Major Information Security Incident POLICY TITLE:

Similar documents
Data Privacy Breach Policy and Procedure

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Cyber Security Program

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Information Security Incident

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

The University of British Columbia Board of Governors

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Lessons Learned: A Real Life Data Breach. Jigar Kadakia Partners HealthCare

01.0 Policy Responsibilities and Oversight

Information Security Incident Response Plan

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Information Security Incident Response Plan

Standard for Security of Information Technology Resources

Credit Card Data Compromise: Incident Response Plan

Information Security Data Classification Procedure

Cybersecurity: Incident Response Short

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

NUKG Business Solutions Pvt Ltd. Information Security Incident Management Procedure (IS-IMG)

PTLGateway Data Breach Policy

LCU Privacy Breach Response Plan

Cleveland State University General Policy for University Information and Technology Resources

NIC- Computer Emergency Response Team (CERT) Information Security Incident Management Policy

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Guest Wireless Policy

Virginia Commonwealth University School of Medicine Information Security Standard

Privacy Breach Policy

REPORTING INFORMATION SECURITY INCIDENTS

POLICY 8200 NETWORK SECURITY

Information Security Incident Response and Reporting

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Judiciary Judicial Information Systems

NebraskaLink Acceptable Use Policy

Protecting Your Gear, Your Work & Cal Poly

ISSP Network Security Plan

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

INCIDENT RESPONSE POLICY AND PROCEDURE

Information Security Incident Reporting Policy

Acceptable Use Policy

Privacy & Information Security Protocol: Breach Notification & Mitigation

Ulster University Standard Cover Sheet

Data Breach Notification Policy

Name of Policy: Computer Use Policy

The University of Tennessee, Knoxville Incident Response Plan

Information Security Strategy

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

EA-ISP-009 Use of Computers Policy

INFORMATION TECHNOLOGY SECURITY POLICY

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

Subject: University Information Technology Resource Security Policy: OUTDATED

Information technology security and system integrity policy.

SDR Guide to Complete the SDR

Juniper Vendor Security Requirements

Unit Compliance to the HIPAA Security Rule

The Role of the Data Protection Officer

DETAILED POLICY STATEMENT

Data Loss Assessment and Reporting Procedure

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Managed Security Services - Endpoint Managed Security on Cloud

Acceptable Use Policy

II.C.4. Policy: Southeastern Technical College Computer Use

External Supplier Control Obligations. Cyber Security

Clyst Vale Community College Data Breach Policy

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Ex Libris Security Incident Response Policy

Cyber Incident Response Plan

UW-Madison Cybersecurity Risk Management Policy

ISO27001 Preparing your business with Snare

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Checklist: Credit Union Information Security and Privacy Policies

Adopter s Site Support Guide

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

DISASTER RECOVERY PRIMER

Security and Privacy Breach Notification

University of North Texas System Administration Identity Theft Prevention Program

IT Security Standard Operating Procedure

Recommendations for Implementing an Information Security Framework for Life Science Organizations

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

UTAH VALLEY UNIVERSITY Policies and Procedures

Security Policies and Procedures Principles and Practices

Data Compromise Notice Procedure Summary and Guide

Incident Command: The far side of the edge

Security Incident Management in Microsoft Dynamics 365

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Cyber Security Incident Report

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

Use Of Mobile Communication Devices Within Healthcare Premises Policy

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Date of Next Review: May Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act

SECURITY & PRIVACY DOCUMENTATION

PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

The Cost of Denial-of-Services Attacks

Apex Information Security Policy

HIPAA Security and Privacy Policies & Procedures

Acceptable Use Policy (AUP)

Information Governance Incident Reporting Policy

Transcription:

Major Information Security Incident POLICY TITLE: Management Policy POLICY #: CIO-ITSecurity 09.1 Initial Draft By - Position / Date: D. D. Badger - Dir. PMO /March-2010 Initial Draft reviewed by ITSC/June 12-2010 Final Draft reviewed by ITSC/Apr 26-2010 Approved By / Date: Final Draft (revised): 2011-May DDB/GB Final Draft (revised): 2017-March - SW Last Revised Date: Approved: 2017-June-SW/DW/RG Next Review Date: This Policy defines a standard University-wide process for managing major information technology security incidents, references BRIEF DESCRIPTION: related University Policies, outlines preparations in advance of incidents occurring, and specifies a coordinated and managed response and escalation process. Contents Introduction... 2 Scope... 2 Policy Statements... 3 Information Security Incidents Defined... 3 Incident Reporting and Management... 5 Responsibilities... 5 Related Policies and References... 8 Definitions... 9 Version, Change and Approval History... 10 Page 1 of 10

Introduction All University of Guelph faculty, staff, students and contractors are guided by the Acceptable Use Policy for Computing and Networking Facilities (AUP). The AUP specifies the responsibilities of individual users, system administrators, information technology (IT) service providers and management with regard to the utilization of University IT services and resources. The AUP also specifies the complaint and resolution process of alleged acceptable use violations. The AUP will generally provide acceptable guidance for minor IT-related security incidents. This Policy defines a standard University-wide process for managing major information security incidents in advance of their occurrence, and provides guidance in initiating rapid responses and appropriate escalation when a major information security incident does occur (or is suspected). This Policy charters a standby Information Security Incident Coordination Team (ISICT). The University Chief Information Officer (CIO) is the executive sponsor of the ISICT. The Information Security Incident Coordination Process documents when the ISICT would be activated and may involve University administration, judicial processes, Campus Community Police, and technical resources. This Policy references the University s Emergency Management Plan which details responsibility for major campus emergency situations or disruptions. This Policy references the University s policy on roles and responsibilities of groups and individuals for information technology security CIO-ITSecurity-02.1 Roles and Responsibilities. Scope This policy applies to all University of Guelph students, staff, faculty and contractors, and all information technology systems, services, data and infrastructure owned by or operated for the University. Page 2 of 10

Policy Statements 1. This Policy defines major information security incidents, a standard process for managing incidents, and specifies individual responsibilities including the protocol for incident reporting, resolution and follow-up activity. 2. This Policy establishes a stand-by Information Security Incident Coordination Team (ISICT) which will be invoked as required by the CIO (or designate). 3. ISICT will manage and support major incident response activities, including remediation, escalation and closure. 4. ISICT will assign technical resources as required to conduct immediate investigation of the sources or causes of major incidents. 5. When criminal activity is alleged or suspected, Campus Community Police Services must be engaged. 6. When unauthorized disclosure of sensitive/confidential data or personal information (as per Freedom of Information and Protection of Privacy (FIPPA) legislation) is alleged or suspected, the University Secretariat must be engaged. 7. This Policy authorizes assigned resources to take necessary measures to prevent the spread of any malware, and lock compromised computing accounts. Information Security Incidents Defined As of January 2016, Information Security classifies security incidents into three categories: Severity Minor Incident Description Minor security incidents involve a reported security issue that may impact a single individual, a non-critical system, or a policy violation that does not have a widespread impact and is not criminal in nature. These incidents are managed by the Information Security team following standard operation procedures (SOP). Examples include, but are not limited to: AUP violations Copyright complaints Page 3 of 10

Compromised student accounts Single non-critical system malware or virus infections Spam/phishing message reports. Significant Incident A significant security incident has greater scope than a minor incident, involves multiple parties, critical systems, or teams. Typically these have a larger impact or service level disruption on University services or systems, may involve publically facing systems, or affect an external organization. These incidents are managed by the Information Security team, and may require the assistance from technical support teams from other groups on campus. Examples include, but are not limited to: Localized denial of service attacks Compromised administrator credentials Targeted or high volume spam/phishing Malware affecting several systems Malware affecting sensitive/critical systems. Major Incident Major information security incidents include, but are not limited to: Denial-of-service attacks on enterprise application systems or IT infrastructure Theft or misuse of data Data breaches Criminal acts or violations of privacy legislation. A significant service level disruption to the University networking infrastructure or any major application system may be escalated to a major incident if the suspected root cause is security related. Any unauthorized intrusion that impacts the availability or integrity of critical IT services such as email, telephone, administrative systems, Internet access, or that affects large numbers of users will be considered a major security incident. Major security incidents also include enterprise application systems and/or databases that have been compromised by malware, by unauthorized use of administrative accounts, unauthorized disclosure of personal or sensitive information, and either loss or corruption of data. Page 4 of 10

Incident Reporting and Management All members of the University community, including third-party contractors are required to report information security incidents (as defined within this Policy or the AUP). It is recommended that notification be provided to both the applicable Unit Manager/Chair and to the University Information Security team (ext. 58006, email: incident@uoguelph.ca). The process of incident management includes defined accountability and consistent, documented procedures. In addition to rapid response to incidents, important related actions include logging, analysis, reporting, communications, involvement of management, required notification to external parties, and debriefing. All information security incidents will be categorized and tracked in the centrally managed ticketing system, and reports will be generated on a monthly basis by the Information Security team. These reports will be made available to the CIO and other parties approved by the CIO as necessary. Responsibilities All Members of the University Community including faculty, staff, students and contractors are responsible for the following: 1. Report any unusual or suspected improper computer activity (i.e. violations of the AUP) to their applicable supervisor, and the University Information Security team (ext. 58006, email: incident@uoguelph.ca). Designated system support technicians and network administrators are responsible for the following: 1. Report any unusual or suspected improper computer activity, security incident or alleged AUP violation to their applicable Unit Head/Department Chair and the University Information Security team. Suspected criminal activity (e.g. child pornography), or theft of IT assets should be reported directly to University of Guelph Community Police Services. 2. Avoid making any modifications to systems/equipment involved (or suspected of involvement) in the security incident until receiving instruction from the University Information Security team. Disconnection from the network is the recommended action, however the system should not be Page 5 of 10

powered off or rebooted unless instructed to do so by the Information Security team. Department Chairs/Managers/Unit Heads are responsible for the following: 1. Ensure any unusual or suspected improper computer activity, security incident or alleged AUP violation is reported to the University Information Security team and their applicable Dean/Director. 2. Ensure any suspected criminal activity (e.g. child pornography), or theft of IT assets is reported to University of Guelph Community Police Services. The Information Security Team is responsible for the following: 1. Record/log and document all reports of major IT incidents. 2. Verify the existence (and boundary extent if possible) of reported incidents. 3. Make a preliminary assessment of the incident s impact and current status (N.B. Refer to Appendix 1: ISICT). 4. Report major incidents to the Chief Information Officer (CIO). 5. Follow the established CCS major incident communications plan. 6. Establish and maintain communication with applicable Department Chairs or Managers of the affected units or systems. 7. Recommend the CIO convene the Information Security Incident Coordination Team (ISICT) when appropriate (see Appendix 1). 8. Advise University of Guelph Community Police Services when criminal activity is alleged. 9. Advise University Secretariat if a data breach involving confidential records or personal information is alleged. 10. Liaise with University of Guelph Community Police Services and external forensic consultants (if required) to gather evidence as may be required. Page 6 of 10

The Chief Information Officer (CIO) is responsible for the following: 1. Receive notice of major IT incidents from the Information Security team or other source (internal or external to the University). 2. Receive recommendations from the Information Security team to convene the Information Security Incident Coordination Team (see Appendix 1). 3. Authorize the convening of the ISICT when necessary. 4. Ensure senior management is kept apprised of the incident, including members of the Campus Control Group. 5. Coordinate communications with relevant stakeholders and the University community as necessary. Page 7 of 10

Related Policies and References 1. University of Guelph Emergency Management Plan. The Emergency Management Plan is triggered when an incident has the potential to interrupt the normal activities of the University for an extended period of time. 2. Acceptable Use Policy. All University of Guelph faculty, staff, students and contractors are guided by the AUP regarding the use of Computing and Networking Facilities. The purpose of the Acceptable Use Policy (AUP) is to identify situations where unacceptable use of systems or networks affects the teaching, learning, research, services or administrative missions of University or compromises the security of systems or data. It also outlines the complaint and resolution process used to resolve any allegations of inappropriate activity. 3. CIO-ITSecurity-02.1 Roles and Responsibilities for Information Technology Security. This Policy defines the roles and responsibilities of groups and individual members of the University community who are responsible for information technology assets and security processes. 4. University Access and Privacy Policies. Reference the University Secretariat web-pages for detailed information regarding Freedom of Information and Protection of Privacy (FIPPA) legislation, and required actions if a privacy breach occurs. 5. Information Security Incident Coordination Process. Documents when the ISICT would be activated and may involve University administration, judicial processes, Campus Community Police, and technical resources. Page 8 of 10

Definitions Data Breach: A data breach is an incident in which sensitive, protected or confidential data has been accessed, stolen or altered by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), confidential information or intellectual property. Denial of Service attacks: A denial of service (DoS) or distributed denial of service (DDoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. The most common kind of DoS attack is simply to send more traffic to a network address than it was designed to receive. Service Level Disruption: An interruption or degradation of system/service availability or performance. Classification as major would be dependent upon the duration, severity and impact of the disruption (e.g. performance degradation versus lack of availability), the criticality of the application/service, and the suspected source of the disruption (i.e. security related). Page 9 of 10

Version, Change and Approval History Approved: Final Draft w/revisions: Final Draft w/revisions: Final Draft w/revisions: Final Draft w/revisions: Final Draft Issued: Circulation Draft Changes: Initial Draft Changes: Initial Draft Changes: Initial Draft Changes: June 21, 2017 Rebecca Graham, CIO March 27, 2017 - SW May 2, 2011 - GB April 8, 2011 - DDB Feb. 1, 2011 - DDB Dec. 1, 2010 - DDB Nov. 12, 2010 - DDB June 11, 2010 - DDB May 18, 2010 - DDB April 30, 2010 - DDB Initial Draft Written: March, 2010 Authored by: D. D. Badger, CGA, CISA, CGEIT Director, IT PMO & Systems Assurance Page 10 of 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback