- The President, Chief Information Security Officer, Vice Presidents, and Deans shall:
  - Ensure the implementation of this policy by the organizations under their purview.
  - Ensure the support of investigations and remediation of information security events or incidents involving their organizations' electronic information or information systems.
- The Chief Information Security Officer shall develop, implement, and maintain an Information Security Incident Response Plan. The plan will support the Office of Ethics, Compliance and Corporate Integrity Data Breach Policy and Response Plan.
- Users shall:
  - Report to their manager or other managerial authority (within 24 hours of detection) any computer activity they believe is suspicious or outside the normal course of business, regardless of whether it was conducted by an outside person or by a member of the Rowan community.
  - Report to their manager or other managerial authority and to Public Safety (within 24 hours of detection) the loss or theft of computer equipment and/or electronic storage media such as USB drives, disks, etc.
- Department managers and supervisors shall immediately:
  - Report to their local compliance officer or to the Office of Ethics, Compliance and Corporate Integrity any reports of suspicious activity or of the loss or theft of computer equipment.
  - Report to their school's dean or unit's Vice President any suspicious activity that potentially presents a risk to their organization and to the University.
  - Report suspicious activity involving education records to the local Registrar office.
- The Office of Ethics, Compliance and Corporate Integrity shall:
  - Coordinate the reporting of and response to reports of suspicious activities, including those involving the loss or theft of computer equipment.
  - Assess and determine (along with the Office of Legal Management) the classification (e.g., Confidential, Private) and type (e.g., EPHI, PII) of information involved.
  - Collect from each Rowan organization assisting with the response all information related to the issue reported.
- The Information Security Office (ISO) shall:
  - Assess the information and technology risks to the University's electronic information, information systems, and information technology infrastructure.
  - Report to the SIRT any technology risks that may impact the University's business services and operations across a campus (or campuses).
  - Remediate technology risks as deemed appropriate to secure the operations of the University.
  - Document lessons learned.
- The ISO and the Office of Legal Management shall engage risk mitigation service partners as appropriate.
VII. NON-COMPLIANCE AND SANCTIONS
Failure to report or respond to an event or incident can expose the University to regulatory and/or statutory penalties and costly litigation, and can undermine its mission and standing in the community. Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University, as well as civil and criminal penalties. Sanctions shall be applied consistently to all violators regardless of job title or level in the organization.
A. Attachment 1, Appendix