ROWAN UNIVERSITY POLICY
Title: Security Incident Management Policy
Subject: Information Security
Policy No: ISO:2013:
Senior Vice President for Information Resources and Technology and Chief Information
Chief Information Security Officer
Date Adopted: 07
The purpose of this policy is to ensure that information security incidents are reported, assessed, and
mitigated to protect Rowan University's information assets.
Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The
Executive Vice President, Senior Vice Presidents, Vice Presidents, Deans, and other members of management
shall ensure compliance with this policy and support investigations and remediation of information security events or incidents involving their respective organizations' electronic information or information systems.
This policy applies to all members of the Rowan community.
A. Application – a computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions. It typically presents as a series of records or transactions. These records and transactions are generally accessible by more than one user.
B. Availability – the expectation that information is accessible by Rowan when needed.
C. Business Unit – the term applies to multiple levels of the University, such as a revenue generating unit or a functional unit (e.g., Compliance, Human Resources, IR&T, Legal, Finance, etc.). It may also be comprised of several departments (e.g., IR&T).
D. Confidential Information – the most sensitive information, which requires the strongest safeguards to reduce the risk of unauthorized access or loss. Unauthorized disclosure or access may 1) subject Rowan to legal risk, 2) adversely affect its reputation, 3) jeopardize its mission, and 4) present liabilities to individuals (for example, HIPAA/HITECH penalties). See University policy, Information Classification for additional clarification.
E. Confidentiality – the expectation that only authorized individuals, processes, and systems will have access to Rowan's information.
F. Directory Information – information identified by Rowan that may be released without prior consent of the student. (See Family Educational Rights and Privacy Act policy (00-01-25-05:00) for a comprehensive list of information categorized as Directory Information.)
G. EPHI – electronic patient health information.
H. Information System – consists of one or more components (e.g., application, database, network, or web) that is hosted in a University campus facility, and which may provide network services, storage services, decision support services, or transaction services to one or more business units.
I. Personally Identifiable Information (PII) – examples include full name, personal identification number (such as Social Security number, passport number, driver's license number, taxpayer identification number, bank information, or credit card number), mailing or email address, personal characteristics (such as photographic image, fingerprints, or other biometric information), or any combination of these.
J. Private Information – sensitive information that is restricted to authorized personnel and requires safeguards, but which does not require the same level of safeguards as confidential information. Unauthorized disclosure or access may present legal and reputational risks to the University. See University policy, Information Classification for additional clarification.
K. Service Desk – the University technology service team that receives and handles requests for technical support and requests for new or changes to technology and voice services
L. Security Event – a possible unauthorized attempt to compromise the confidentiality, integrity, or availability of the University's electronic information or information systems. It may be a local threat that can or has evolved to present a larger risk to the University.
M. Security Incident – an actual or possible breach of the University's safeguards that protect its electronic information, information technology infrastructure or services, or information systems (or dependent information systems), and presents a significant business risk to the University.
N. Sensitive Information – protected sensitive electronic information; information classified as confidential or private (such as intellectual property or other information deemed sensitive by a department, school, or unit).
O. SIRT – Security Incident Response Team.
P. Rowan Community – faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of Rowan
Q. User – refers to any member of the Rowan community, as well as visitors, who have been explicitly and specifically authorized to access and use the University's information systems
, including faculty, staff, non-employees, students, attending physicians, contractors, covered entities, agents of Rowan, and visitors, who have been explicitly and specifically authorized to access and use any information asset, product or service that requires processing, transmitting, or storage of Rowan data or information.
Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
The Information Security Office (ISO) will manage the Security Incident Management program at Rowan University and is responsible for developing and managing the processes, tools, and policies necessary to respond to information security incidents.
The Security Incident Board is responsible for monitoring and reviewing security incidents as defined in the Security Incident Management program.
The Security Incident Management Program must ensure documentation and training is provided to ensure that:
Security incidents are handled by appropriately authorized and skilled personnel identified by their roles and responsibility on the Security Incident Response Team.
Appropriate levels of university management are informed of and involved in incident response.
Security incidents are recorded and documented.
Information is provided on the university website, and through other training and communications channels, that explains how information security incidents should be reported and encourages the reporting of all incidents whether they are actual, suspected, threatened, or potential.
The impact of security incidents are understood and appropriate actions are taken to prevent further damage to the university.
Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny.
External bodies or data subjects are informed as required.
Security incidents are dealt with in a timely manner and normal operations restored.
Security incidents are reviewed by the Security Incident Review Board to identify improvements in policies and procedures.
Required Reporting Actions
All members of the Rowan community are responsible for promptly reporting any security event or incident to the Technology Support Center by emailing email@example.com or calling 856-256-4400.
Types of Security Events and or Security Incidents to report:
Any security event believed to be suspicious or considered an unauthorized attempt to access, use, steal, or damage Rowan's electronic information, information systems, or information technology infrastructure
. This includes anomalous computer activity, missing computer equipment
A. Reporting Suspicious Computer Activity and/or Stolen Computer Equipment
- If they detect a security breach or believe computer activity to be suspicious, and/or computer equipment (including mobile devices and removable media) is missing, users must report it to their manager or other managerial authority in their organization.
- Theft of computer equipment must also be reported to Public Safety and the Information Security Office (ISO).
- On notification of the activity or theft, managers must contact their local compliance officer and the ISO to initiate an assessment of the activity and/or initiate an investigation of the missing equipment.
- If student information is potentially involved, managers must also contact their local Registrar office.
B. Communications and Assessment
- Coordination and Compliance Assessment
The Office of Ethics, Compliance and Corporate Integrity is the lead assessor for all reports of suspicious activities and/or missing computer equipment. They will coordinate and manage the communications amongst all parties involved with response to the event.
- Information Security Risk Assessment
The Information Security Office (ISO) will assess if the event presents a larger security risk to the University's electronic information, information systems, or information technology infrastructure across a campus (or campuses).
To assist Compliance with the investigation and respond to reports of suspicious activity, Compliance may request the services of Public Safety, the Office of Legal Management, the Information Security Office.
The Office of Legal Management is to be informed of suspected data breaches to ensure the timely and appropriate engagement of the University's risk mitigation partners and service providers.
The Information Security Office and IRT management will keep the SIRT apprised of any reports that involve potential threats to the University's information technology infrastructure, services, and dependent information systems across the campus.
- Security Incident Response Team
- Consists of representatives from the Information Security Office, IRT, Office of Emergency Management, Office of Legal Management, Office of Ethics, Compliance and Corporate Integrity, and Department of Public Safety.
- Members of other Rowan organizations may become engaged in the incident response, depending on its categorization.
D. Incident Categorization
Security incidents must be categorized according to the standards listed in the appendix. Categorization is necessary in order to uniformly assess the risk to the University's operations and determine the appropriate response.
E. Incident Handling And Reporting
- Investigation Timeframe
- Management personnel, technology personnel, and security response teams must begin investigating a reported event within 24 hours of the initial report of suspicious activity.
- The Office of Ethics, Compliance and Corporate Integrity must be informed of suspicious activity related to EPHI.
- The local Registrar office must be informed of suspicious activity related to education records.
- The Incident Report must include the elements listed in the appendix.
- Lessons Learned
Prepare a Lessons Learned document for incidents. The document must include the standard incident report information and establish the steps necessary to prevent or limit the risk of the incident recurring.
- Record Retention
Prepare and retain documentation for all evaluations of suspicious activity and incidents. See the Requirements section for additional information about record retention.
- All communications (electronic or physical documents) related to suspicious activity or actual events and incidents must be retained according to legal requirements and the University's records management requirements.
- Communications that may affect the integrity of an investigation are not to be destroyed or altered in any manner.
- Physical Assets
Hardware related to an investigation of suspicious activity and that may affect the integrity of an investigation is not to be destroyed or altered in any manner.
- Physical and electronic documents related to an investigation of suspicious activity that may affect the integrity of an investigation are not to be destroyed or altered in any manner.
- Physical and electronic documents must be retained according to legal requirements and the University's records management requirements.
- The President, Chief Information Security Officer, Vice Presidents, and Deans shall:
- Ensure the implementation of this policy by the organizations under their purview.
- Ensure the support of investigations and remediation of information security events or incidents involving their organizations' electronic information or information systems.
- The Chief Information Security Officer shall develop, implement, and maintain an Information Security Incident Response Plan. The plan will support the Office of Ethics, Compliance and Corporate Integrity Data Breach Policy and Response Plan.
- Users shall:
- Report to their manager or other managerial authority (within 24 hours of detection) any computer activity they believe is suspicious or outside the normal course of business, regardless if conducted by an outside person or member of the Rowan community.
- Report to their manager or other managerial authority and to Public Safety (within 24 hours of detection) the loss or theft of computer equipment and/or electronic storage media such as USB drives, disks, etc.
- Department managers and supervisors shall immediately:
- Report to their local compliance officer or the Office of Ethics, Compliance and Corporate Integrity reports of suspicious activity or loss or theft of computer equipment.
- Report to their school's dean or unit's Vice President suspicious activity that potentially presents a risk to their organization and to the University.
- Report suspicious activity involving education records to the local Registrar office.
- Office of Ethics, Compliance and Corporate Integrity shall:
- Coordinate the reporting of and response to reports of suspicious activities, including those involving the loss or theft of computer equipment.
- Assess and determine (along with the Office of Legal Management) the classification (e.g., Confidential, Private) and type (e.g., EPHI, PII) of information involved.
- Collect from each Rowan organization assisting with the response all information related to the issue reported.
- The Information Security Office (ISO):
- Assess the information and technology risks to the University's electronic information, information systems, and information technology infrastructure.
- Report to the SIRT any technology risks that may impact the University's business services and operations across a campus (or campuses).
- Remediate technology risks as deemed appropriate to secure the operations of the University.
- Document lessons learned.
- The ISO and the Office of Legal Management shall engage risk mitigation service partners as appropriate.
Any security incidents a member of the Rowan Community may have been made aware of through other channels, including physical letters or emails from vendors of a product(s) used by the University currently or in the past
The report should include:
Date of security incident
Date of discovery
Type of security incident, such as fraud, data breach/exposure, theft, malware, phishing, etc.
Estimated number of individuals impacted and/or records exposed/breached
A brief description of what occurred
How you became aware of the information security incident
Any other pertinent information
Response to an Information Security Incident Report
The ISO has implemented a standard Security Incident Response methodology that consists of the following six sequential phases: Identify, Analyze, Contain/Mitigate, Eradicate/Remediate - Recover, and Lessons Learned. An outline of each phase is presented below.
Identify: The Security Incident Response Team will review all information security reports to understand the incident and the potential impact. The Incident Response Team consists of the following key members:
Incident Commander (IC)
Subject Matter Expert
Customer Liaison/Internal Liaison
Analyze: Reports that represent a risk to the University's Enterprise Information Systems or infrastructure require a response within 24 business hours by the incident response team to mitigate the risk to the University's assets, business services, and operations. Reports involving a breach of sensitive data (PHI, PII, HIPAA, FERPA, etc.) may have specific legal requirements for public announcement and reporting of the incident.
Contain/Mitigate: Mitigation efforts will be made to prevent future occurrences of similar security incidents.
Recover: All Security Incident Response procedures must be documented in the Rowan University Security Incident Response Management program to be reviewed and updated by the Information Security Office on an annual basis.
Lessons Learned: The Lessons Learned analysis provides feedback to improve the existing process and its related procedures. Following actions taken to resolve each security incident, this analysis shall be performed by the Security Incident Board, to evaluate the procedures taken and what further steps could have been taken to minimize the impact of the incident. A summary of all incidents must be presented on a quarterly basis by the CISO to the Security Incident Board.
Security Incident Response Stakeholder Authority and Responsibilities
The Security Incident Response Stakeholders includes but is not limited to ISO and IRT. Roles and responsibilities for specific groups and individuals during information security events at Rowan University are outlined below:
SVP and Chief Information Officer (CIO): The SVP/CIO provides information technology leadership across the entire university, advising on matters of information technology strategy, entrepreneurship, security, and investment. As necessary or appropriate, the SVP/CIO is responsible for being a conduit to other Rowan University executive officers during a suspected IT security incident.
Chief Information Security Officer (CISO): The Chief Information Security Officer is the ultimate authority for interpretation and implementation of Information Security Incident Reporting, as well as for coordinating information security incident communications.
Associate Director of Information Security: Serves as a backup to the Chief Information Security Officer in the event they are not available with all the same responsibilities. In addition, the Associate Director of Information Security serves as the Security Incident Response Team leader and is responsible for maintaining and reviewing the Security Incident Management program on an annual basis.
Security Incident Response Team (SIRT): This team is a group of individuals who have been trained in incident management, each having distinct response roles. The team works under the direction of the Chief Information Security Officer and Associate Director of Information Security.
Security Incident Review Board: The Security Incident Review Board is represented by senior leadership from various campus units. The board is responsible for reviewing security incidents, how the incident was handled, and any lessons learned from the security incident. In addition, the board meets quarterly to discuss any incidents that occurred during that specific timeline and lastly the board determines whether an incident is escalated to the Cyber Insurance carrier.
VI. POLICY COMPLIANCE
Failure to report or respond to an event or incident can expose the University to regulatory and/or statutory penalties, costly litigation, and undermine its mission and standing in the community.
Violations of this policy
may subject the violator to
disciplinary actions up to
A. Attachment 1, Appendix
A. Event Categorization
This list is not comprehensive and other categories may be added to help with the reporting process. Security events must be categorized according to the potential impact or threat to the confidentiality, integrity, and availability of the University's electronic information and/or information systems. Categorization is necessary in order to assess the risk to the University's business services and operations, and to determine the appropriate response.
A significant and/or persistent attempted intrusion that stands out above the daily activity and could result in unauthorized access of the target electronic information or information system.
Denial of Service
Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of the University's network.
All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms.
Access or use of the university's electronic information or information systems that violates Rowan policies and may present a risk to the University's electronic information or information systems.
Instances of unauthorized port scanning, network sniffing, resourcing mapping probes and scans, and other activities that are intended to collect information about vulnerabilities in the University's network and to map network resources and available services.
An instance (or instances) where an attacker uses human interaction to obtain or compromise information about the University, its personnel, or its information systems.
All unintentional or intentional instances of system compromise or intrusion by unauthorized persons, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels.
Any activity that is not recognized as being related to University business or normal use.
Incident Severity Levels
Rating the severity of an incident is a subjective measure of its threat to Rowan's operations. The severity level helps determine the priority for handling the incident, who manages the incident, and the incident response plan.
The following factors help determine severity level:
- Scope of impact, such as department, school or unit, campus, or University-wide.
- Criticality of the information system.
- Sensitivity of the information stored on or accessed through the system or service.
- Probability of propagation. Is the incident contained or can it spread beyond its current boundaries?
Potential operational disruption across a campus or all campuses. May have one or more of the following characteristics:
Potential operational disruption of a school or unit (e.g., Camden or SOM University Hospitals). May have one or more of the following characteristics:
Impact to a business unit that is serious and possibly results in an operational disruption. May have one or more of the following characteristics:
Impact to a business unit is minor and may present an operational risk if not addressed immediately. May have one or more of the following characteristics:
B. INCIDENT HANDLING AND REPORTING
The Incident Report must include:
- Name of the business unit.
- Name of the school or unit.
- Contact information of the person reporting the event (name, telephone, and email address). If the security event is an anonymous report forwarded by the Office of Ethics, Compliance and Corporate Integrity, use the name of the compliance officer who sent the report.
- Physical location of the affected information system.
- The classification of the information, i.e., confidential, private, internal, or public.
- The type of information, such as, EPHI, student information, or financial information.
- Date and time when the suspicious activity was detected.
- Date and time when the suspicious activity was reported.
- Incident type and severity level. This information may change during the course of an investigation, and initially only reflects the assessment at the time of detection and reporting. The SIRT will update this information during the course of the investigation.
- Suspected method of intrusion or attack.
- Suspected origin or cause of event or incident.
- Remediation methods.
Prepare a Lessons Learned report for incidents. The report must include the standard incident report information and establish the steps necessary to prevent or limit the risk of the incident recurring. The report shall be submitted to the Chief Information Officer, the Office of Ethics, Compliance and Corporate Integrity, and the Office of Legal Management. The report may be submitted to other University entities when necessary.
termination of employment or dismissal from school, subject to applicable collective bargaining agreements and may subject the violator to penalties stipulated in applicable state and federal statutes. Students who fail to adhere to this policy or the procedures and standards will be referred to the Office of Student Affairs and may be expelled. Contractors and vendors who fail to adhere to this policy and the procedures and standards may face termination of their business relationships with the University. Sanctions shall be applied consistently to all violators identified in Section III Applicability regardless of job titles or level in the organization per the Acceptable Use Policy.
By Direction of the CIO:
SVP and Chief Information Officer