The following information will help you to use our Security Operations Management Tool.
Security Operations Records Types:
- Security Request (SR)
- Security Incident (SIR)
- Security Incident Response Task (SIT)
Other Terminology:
- A ‘caller’ is the person that has made a Security Request (SR) or that Cyber Security has added to a Security Incident (SIR) to work with directly.
- An ‘assignment group’ is the Department IT group that Cyber Security has added to a Security Incident Response Task (SIT) to request help with a task.
- The ‘assigned to’ is the Departmental IT representative that is working on a Security Incident Response Task (SIT).
Security Request (SR) Workflow:
A Security Request (SR) is visible only to the Cyber Security team and is created when a caller:
- contacts the Security Operations Center (SOC) by phone at 404.385.CYBR (2927)
- sends an email to soc@gatech.edu
- enters a request via the Security Incident Catalog
All communication between the security analyst and the caller will take place via email or over the phone and the notes will be recorded within a single Security Request (SR) record.
If the security analyst decides that a security incident has occurred, they will convert the Security Request (SR) record to a Security Incident (SIR) record and the Security Request (SR) record will be closed.
Security Incident (SIR) Workflow:
A Security Incident (SIR) record is visible only to the Cyber Security team and is created when:
- an analyst converts a Security Request (SR) to a Security Incident (SIR)
- an analyst learns of a security incident directly
- a security alert triggers in our Security Information and Event Management (SIEM)
If the security incident affects a single user and Cyber Security needs to work with them directly, we will add them to the Security Incident (SIR) record as a caller to communicate with them via email or phone.
If the security incident affects more than one user and Cyber Security needs to work with them directly, we will create multiple Security Incident (SIR) records and add each user as a caller to communicate with them via email or phone.
If Cyber Security needs a Department IT representative to help investigate or respond to a security incident, we will create and assign a Security Incident Response Task (SIT).
Security Incident Response Task (SIT) Workflow:
A Security Incident Response Task (SIT) record is visible to assignees, assignment groups, and to the Cyber Security team. It is linked to a Security Incident (SIR) record, but that record is only available to the Cyber Security team.
Cyber Security will create a Security Incident Response Task (SIT) when help from a Department IT representative is needed. We use these assignment procedures:
- we set the ‘assignment group’ on all SITs to make initial contact
- we will set the ‘assigned to’ on a SIT if we are already in contact with an IT representative who is working on the task
- we will also set the ‘assigned to’ on a SIT to escalate to the manager of the group if necessary.
Department IT will receive a notification to the group email address that we have on file when a Security Incident Response Task (SIT) record is created. It will contain a link to the Security Incident Response Task (SIT) record, but will not contain any of the details. The group email address and the assignee will both receive an email notification when a Security Incident Response Task (SIT) record is updated.
Please log in to the Security Operations Management Tool and look at the ‘Security Contacts Report’ in the pulldown on the home screen to ensure that your department is represented correctly.
Department IT representatives should monitor their group’s email address for notifications and set an assignee to work with Cyber Security as quickly as possible. All communication between Cyber Security and the Department IT representative should occur on the phone or within the Security Incident Response Task (SIT) record. Please DO NOT send email, Teams messages, etc. out of band.