Information Security Incident Response Plan


Purpose

It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations, the division of information services is responsible for a coordinated response to a breach or potential compromise of systems or data. This incident response plan supplements the Administrative Policy on Electronic Information Security (3342-9-01.4) and provides guidance for identification, containment, notification, verification, communication, investigation, and remediation of such incidents.

Responsibility

Any university employee or any other person or entity who believes a breach or potential compromise (electronic or physical) of any type or form of system or data has occurred is required to adhere to the steps outlined in this plan.

Resilience

It is imperative that, prior to an incident occurring, adequate protections are put in place to ensure the continuity of business operations before, during, and following the detection of a security incident. The Division of Information Technology has taken steps to perform ongoing monitoring and detection of university information technology systems and has developed the following procedures in an effort to minimize the impacts when security events occur. Upon verification of a security incident, steps are taken to neutralize the incident; in many cases this will result in processing delays or system outages, but these effects are minimized through the coordinated response efforts. In the event of a significant incident (as determined by the incident response team), it may become necessary to enact a full recovery by initiating the disaster recovery process.

Identification

Identification of a breach or potential compromise of data is the first step in an incident response. Identification can occur by, but is not limited to, the following:
(1) Report from a third party (such as a law enforcement agency),
(2) Anonymous complaint of unauthorized use or misuse of data,
(3) Alerts from security monitoring systems including, but not limited to, intrusion detection, intrusion prevention, firewalls, file integrity monitoring systems, and network infrastructure devices that detect rogue wireless access (wireless access points physically connected to the network that are used to intentionally subvert University policy and/or security controls),
(4) Routine monitoring (examination of activity and/or access logs),
(5) Vulnerability scans, or
(6) Suspicious circumstances beyond normal processes.

DRAFT - Version 1.1, Revised: 10/25/18

Containment

Containment is the next critical step to limit exposure, preserve potential evidence, and prepare for an investigation of the incident. Containment steps include:
(1) If an electronic device:
    (a) Do not access or alter the compromised device,
    (b) Do not power off the device,
    (c) Do terminate its network connection (unplug the network connection from the device or disable the wireless adapter),
    (d) Isolate the device from access by others,
    (e) Document how the event was detected and the device's state at that time, and
    (f) Document steps taken to contain and isolate the device.
(2) If data is believed to have been compromised by loss of physical property, follow the steps outlined in the section for Internal Notification.

Initial Notification

In the event of a breach or potential compromise of data, notification of the appropriate KSU personnel will ensure a coordinated and unified response in determining the scope of the breach, business continuity, internal and external communications, and remediation. Notification must be made to the office of security and access management at 330-672-5566 during normal business hours. Do not leave a voicemail message if the call goes unanswered. If the call is not answered or it is being made outside of normal business hours, contact the division of information services data center at 330-672-2552. An email notification should also be sent to securityescalation@kent.edu.
(1) If the data breach involves loss of physical property (theft of physical media or a device containing credit card data), report this to the law enforcement agency having jurisdiction where the loss occurred.
(2) Cross-reference each notification. Provide law enforcement with the contact information used for internal university notification. Include the law enforcement department and report number in the notification to the university.

Response Team

The recipient(s) of notification of a breach or potential compromise of data should immediately contact the manager of security and access management, who will contact the members of the Response Team to begin the requisite response activities. The Response Team will be comprised of representation from the office of security and access management, the division of information services, general counsel, and the compliance and risk management department. The department of public safety/police services will be a member of the Response Team if the breach or potential compromise of data occurs on any Kent State University owned or leased property, or until such jurisdiction is determined. In the absence of the manager of security and access management, responsibility for contacting the Response Team will fall to the members of the team in the order listed. The Response Team will convene immediately to initiate a response and will involve others in the university community as circumstances warrant.

Verification

(1) The division of information services will lead preliminary efforts in verifying that a breach occurred. If and upon the discovery of evidence indicating a criminal offense was committed, the department of public safety/police services will be notified. Police services may collaborate with other federal, state, and local law enforcement agencies as appropriate. A criminal investigation may be conducted in parallel with, supersede, or require authorization for any further action taken by the university.
(2) The theft of physical media or a device containing sensitive university data will be reported to the appropriate law enforcement agency. A criminal investigation will be at the discretion of said agency. The division of information services will be responsible for attempts to determine the type and scope of data potentially compromised. Additionally, the division of information services, in conjunction with the person having control over the device, will determine the availability of remote access to the device.

Internal Notification

Communication strategies begin upon the verification of a data breach or compromise. Once a potential breach has been reported and verified per the Internal Notification and Verification procedures, the Information Services Leadership Team will facilitate communications to other university areas. The following institutional members will ALL be informed of the breach or compromise of data and will be provided with periodic updates of significant findings from the Information Services Leadership Team during the investigation and remediation processes:
- Vice President for Information Services,
- Senior Vice President for Finance and Administration (the SVP for Finance and Administration will notify the President, and the President's office will determine if notification of Trustees is warranted based on the circumstances),
- Vice President or executive responsible for the functional area of the breach,
- General Counsel,
- Director of Public Safety/Police Services,
- Senior Vice President for Strategic Communications and External Affairs,
- Insurance company providing cyber liability coverage,
- Respective Data Steward(s) based on affected systems or data,
- Respective reporting agencies as required by law or contractual obligation.

Investigation

The investigation will be the responsibility of the division of information services, the appropriate law enforcement agency, or a combination of both. The investigation will include, but is not limited to, the following:
(1) Interview of the person or entity learning of or discovering the breach or compromise of data.
(2) Collect and preserve evidence:
    (a) Photograph or video record the scene as is,
    (b) Collect affected hardware,
    (c) Acquire activity and/or access logs and network logs for the device,
    (d) Acquire recent history of users of the device,
    (e) Retain documentation of any associated alerts from security monitoring systems,
    (f) Obtain video surveillance history and key swipe logs of the area accessed without authorization, and
    (g) Maintain chain of custody records for evidence collected.
(3) Minimize scope:
    - Determine if the breach or compromise is likely to be duplicated,
    - Determine if the breach or compromise is beyond a single device,
    - Cease operation of certain hardware or physical areas where there is a reasonable belief the breach or compromise could be repeated, and
    - Provide alternatives to the affected area to maintain business operations.
(4) Forensics: Forensics should support the overall investigation in determining the origination of the breach or compromise, the devices and/or systems affected, the data compromised, and the possibility of re-occurrence. A forensic consultant may be contracted at the discretion of the division of information services and the division of business and finance, in the absence of or in conjunction with a criminal forensic process. The need for a forensic consultant will be determined based on the type and scope of the breach or compromise, or may be contractually required by one or more of the involved reporting agencies.

Recovery / External Notification / Remediation

The information gathered during the investigation will allow for assessment of functional impact, informational impact, and remediation.
(1) The division of information services and the division of finance and administration will be jointly responsible for the following:
    (a) Formal documentation of the event.
    (b) Notifying the cyber liability insurance carrier and coordinating the services provided under the policy with internal stakeholders.
    (c) In consultation with the office of general counsel, notification and delivery of documentation to the relevant reporting agencies as appropriate based on the nature and magnitude of the breach.
    (d) In consultation with the division of university relations, preparing notification in the form deemed most appropriate and expedient to be sent to affected individuals.
    (e) If deemed appropriate by legal statute or otherwise decided, preparing to offer free credit report resources to affected users.
    (f) Determining if a call center, website, or email service should be offered to affected individuals.
    (g) Coordinating regular update meetings during the investigative process and a debriefing meeting approximately two to four weeks post event.
(2) The division of information services will be responsible for the following:
    - Remediate any compromise to network or device security.
    - Document the scope of compromised data, including names and contact information of affected individuals.
    - Back up and provide any necessary network, log, scan, and device data to any investigative body within the legal requirements.
    - Aid in providing resources necessary for the university to coordinate communication to all entities listed within this plan (for example: website, call center, email development and support).
(3) The division of university relations will assume responsibility for disseminating information to the media in consultation with the division of finance and administration and the division of information services.
(4) The division of information services, with guidance from the office of general counsel, will assume responsibility for the review of and compliance with applicable state (Ohio Revised Code 1347.12) and federal statutes related to data breaches.
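The "collect and preserve evidence" step of the Investigation section calls for acquiring logs and device data and maintaining chain of custody records for everything collected. The Python ledger below is an added example and is not part of the university's plan or its tooling: it hashes each evidence file at intake, records every hand-off in an append-only custody list, refuses a transfer from anyone who does not currently hold the item, and re-verifies the hash later so that any alteration after collection is detected before the item reaches an investigative body. Item ids, handler names and the sample log line are constructed for illustration.

```python
"""Evidence intake and chain-of-custody ledger (added example, not the plan's own tooling)."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large log bundles or disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _now(ts: Optional[str]) -> str:
    """Use a caller-supplied timestamp (for reproducible tests) or the current UTC time."""
    return ts or datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceItem:
    item_id: str          # constructed label such as "E-001"
    description: str
    path: str
    sha256: str           # hash taken at intake; never updated afterwards
    custody: list = field(default_factory=list)  # append-only log of handlers


class CustodyLedger:
    """Tracks who has held each item and whether its content is unchanged since intake."""

    def __init__(self) -> None:
        self.items = {}

    def intake(self, item_id: str, description: str, path: str,
               collected_by: str, ts: Optional[str] = None) -> EvidenceItem:
        item = EvidenceItem(item_id, description, path, sha256_file(path))
        item.custody.append({"time": _now(ts), "action": "collected",
                             "from": None, "to": collected_by})
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, from_person: str, to_person: str,
                 reason: str, ts: Optional[str] = None) -> None:
        """Record a hand-off; only the current holder may hand an item on."""
        item = self.items[item_id]
        last_holder = item.custody[-1]["to"]
        if last_holder != from_person:
            raise ValueError(f"{from_person} does not hold {item_id}; {last_holder} does")
        item.custody.append({"time": _now(ts), "action": "transferred",
                             "from": from_person, "to": to_person, "reason": reason})

    def verify(self, item_id: str) -> bool:
        """True only if the file still matches the hash recorded at intake."""
        item = self.items[item_id]
        return sha256_file(item.path) == item.sha256

    def export(self) -> str:
        """Serialise the ledger for the formal documentation of the event."""
        return json.dumps({k: asdict(v) for k, v in self.items.items()}, indent=2)


def demo() -> dict:
    """Constructed walk-through: intake, hand-off, integrity check, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "auth.log")
        with open(log_path, "w") as fh:  # constructed sample log line, not real data
            fh.write("Oct 25 08:14:02 host sshd[4123]: Failed password for root\n")
        ledger = CustodyLedger()
        ledger.intake("E-001", "auth.log from affected host", log_path, "analyst_a")
        ledger.transfer("E-001", "analyst_a", "police_evidence", "criminal referral")
        ok_before = ledger.verify("E-001")
        with open(log_path, "a") as fh:  # simulate alteration after collection
            fh.write("tampered line\n")
        ok_after = ledger.verify("E-001")
        try:  # analyst_a no longer holds the item, so this hand-off must be refused
            ledger.transfer("E-001", "analyst_a", "analyst_b", "second review")
            rejected = False
        except ValueError:
            rejected = True
        return {"verified_before": ok_before, "verified_after_tamper": ok_after,
                "custody_entries": len(ledger.items["E-001"].custody),
                "bad_transfer_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcome of the constructed walk-through: the item verifies before the simulated alteration, fails verification afterwards, carries two custody entries (collection and one transfer), and the out-of-order hand-off is rejected. In practice the intake hash and the exported JSON would be stored separately from the evidence itself so that a later alteration cannot also rewrite the record.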

Incident Response Plan Distribution and Review

(1) The Incident Response Plan will be available on the office of security and access management website (https://www.kent.edu/is/policies-andprocedures).
(2) Incident Response Plan training will occur annually or during employment orientation.
(3) A mock event will be held annually to test the Incident Response Plan.
(4) As part of the mock event, event controllers will be present not only to observe the plan in action, but also to assess the content, structure, and usability of the plan.
(5) The division of information services will maintain current information on Information Security standards and policies as well as current contact information for the reporting agencies.
(6) Training assessment, mock event evaluation, lessons learned from actual incidents, and security standards organizations as well as federal and state law will be used to appropriately modify existing controls and the Incident Response Plan as needed, at a minimum annually.

Review and Revision History

Original document: 7/11/2018
Revision 1, citing policy and resilience: 10/25/2018