Computer Security Incident Response
This policy defines the reporting and response to any Computer Security Incident. There are two types of Security Incidents: Computer Security Incidents and Confidential Data Security Incidents.
A Computer Security Incident is any event that threatens the confidentiality, integrity, or availability of University systems, applications, data, or networks. University systems include, but are not limited to: servers, desktops, laptops, workstations, tablets, telephony, network servers/processors, or any other electronic data storage or transmission device.
Examples of Computer Security Incidents include, but are not limited to:
- Unauthorized access
- Intentionally targeted but unsuccessful unauthorized access
- Infection by malware (Viruses, Worms, Trojan horses, Spyware, etc.)
- Denial-of-service attack
- Theft or loss of a University system
A Confidential Data Security Incident is a subset of Computer Security Incidents that specifically threatens the security or privacy of Confidential University Data.
Examples of Confidential Data Security Incidents include, but are not limited to, the unauthorized or accidental release or sharing of:
1. Sensitive personally-identifiable information
Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Southwestern University.
Examples include, but are not limited to:
- Social Security Numbers
- Credit card account numbers
- Salary information
- FERPA protected information
- HIPAA protected information
- Passwords and other access credentials
2. Proprietary information
Data, information, or intellectual property, in which the University has an exclusive legal interest or ownership right and which, if compromised, could cause significant harm to Southwestern University.
Examples include, but are not limited to:
- Financial information
- Business planning data
- Data, software, or other material from third parties which the University has agreed to keep confidential
3. Any other data, the disclosure of which could cause significant harm to Southwestern University.
This policy applies to all users of Southwestern data, information or computing resources. It applies to any computing devices owned, leased, or otherwise controlled by Southwestern University that experience a Security Incident. It also applies to any computing device, regardless of ownership, which either is used to store Confidential University Data, or which, if lost, stolen, or compromised, and based on its privileged access, could lead to the unauthorized disclosure of Confidential University Data. Confidential Data Security Incidents additionally apply to any computing or network device, regardless of ownership, on which is stored Confidential Data or by which access to Confidential Data might be gained.
Examples include, but are not limited to:
- A home or other personally owned computer containing Confidential Data.
- A mobile device on which credentials are stored which could be used to access Confidential Data.
- A server housed in an off-site facility.
The Associate Vice President for Information Technology is responsible for managing the response to all computer security incidents. This policy defines the steps that staff and users must follow to ensure that Computer Security Incidents and Confidential Data Security Incidents are identified, contained, investigated, and remedied.
All computer security and confidential data security incidents must be promptly reported to Information Technology staff. Reporting can be done by:
- Calling extension 7333 or 512-819-7333 from off campus
- Calling the campus operators at 512-863-6511 during non-business hours
- Visiting the InfoDesk in the SLC
If the reported incident is described or identified to be either a Confidential Data Security Incident or a Computer Security Incident, the notified party will immediately:
- Report the incident to the Associate Vice President for Information Technology. The AVP, in collaboration with other appropriate IT staff, will determine if the incident is a Computer Security Incident or a Confidential Data Security Incident.
- If the determination is affirmed as a Confidential Data Security or Computer Security Incident, the AVP will inform the Vice President for Finance & Administration and assemble the Incident Response Team. The AVP for IT is responsible for logging and investigating security incidents, and is responsible for working with the senior administration, legal counsel and reporting on all security incidents.
INCIDENT RESPONSE TEAM
The purpose of the Incident Response Team is to determine a course of action to appropriately address this incident.
The AVP for IT shall designate the membership of the Incident Response Team. Normally, membership will include appropriate individuals from Information Services, offices with primary responsibility for the compromised data, and, if necessary, the police department and legal counsel.
The responsibility of the Incident Response Team is to assess the actual or potential damage to the University caused by the Computer Security or Confidential Data Security Incident, and to develop and execute a plan to mitigate that damage.
Incident Response Team members will share information regarding the incident outside of the team only on a need-to-know basis and only after consultation with the AVP for IT and in some cases, legal counsel.
The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate Information Services staff shall be available for consultation in such cases.
Work to promptly establish the scope of the incident and to identify the extent of systems and data affected
- identification of the person reporting the breach (name, contact info, etc.)
- record of the location, timeframe, and apparent cause of the breach
- preliminary identification of confidential data that may be at risk
Communication about breach to authorized individuals
- AVP for IT
- chief of police (if physical entry or hardware theft are involved)
- president and senior officers (depending on severity of data compromised)
- legal counsel (depending on severity of data compromised)
- security experts (consultants to assist with breach notification)
After life and safety issues have been resolved, identify and implement actions to mitigate the spread of the incident and its consequences. Such actions might well include requiring that affected systems be disconnected from the network.
Preservation of evidence
Promptly develop a plan to identify and implement steps for the preservation of evidence and the chain of evidence, consistent with needs to restore availability. The plan might include steps to clone a hard disk, preserve log information, or capture screen information. Preservation of evidence should be addressed as quickly as possible in order to restore availability of the affected systems as soon as practicable.
- Investigate the causes and circumstances of the incident, and determine future preventative actions.
- confirmation/inventory of confidential materials at risk
- security measures that were defeated or circumvented
- forensic evidence
- likelihood of recovering data (or stolen equipment)
- utilize outside assistance if needed
Incident-specific risk mitigation and remediation
- Identify and recommend strategies to mitigate the risk of harm arising from this incident.
- ensure that missing data (e.g., passwords) cannot be used to access further information or cause harm in other ways to Southwestern’s electronic or other resources;
- pursue all reasonable means to recover the lost data (e.g., if the missing equipment has software that provides location information);
- identify individuals affected by the breach (e.g., those whose loss of confidential information may put them at risk of identity theft or other adverse consequences)
- determine if lost data can be restored from backups; take appropriate steps
- determine if lost data can be neutralized by changing account access, ID information, and taking other steps
- modify procedures, software, equipment, etc., as needed to prevent future data breaches of a similar nature;
- take appropriate actions if personnel negligence caused or contributed to the incident.
Notification of breach
Senior officers, AVP for IT and legal counsel will determine need and method(s) to:
- notify affected individuals
- notify Board of Trustees chair
- notify Southwestern community
- notify public
SENIOR RESPONSE TEAM FORMATION
If, in the judgment of the AVP for IT or VP for Finance & Administration, the incident might reasonably be expected to cause significant harm to the subjects of the data or to Southwestern University, they may recommend to the President that a Senior Response Team be established. The Senior Response Team shall be comprised of senior-level institutional administrators designated by the President.
The Senior Response Team will determine, with assistance and input from legal counsel, whether Southwestern University should make best efforts to notify individuals whose personally identifiable information might have been at risk due to the incident. In making this determination, the following factors shall be considered:
- Legal duty to notify
- Length of compromise
- Human involvement
- Sensitivity of compromised data
- Existence of evidence that data were compromised
- Existence of evidence that affected systems were compromised for reasons other than accessing and acquiring data
- Additional factors recommended for consideration by members of the Incident Response Team or Senior Response Team
COMMUNITY AND PUBLIC NOTIFICATIONS
If it is determined that community and/or public notifications are indicated, the AVP for IT, legal counsel and Southwestern University communications staff will develop and issue messages that cover the following points:
- nature and scope of missing data
- general circumstances of the breach (e.g., stolen laptop, hacked database, etc.)
- rough timeline of the breach (e.g., date of breach, date of discovery)
- steps the university has taken to investigate and assess the breach
- any involvement of law enforcement or other third parties
- knowledge of any misuse of the missing data
- university-provided credit-watch service for affected individuals for one year
- security experts' steps on behalf of affected individuals
- steps that the university is taking to prevent future breaches of this nature
Log of security incidents
Information Technology shall maintain a log of all Computer Security and Confidential Data Security Incidents, recording the date, type of Confidential Data affected, number of subjects affected (if applicable), summary of the reason for the breach, and corrective measures taken.
Information Technology shall issue a report for every Computer Security and Confidential Data Security Incident describing the incident in detail, the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
Annual summary report
Information Technology shall provide annually to the VP for Finance & Administration a report containing statistics and summary-level information about all known Computer Security and Confidential Data Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.