-8184
  • Jennifer Harrell – 870-253-9417
  • Patrick Jeffrey – 870-680-2110
  • Jacob Weaver
  • Chase Roberson – 870-514-9553
  • Himaja Balakrishnan – 870-897-6184
  • Chris Doyle – 870-578-7838
  • Heather Boothman – 870-930-8184
  • Jake Yandell
  • Shane Johnston
  • Ken Anderson – 870-761-7059
  • Eric Barnett
  • Shivani Payyavula – 870-627-8495

Law Enforcement Contacts:
University Police Department (UPD): 870-972-2093 (24/7 Dispatch)
FBI – Jonesboro Resident Agency (Cyber Task Force): 870-932-0700
Jonesboro Police Department (via UPD): 870-935-5551

Appendix B – IT Security Incident Report

Date of Report: ____   Prepared By: ____   Incident Date: ____

1. Executive Summary

Brief overview of the incident, severity, and outcome.

2. Incident Overview & Key Timestamps

Identify severity (IRP category), affected assets/data, and critical timestamps (detection, containment, recovery).

3. Initial Indicators

Describe type, initial vector, and IOCs/IOAs.

4. Containment & Mitigation Actions

Document containment steps, approvals, and responsible parties.

5. Evidence Log & Chain of Custody

Record all collected evidence with dates, handlers, and transfers to ensure integrity and a clear chain of custody (if applicable). If UPD/FBI notified, list contact name, agency, and case number obtained.

6. Notifications & Communications

List all internal/external notifications with times and methods.

7. Root Cause Analysis

Summarize underlying vulnerabilities, process gaps, or third-party issues.

8. Timeline of Events
Date Event Description
ENTER DATE ENTER TEXT
ENTER DATE ENTER TEXT
ENTER DATE ENTER TEXT
9. Lessons Learned

Document what worked, what didn’t, and improvement areas.

10. Recommendations

List technical and procedural remediation items.

11. Review & Approval

Sign-offs by CIO/CISO and Risk Management (if applicable).

Appendix C – Responsibility Matrix

Purpose: This matrix provides a concise execution view for incident responders and approvers.

Legend: R = Responsible  •  A = Accountable  •  C = Consulted  •  I = Informed

Activity / Phase (from IRP) CIO CISO Panel Legal Comms Exec Risk Vendor UPD FBI
Maintain IRP and contacts; resource enablement A R C C C C C C I I
Incident intake and initial notification/logging I A/R R I I I I I I I
Initial assessment and status (in progress? scope?) I A/R R C I I I I I I
Incident categorization (Cat 1–4) I A/R C C I I I I I I
Legal and compliance notifications decisioning I C C A/R I I C I I I
Law-enforcement trigger decision C A/R C C I I I I C C
External notifications (who/when) I C C A/R C I I I R R
Containment actions (isolate, disable, block) I A R I I I I C C C
Evidence preservation and chain of custody I A R C I I C C A/R C
Forensics and root cause (logs, imaging) I A R C I I I C C C
Eradication and recovery authorization A A/R C I I I I C I I
Eradication and recovery execution (rebuilds, resets, hardening, patches) I A R I I I I C I I
Validate clean state and return to service A R R I I I I C I I
Documentation (Incident Identification Form, evidence retention) I A R C I I C I C C
Impact and cost assessment C A/R C C I C C C I I
Communications and follow-up plan (audiences, cadence) C R C C A/R C I I I I
Lessons learned (≤ 30 days) and procedure updates I A/R R C C C I C C C
Annual plan review (or on significant change) A R C C C C I C I I
Back to top