For questions about modifications or traffic of policies or procedures, please contact:
Sarah Scott
Phone: 509-963-2111
Email: Sarah.Scott@cwu.edu
(1) Procedure
This procedure describes the process used for assessing, responding to, and managing information security and privacy incidents (hereafter "incidents"). Incidents include, but are not limited to, unauthorized access, disclosure, modification, and destruction of institutional information and information systems.
(2) Incident Management
(A) High Level Incident Management Process Flow
Figure 1 illustrates the high level incident management process flow and is described in the sections below.
(B) Obligation to Report and Assist
Students, faculty, and staff shall immediately report potential incidents to their supervisor or Security Services department or designated office, as defined below. The incident reporting form is available on the Security Services website.
Third parties are contractually bound to limit the access, use, or disclosure of institutional information, information systems, computerized devices, or infrastructure technology, and shall promptly report potential incidents to the university employee who authorized their access, use, or disclosure. In addition, third parties are required to sign a non-disclosure agreement (NDA) and review university policies and procedures prior to commencement of any work.
Students, faculty, staff, and third parties shall provide full assistance with the investigation of any potential incident.
(C) Analysis and Assessment
Based on the type of incident, the Chief Information Security Officer shall coordinate with the university designated offices identified in Table 1 in the analysis and assessment of a potential incident. Depending on the type of incident, the overall responsibility of the incident management process shall lie with the designated office.
Table 1. Designated Offices for Analysis and Assessment of Potential Incidents

| Type of Incident | Designated Office | Scope |
|---|---|---|
| All incidents unrelated to student educational records, cardholder data, or protected health information | Security Services | All areas of the university |
| Student Educational Records | Office of the Registrar | All areas of the university |
| Cardholder Data | Financial Services | All areas of the university |
| Protected Health Information (PHI) | Medical Services | All areas of the university |
Concurrent with the analysis and assessment, the designated office shall, where appropriate, work with data stewards and data custodians to obtain and preserve the necessary evidence associated with the incident.
If the designated office determines that an incident actually occurred, they shall conduct a risk assessment based on the sensitivity of the institutional information, impact to users, compliance requirements, criminal activity, and criticality of the information system to determine whether an incident should be referred to or shared with another designated office.
(D) Incident Management
1. The Chief Information Security Officer shall, in collaboration with the designated office, assign an incident manager and assemble an incident management team that may include, but is not limited to, the following individuals or functional areas:
a. Chief Information Officer
b. Risk Management
c. Assistant Attorney General
d. Public Affairs
e. The appropriate data owner or data custodian
f. Executive heads of major university organizations
g. Chief Human Resources Officer
h. Academic and Student Life
i. University's subject matter experts on privacy laws or regulations related to the incident
2. The incident management team shall:
a. Review the initial analysis and assessment to determine the potential impact of the incident;
b. Assign additional resources, as needed, for further investigation and forensic analysis;
c. Develop and implement a plan to communicate within the University about the incident. The communication plan shall specify the recipients, content, and methods of communication; and
d. Determine whether notification of the incident to parties outside the university is necessary.
[02/21]
(E) Notification
Notification of an incident shall be made as directed by the incident management team, and shall be carried out in accordance with applicable legal, regulatory, or contractual requirements. The incident manager, in collaboration with the designated office and the Public Affairs department, shall facilitate any notification to parties outside the university.
(F) Reporting and Documentation
The incident management team shall prepare a written incident summary for each incident. The Chief Information Security Officer shall develop an incident log and perform a quarterly analysis of these summaries to identify trends.
(G) Remediation
Remediation means efforts to address harm caused by the incident, if any, and efforts to address issues that led to the incident. Remediation may begin at any time, as appropriate, during the incident management process, provided evidence is preserved.
If an incident occurred and an incident management team is convened, the incident manager and designated office shall review and approve all proposed remediation actions. The designated office may also require the departmental unit(s) involved in the incident to develop a formal remediation plan.
If an incident did not occur and an incident management team was not convened, the Chief Information Security Officer will use the process described in Section (2)(C) to determine whether remediation is appropriate, and if so, the scope of any such effort.
[02/21]
(H) Designated Office Responsibility
Each designated office shall develop, maintain, and follow an incident response plan that defines its procedures for analyzing and assessing a potential incident. The Chief Information Security Officer shall review and approve the incident response plans and the plans shall address, at minimum:
1. Documentation
2. Preserving evidence and chain of custody
3. Analysis and assessment
4. Referral and communication to designated official
5. Containment
6. Remediation
7. Reporting
(3) Procedure Maintenance
The Chief Information Security Officer shall review and recommend changes to this procedure statement at least annually or more frequently as needed to respond to changes within the institution and the regulatory environment.
(4) Additional Information
For further information on this procedure or to report an incident, please contact the Security Services department.
[5/04/2011; Responsibility: President’s Office; Authority: Cabinet/PAC; Reviewed/Endorsed by: Cabinet/PAC; Review/Effective Date: 6/4/2014; Approved by: James L. Gaudino, President]