Information Security Incident Response and Reporting

Information Security Incident Response and Reporting
Original Implementation: July 24, 2018
Last Revision: None

This policy governs the actions required for reporting or responding to information security incidents involving Stephen F. Austin State University (SFA) information and/or information technology resources, to ensure effective and consistent reporting and handling of such events.

SCOPE

This policy applies to all who are granted access to SFA information resources, including, but not limited to, faculty, staff, students, alumni, vendors, contractors and visitors.

DEFINITIONS

Chief Information Security Officer (CISO) - Staff member responsible for providing and administering the overall information security program for the university.

Data Custodian - An SFA employee who is responsible for day-to-day maintenance of SFA Information Resources. In some instances this may be assigned to a third-party vendor.

Data Owner - The manager or agent responsible for the business function supported by the information resource, or the individual upon whom the responsibility rests for carrying out the program using the information resource.

Incident Response Team (IRT) - The group of individuals who determine if a security incident is reportable to state authorities. The members include the chief information officer (CIO), chief information security officer (CISO), general counsel, and the chief audit executive. Other individual(s) may be included as the IRT deems necessary. A team member may assign a designee to serve on the IRT.

Information Resources - The procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data, including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.

Information Security Administrator (ISA) - A staff member who, in close cooperation with the information security office, provides assistance with the implementation and administration of information security initiatives and data owner security needs.

14.14 Information Security Incident Response and Reporting Page 1 of 5

Information Security Incident - An event which results in unauthorized access, loss, disclosure, modification, disruption or destruction of information resources, whether accidental or deliberate.

Response Planning Team (RPT) - The group that plans and implements notification of affected individuals when an information security incident occurs. Members include the CIO, CISO, chief audit executive, general counsel, and other individual(s) the RPT deems necessary. A team member may assign a designee to serve on the RPT.

RESPONSIBILITIES

Data Owner

Chief Audit Executive

Executive Director, University Marketing and Communications

Chief Information Officer

Chief Information Security Officer

General Counsel

Incident Response Team - Determines when a reportable incident has occurred, and determines the individuals involved and who should be notified. Determines the course of action in response to an information security incident. A designee of the IRT will notify the appropriate division head of the information security incident.

Response Planning Team - Plans and implements notifications when an incident has occurred, including what information is provided and how the incident will be communicated. Drafts pertinent communications to affected individuals.

PROCEDURES

Information Security Incident Monitoring

The CISO will aggregate information security incident data and share it on a regular basis with SFA's executive oversight compliance committee and CIO. This data may include the number and type(s) of security incidents and other information. If criminal activity is suspected, the CISO will notify the University Police Department.

Reporting Security Incidents

Any member of the SFA community who suspects the occurrence of a security incident must report incidents through the following channels:

1. All suspected information security events must be reported directly to the CISO or information security office as quickly as possible by phone, e-mail, or in person. If the CISO or a representative of the information security office cannot be reached, the CIO must be contacted.

2. For suspected security incidents occurring in areas with departmental IT support, suspected incidents must also be reported to the departmental IT support staff or ISA.

3. Any attempt to interfere with, prevent, obstruct, retaliate for or dissuade the reporting of an information security incident, critical security concern, policy violation, or information resource vulnerability is strictly prohibited and may be cause for disciplinary action.

Information Security Incident Investigation and Identification

1. Upon notification of a potential information security incident, the CISO shall promptly assess and gather information to determine the impacted data, systems and business processes. When applicable, the data owner will be required to complete a statement describing the stored or processed data and submit it to the CISO. The CISO may also require copies of files.

2. The IRT will determine whether an actual information security incident has occurred and provide input on whether the incident warrants notification to affected individuals.

3. If a security incident is confirmed, the following individuals shall be notified: unit or department head, and dean (if in an academic area).

Information Security Incident Containment

1. In some cases, action will be necessary to limit the magnitude and scope of the information security incident.

2. Should any action be necessary which has a likelihood of having a substantial impact on business processes, the unit or department head or data owner, CIO and data custodians will be notified in advance.

3. Reasonable efforts will be made by Information Technology Services to minimize the impact.

4. In rare cases it may be necessary to take action without receiving input from individuals who manage the affected information resources.

Information Security Incident Responsive Actions

1. The affected unit is responsible for taking action to identify and either eliminate or mitigate the vulnerabilities resulting in the security incident.

2. The CISO will provide recommendations to the affected unit and coordinate any remaining efforts needed to eliminate or mitigate the vulnerabilities.

Information Security Incident Notification

1. The CISO will notify state and federal entities as required by law.

2. If a decision has been made to notify individuals affected by the information security incident, the RPT will develop and implement a data breach notification process.

3. Individuals will be notified as expediently as possible without unreasonable delay. Note that the creation and dissemination of the communications may be assigned outside of the RPT.

4. Any media inquiries regarding the information security incident are to be directed to the executive director, University Marketing and Communications.

Information Security Incident Follow-up

1. The CISO will develop a security incident report summarizing the information security incident and outlining recommended actions.

2. The security incident report will be amended to include the responsible unit head's action plan and action plan progress, and will be shared with the RPT.

COMPLIANCE

All users of SFA information technology resources are required to comply with this policy. SFA reserves the right to deny, limit, restrict, or extend privileges and access to its information technology accounts and systems.

Cross Reference: 1 Tex. Admin. Code Ch. 202; Information Security Management (14.1)

Responsible for Implementation: Vice President for University Affairs

Contact for Revision: Chief Information Security Officer

Forms: None

Board Committee Assignment: Academic and Student Affairs Committee