Incident Response Policy | St. George's University

Incident Response Policy

August 3, 2018

Purpose

The purpose of the Incident Response Policy is to mandate Incident Response activities within St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). Incident Response (IR) activities at the Enterprise must be driven by a framework to respond quickly, decisively, and appropriately to an incident.

Scope

This policy applies to any response to a security incident that originates from, is directed toward, or otherwise impacts the Enterprise.

Roles and Responsibilities

The Cyber Incident Response Team (CIRT) manages incidents pursuant to the Incident Response Plan (IR Plan). In addition to the CIRT, the Cyber Security Committee and any pertinent Subject Matter Expert(s) (SME) must be involved in IR efforts. It is the responsibility of the CIRT to detect and respond to any security incident as outlined in the IR Plan. The CIRT must include representatives from the Office of Information Technology (IT), Information Security, General Counsel, and other key stakeholders.

Policy Statement

Cybersecurity Incident Response Plan
The IR Plan must outline the processes and procedures in place to allow the Enterprise to respond to a security incident. These response procedures include triaging of events, incident escalation paths, incident containment and eradication steps, preservation of evidence, and required communications. The IR Plan must also define the members and resources of the CIRT, including responsibilities and capabilities of third-party service providers.

Incident Triage and Analysis
The Enterprise’s IR Plan must provide a method to perform triage of impacted systems. Triage processes must allow the Enterprise to identify the scope and impact of an ongoing event, from both a technical and business perspective.

Communications
If an event is identified as an incident that requires escalation, the IR Plan must define a method for rapid information sharing with all relevant stakeholders. These procedures for escalation must include the notification of all individuals who have a role in responding to the incident. The CIRT shall inform all other relevant stakeholders at the time of incident escalation, and regularly communicate response progress.

The IR Plan must take into account industry best practices and the requirements of the Enterprise’s legal and regulatory environment when defining incident severity levels and communications. The IR Plan should define severity thresholds for notifying the following external parties:

  • Governing bodies or law enforcement agencies
  • Third-party vendors or business partners
  • Other organizations involved in the Enterprise’s supply chain
  • Confirmed or potential victims of data loss

Containment, Remediation, and Recovery
Potential response strategies for incidents of varying severity and impact must be included in the IR Plan, and must include both short-term containment and mitigation strategies as well as long-term remediation strategies where reasonable. These strategies will serve as runbooks in the event of a security incident. After containment and mitigation efforts are underway, the CIRT shall provide the Cyber Security Committee with an After-Action Report containing metrics, a summary of the incident, and recommendations for long-term remediation and recovery.

Testing and Adaptation
The Enterprise must test IR capabilities regularly with incident simulations and tabletop exercises. Additionally, the testing of IR capabilities must take place upon significant organizational or environmental changes to determine continued effectiveness of the IR Plan.

The IR Plan must include processes for periodic review and the incorporation of lessons learned after an incident or formal IR testing has occurred. Updates made to the IR Plan must be approved by the Cyber Security Committee and communicated to relevant stakeholders.

Awareness and Training
The CIRT must receive formal training regularly, and whenever new technology or other significant change is introduced into the Enterprise’s environment. Incident reporting training must also be provided to all users of Enterprise information systems as part of the Enterprise’s broader security training and awareness efforts.

Related Documents