Code White: Major Disruption or Outage Incident
A major system disruption, outage or critical incident that places the University in crisis management mode.
General
In many cases these types of crisis cannot be avoided; however, the steps taken in the aftermath of the incident can significantly reduce the impact the incident has on your organisation.
Business continuity starts as soon as a disruptive event occurs. Whilst the Incident Response Group (IRG) management teams are responding to and managing the incident, the local impacted area must immediately act to:
- Understand and report all issues and emerging issues to ICT
- Assess the impact to users
- Assess the cause, if known
- Estimate the outage duration (hours)
ASK
- What immediately needs to be done? – e.g. do staff and students need to go home or go somewhere else?
- Who needs to be contacted and informed of the event? – e.g. academic staff, students, regional campuses?
- What do we do tomorrow? – e.g. what arrangements and communications are needed to tell staff and students to come in, stay home or go elsewhere, and for how long? Do we need to send out communications? Do we need to uplift capability in the call centre?
Incident Classification
What is a LEVEL 2 major system incident?
A concerning event or outage that has the potential to escalate to a crisis and affect the University’s operations, including teaching students or conducting research.
What is a LEVEL 3 critical incident?
A concerning event or outage that has the potential to have a significant adverse effect on operations or reputation, or to impact delivery of core University services, including teaching and conducting research.
First 24 hours
The initial period following an outage or systems incident is critical to restoring security, minimising harm, obtaining and preserving evidence, and complying with contractual and legal obligations. Business continuity starts as soon as the disruptive event occurs.
Response Procedure – Impacted Area
For any major systems incident or outage event, immediately notify the ICT Service Desk on (03) 9479 1500 ext. 1500 and report:
- Issue and systems affected
- Impact to users
- Cause, if known
- Estimated outage duration (hours)
Response Procedure - ICT and IRG
- The Chief Information Officer (CIO) will notify the Incident Controller, who will activate the IRG for Level 2 or Level 3 incidents
- ICT will investigate the issue with internal resources and external vendors to determine the root cause of the outage
- ICT will develop a plan to resolve the outage and remediate the root cause to restore services; this may include implementing Disaster Recovery Plans or Business Continuity Plans, as required, to contain and stop the disruption
- Establish recovery communication channels, including University news, social media and the call centre
- Develop communications for internal, public and media audiences as required, and notify affected business areas (academics, professional staff, regions)
- ICT will document the system issues and recovery procedures
- Determine the University’s legal, contractual, insurance and other reporting obligations (including obligations to notify affected individuals, and to notify the Privacy Officer for data breaches – see Code Green)
- Consider involving specialists, law enforcement, the Information Commissioner(s) and/or regulators if required
- Conduct a post-event review of the root cause and remediation of the outage
- Develop a plan to implement the recommendations from the review report to prevent recurrence
Checklist - ICT and IRG
Do
- Activate the IRG for Level 2 and Level 3 incidents
- Establish a “privileged” reporting and communication channel
- Contain and stop any additional data loss or breach
- Conduct a severity assessment, including an assessment of the risk of serious harm (where applicable); use independent cyber security and forensic experts if required to carry out a reasonable and expeditious assessment of the circumstances
- Secure evidence and preserve audit logs
- Interview the personnel involved
- Determine the University’s legal, contractual, insurance and other reporting obligations (including obligations to notify affected individuals)
- Consider involving law enforcement, the Information Commissioner(s) and/or regulators
- Document any data breach and formalise reporting pursuant to the Breach and Incident Management Framework, if applicable
Checklist - Impacted Area
Do not
- Ignore the incident
Regulatory Requirements
The University is required by regulation to implement cyber incident and eligible data breach response plans. For example, the Payment Card Industry (PCI) Data Security Standard requires that all organisations that accept credit cards create and maintain an emergency response (and communication) plan for data breaches involving the loss of credit card data.
The Privacy Act 1988 (Cth) similarly requires the University to detect data breaches, evaluate the risk of serious harm to affected individuals, determine any additional or necessary actions required to rectify and mitigate the breach, and notify each affected individual and/or the Office of the Australian Information Commissioner of the breach. In assessing the severity of the breach, all ‘Relevant Matters’ prescribed by the Privacy Act are to be considered, including any remedial activities undertaken in containment of the breach. Certain reporting obligations also exist under the Dangerous Goods Act 1985 for accidents involving (amongst others) the leakage or escape of dangerous goods in the University’s ownership, possession or control (with limited exceptions), which may be a consequence of a major system disruption or outage incident.