ROWAN UNIVERSITY POLICY
Title: Security Incident Management Policy
Subject: Information Security
Policy No: ISO:2013:11
Applies: University-wide
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer
Date Adopted: 07-01-2013
Last Revision: 06-01-2014
Last Review: 09-01-2014
I. PURPOSE
To ensure that information security incidents are reported and assessed, and that their harmful effects are mitigated, in order to protect Rowan University's information.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Executive Vice President, Senior Vice Presidents, Vice Presidents, Deans, and other members of management shall ensure compliance with this policy and support investigations and remediation of information security events or incidents involving their respective organizations' electronic information or information systems.
III. APPLICABILITY
This policy applies to all members of the Rowan community including faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of Rowan, as well as visitors, who have been explicitly and specifically authorized to access and use the University's information systems.
IV. DEFINITIONS
...
- Application – a computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions. It typically presents as a series of records or transactions. These records and transactions are generally accessible by more than one user.
...
- Availability – the expectation that information is accessible by Rowan when needed.
...
- Business Unit – the term applies to multiple levels of the University, such as a revenue generating unit or a functional unit (e.g., Compliance, Human Resources, IR&T, Legal, Finance, etc.). It may also be comprised of several departments (e.g., IR&T).
...
- Confidential Information – the most sensitive information, which requires the strongest safeguards to reduce the risk of unauthorized access or loss. Unauthorized disclosure or access may 1) subject Rowan to legal risk, 2) adversely affect its reputation, 3) jeopardize its mission, and 4) present liabilities to individuals (for example, HIPAA/HITECH penalties). See University policy, Information Classification for additional clarification.
...
- Confidentiality – the expectation that only authorized individuals, processes, and systems will have access to Rowan's information.
...
- Directory Information – information identified by Rowan that may be released without prior consent of the student. (See Family Educational Rights and Privacy Act policy (00-01-25-05:00) for a comprehensive list of information categorized as Directory Information.)
...
- EPHI – electronic patient health information.
...
- Information System – consists of one or more components (e.g., application, database, network, or web) hosted in a University campus facility, which may provide network services, storage services, decision support services, or transaction services to one or more business units.
...
- Personally Identifiable Information (PII) – examples include full name, personal identification number (such as Social Security number, passport number, driver's license number, taxpayer identification number, bank information, or credit card number), mailing or email address, personal characteristics (such as photographic image, fingerprints, or other biometric information), or any combination of these.
...
- Private Information – sensitive information that is restricted to authorized personnel and requires safeguards, but which does not require the same level of safeguards as confidential information. Unauthorized disclosure or access may present legal and reputational risks to the University. See University policy, Information Classification for additional clarification.
...
- Service Desk – the University technology service team that receives and handles requests for technical support and requests for new or changed technology and voice services.
...
- Security Event – a possible unauthorized attempt to compromise the confidentiality, integrity, or availability of the University's electronic information or information systems. It may be a local threat that can or has evolved to present a larger risk to the University.
...
- Security Incident – an actual or possible breach of the University's safeguards that protect its electronic information, information technology infrastructure or services, or information systems (or dependent information systems), and presents a significant business risk to the University.
...
- Sensitive Information – protected sensitive electronic information; information classified as confidential or private (such as intellectual property or other information deemed sensitive by a department, school, or unit).
...
- SIRT – Security Incident Response Team.
V. REFERENCES
A. Family Educational Rights and Privacy Act 00-01-25-05:00
...
A. Attachment 1, Appendix
B. Attachment B, Reporting Suspicious Computer Activity and/or Stolen Computer Equipment
C. Attachment C, Response To Suspicious Computer Activity and/or Stolen Computer Equipment
By Direction of the CIO:
__________________________________
Mira Lalovic-Hand,
VP and Chief Information Officer
...
SEVERITY | DESCRIPTION
---|---
Critical | Potential operational disruption across a campus or all campuses. May have one or more of the following characteristics:
High | Potential operational disruption of a school or unit (e.g., Camden or SOM University Hospitals). May have one or more of the following characteristics:
Medium | Serious impact to a business unit, possibly resulting in an operational disruption. May have one or more of the following characteristics:
Low | Minor impact to a business unit that may present an operational risk if not addressed immediately. May have one or more of the following characteristics:
...
REPORTING SUSPICIOUS COMPUTER ACTIVITY and/or STOLEN COMPUTER EQUIPMENT
A. Users
- Users who detect a security breach, believe computer activity to be suspicious, or find that computer equipment (including mobile devices and removable media) is missing must report it to their manager or other managerial authority in their organization.
- Theft of computer equipment must also be reported to Public Safety and the Information Security Office (ISO).
B. Managers
- On notification of the activity or theft, managers must contact their local compliance officer and the ISO to initiate an assessment of the activity and/or initiate an investigation of the missing equipment.
- If student information is potentially involved, managers must also contact their local Registrar office.
C. Communications and Assessment
- Coordination and Compliance Assessment
- The Office of Ethics, Compliance and Corporate Integrity is the lead assessor for all reports of suspicious activities and/or missing computer equipment. They will coordinate and manage the communications amongst all parties involved with response to the event.
- Information Security Risk Assessment
- The Information Security Office (ISO) will assess if the event presents a larger security risk to the University's electronic information, information systems, or information technology infrastructure across a campus (or campuses).
...
C. Incident Handling and Reporting
- Investigation Timeframe
- Management personnel, technology personnel, and security response teams must begin investigating a reported event within 24 hours of the initial report of suspicious activity.
- The Office of Ethics, Compliance and Corporate Integrity must be informed of suspicious activity related to EPHI.
- The local Registrar office must be informed of suspicious activity related to education records.
- The Incident Report must include the elements listed in the appendix.
- Lessons Learned
Prepare a Lessons Learned document for incidents. The document must include the standard incident report information and establish the steps necessary to prevent or limit the risk of the incident recurring.
- Record Retention
Prepare and retain documentation for all evaluations of suspicious activity and incidents. See the Requirements section for additional information about record retention.
D. Requirements
- Communications
- All communications (electronic or physical documents) related to suspicious activity or actual events and incidents must be retained according to legal requirements and the University's records management requirements.
- Communications that may affect the integrity of an investigation are not to be destroyed or altered in any manner.
- Physical Assets
- Hardware
- Hardware related to an investigation of suspicious activity and that may affect the integrity of an investigation is not to be destroyed or altered in any manner.
- Documents
- Physical and electronic documents related to an investigation of suspicious activity that may affect the integrity of an investigation are not to be destroyed or altered in any manner.
- Physical and electronic documents must be retained according to legal requirements and the University's records management requirements.
- Hardware
...
- The Chief Information Security Officer shall develop, implement, and maintain an Information Security Incident Response Plan. The plan will support the Office of Ethics, Compliance and Corporate Integrity's Data Breach Policy and Response Plan.
- Users shall:
- Report to their manager or other managerial authority (within 24 hours of detection) any computer activity they believe is suspicious or outside the normal course of business, regardless of whether it is conducted by an outside person or a member of the Rowan community.
- Report to their manager or other managerial authority and to Public Safety (within 24 hours of detection) the loss or theft of computer equipment and/or electronic storage media such as USB drives, disks, etc.
- Department managers and supervisors shall immediately:
- Report to their local compliance officer or the Office of Ethics, Compliance and Corporate Integrity reports of suspicious activity or loss or theft of computer equipment.
- Report to their school's dean or unit's Vice President suspicious activity that potentially presents a risk to their organization and to the University.
- Report suspicious activity involving education records to the local Registrar office.
- Office of Ethics, Compliance and Corporate Integrity shall:
- Coordinate the reporting of and response to reports of suspicious activities, including those involving the loss or theft of computer equipment.
- Assess and determine (along with the Office of Legal Management) the classification (e.g., Confidential, Private) and type (e.g., EPHI, PII) of information involved.
- Collect from each Rowan organization assisting with the response all information related to the issue reported.
- The Information Security Office (ISO) shall:
- Assess the information and technology risks to the University's electronic information, information systems, and information technology infrastructure.
- Report to the SIRT any technology risks that may impact the University's business services and operations across a campus (or campuses).
- Remediate technology risks as deemed appropriate to secure the operations of the University.
- Document lessons learned.
- The ISO and the Office of Legal Management shall engage risk mitigation service partners as appropriate.