...

Title: Security Incident Management Policy
Subject: Information Security
Policy No: ISO:2013:12
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 07/01/2013
Last Revision: 06/14/2024 (previous version: 03/06/2024)
Last Review: 08/11/2023

...

  1. The Information Security Office (ISO) will manage the Security Incident Management program at Rowan University and is responsible for developing and managing the processes, tools, and policies necessary to respond to information security incidents.

  2. The Security Incident Review Board is responsible for monitoring and reviewing security incidents as defined in the Security Incident Management program.

  3. The Security Incident Management Program must ensure documentation and training are provided to ensure that:

    1. Security incidents are handled by appropriately authorized and skilled personnel identified by their roles and responsibility on the Security Incident Response Team.

    2. Appropriate levels of university management are informed of and involved in incident response.

    3. Security incidents are recorded and documented.

    4. Information is provided on the university website, and through other training and communications channels, that explains how information security incidents should be reported and encourages the reporting of all incidents whether they are actual, suspected, threatened, or potential.

    5. The impact of security incidents is understood and appropriate actions are taken to prevent further damage to the university.

    6. Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny.

    7. External bodies or data subjects are informed as required.

    8. Security incidents are dealt with in a timely manner and normal operations restored.

    9. Security incidents are reviewed by the Security Incident Review Board to identify improvements in policies and procedures.

  4. Required Reporting Actions

    1. All members of the Rowan community are responsible for promptly reporting any security event or incident to the Technology Support Center by emailing support@rowan.edu or calling 856-256-4400.

    2. Types of Security Events and/or Security Incidents to report:

      1. Any security event believed to be suspicious or considered an unauthorized attempt to access, use, steal, or damage Rowan's electronic information, information systems, or information technology infrastructure. This includes anomalous computer activity, missing computer equipment, etc.

      2. Any security incidents a member of the Rowan Community may have been made aware of through other channels, including physical letters or emails from vendors of a product(s) used by the University currently or in the past.

    3. The report should include:

      1. Date of security incident

      2. Date of discovery

      3. Type of security incident, such as fraud, data breach/exposure, theft, malware, phishing, etc.

      4. Estimated number of individuals impacted and/or records exposed/breached

      5. A brief description of what occurred

      6. How you became aware of the information security incident

      7. Any other pertinent information

  5. Response to an Information Security Incident Report

    1. The ISO has implemented a standard Security Incident Response methodology that consists of the following six sequential phases: Identify, Analyze, Contain/Mitigate, Eradicate/Remediate, Recover, and Lessons Learned. An outline of each phase is presented below.

      1. Identify: The Security Incident Response Team will review all information security reports to understand the incident and the potential impact. The Incident Response Team consists of the following key members:

        1. Incident Commander (IC)

        2. Deputy

        3. Scribe

        4. Subject Matter Expert

        5. Customer Liaison/Internal Liaison

      2. Analyze: Reports that represent a risk to the University's Enterprise Information Systems or infrastructure require a response within 24 business hours by the incident response team to mitigate the risk to the University's assets, business services, and operations. Reports involving a breach of sensitive data (PHI, PII, HIPAA, FERPA, etc.) may have specific legal requirements for public announcement and reporting of the incident. All appropriate incidents must be reported to the New Jersey Cybersecurity and Communications Integration Cell as required by state law.

      3. Contain/Mitigate: Mitigation efforts will be made to prevent the spread of an incident and future occurrences of similar security incidents.

      4. Recover: All Security Incident Response procedures must be documented in the Rowan University Security Incident Response Management program to be reviewed and updated by the Information Security Office on an annual basis.

      5. Lessons Learned: The Lessons Learned analysis provides feedback to improve the existing process and its related procedures. Following actions taken to resolve each security incident, this analysis shall be performed by the Security Incident Review Board to evaluate the procedures taken and what further steps could have been taken to minimize the impact of the incident. A summary of all incidents must be presented as part of the post-mortem of the incident by the Information Security Officer to the Security Incident Review Board. Outstanding risks will be added to the Information Security Office Risk Registry and tracked through closure.

  6. Security Incident Response Stakeholder Authority and Responsibilities

    1. The Security Incident Response Stakeholders include, but are not limited to, the ISO and the IRT. Roles and responsibilities for specific groups and individuals during information security events at Rowan University are outlined below:

      1. SVP and Chief Information Officer (CIO): The SVP/CIO provides information technology leadership across the entire university, advising on matters of information technology strategy, entrepreneurship, security, and investment. As necessary or appropriate, the SVP/CIO is responsible for being a conduit to other Rowan University executive officers during a suspected IT security incident.

      2. Information Security Officer: The Information Security Officer is the ultimate authority for interpretation and implementation of Information Security Incident Reporting, as well as for coordinating information security incident communications. The Information Security Officer will also act as Incident Commander. If the Information Security Officer is not available, the Incident Commander will be chosen by the Chief Information Officer and/or the Chief Technology Officer.

      3. Associate Director of Information Security: Serves as a backup to the Information Security Officer in the event they are not available with all the same responsibilities. In addition, the Associate Director of Information Security serves as the Security Incident Response Team leader and is responsible for maintaining and reviewing the Security Incident Management program on an annual basis.

      4. Security Incident Response Team (SIRT): This team is a group of individuals who have been trained in incident management, each having distinct response roles. The team works under the direction of the Information Security Officer and Associate Director of Information Security.

      5. Security Incident Review Board: The Security Incident Review Board is represented by senior leadership from various campus units. The board is responsible for reviewing security incidents, how the incident was handled, and any lessons learned from the security incident. In addition, the board meets as needed to discuss any ongoing incidents and lastly the board determines whether an incident is escalated to the Cyber Insurance carrier.

  7. Responsibilities of the Rowan Community
    1. The security of Rowan University, its data and information systems is the responsibility of all members of the Rowan community. Adherence to security policies, guidelines and best practices is required for all faculty, staff, students and affiliates.
    2. Members of faculty/staff, students and/or affiliates may be required to provide information, take action or otherwise participate as part of an investigation.
    3. While the incident response team will take reasonable actions to minimize inconvenience to employees and the University community, it may be necessary to contact individuals after hours, during classes, etc.

...