7-1: Incident Response Procedure

Procedure Owner Cori Bergen, CIO
Procedure Approver(s) Cori Bergen, CIO
Storage Location
Effective Date 8/25/2023
Next Review Date 8/25/2024


The purpose of this procedure is to ensure that SFCC’s incident response capabilities, used to monitor for security incidents have a maintained quality and integrity. The incident response capabilities determine the magnitude of the threat presented by these incidents, and to respond to these incidents. Without an incident response capability, the potential exists that in the event that a security incident occurs, it will go unnoticed and the magnitude of harm associated with the incident will be significantly greater than if the incident were noted and corrected.


The Incident Response Procedure applies to all information systems and information system components of Santa Fe Community College Specifically, it includes:

  • Servers and other devices that provide centralized computing capabilities.
  • SAN, NAS, and other devices that provide centralized storage capabilities.
  • Desktops, laptops, and other devices that provide distributed computing capabilities.
  • Routers, switches, and other devices that provide network capabilities.
  • Firewalls, IDP sensors, and other devices that provide dedicated security capabilities.

Governing Laws & Regulations

Guidance Section
NIST SP 800-171 3.6.1-3.6.3
FERPA Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
GLBA Safeguards Rule


Basic Security Requirements:

  • An operational incident-handling capability will be developed and implemented for all organizational information systems that house or access SFCC controlled information. The incident response capability will include a defined plan and will address the seven stages of incident response:
    • Preparation
    • Detection
    • Analysis
    • Containment
    • Eradication
    • Recovery
    • Post-Incident Activity
  • Incidents will be tracked, documented, and reported to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirements:

  • Incident response capabilities will be tested annually.
  • To facilitate incident response operations, responsibility for incident-handling operations will be assigned to an incident response team.
  • Incident response plans will be reviewed and, where applicable, revised on a regular Review will be based on the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be distributed to key stakeholders.

Incident Response processes

The Office of Information Technology is responsible for documenting and maintaining incident response processes.  Accessible to employees. Requires the use of VPN.

Link to process:

Revision History

Version Date of Change Author Rationale
1.00   Cori Bergen, CIO