91探花

Search within:

Security incident response standard

Purpose

This standard outlines the process for notification of and response to a security incident involving data processed, stored, or transmitted by the University.

Scope

Where a security incident involving data processed, stored, or transmitted by the University is suspected, University employees, faculty, students, or other individuals, must report the suspected incident to the Office of Information Technology (OIT) Information Security Office (ISO), via the ISO website鈥檚 Report Information Security Incidents.

Standard

Security incident identification & reporting. An InfoSec incident is an event that poses a threat to the integrity, availability, or confidentiality of an IT system. Incidents must be reported immediately to the Information Security Office (ISO) after discovery.

Security incident investigation, classification and response. Upon notification of a suspected security incident the ISO will immediately deploy the processes outlined within the 91探花 Information Security Incident Response. The ISO or designee will act as the Incident Response Manager (IRM) for all reported cyber incidents. The ISO, with the assistance of the reporting entity will work together to coordinate all aspects of the incident response process. in accordance with 91探花 Information Security Incident Response. The ISO will conduct the investigation, and work with the reporting operating unit to identify the class and severity of the incident. As deemed appropriate by the incident classification (High, Medium, or Low), ISO will coordinate with the Critical Incident Response Team (CIRT), OHIO Breach Response Committee, and other stakeholders as necessary, to determine the actionable response to the incident.

Security Breach Notification Protocol. If upon investigation, it is determined that a security breach involving notice triggering information has occurred, the Chief Information Security Officer (CISO) will respond in accordance with the Data Breach Response Standard and the corresponding Administrative Procedure Notification of a Data Security Breach.

Responsibilities

The following University organizations act as University Authorities; those who are authorized to make requests and decisions regarding cyber security incident response at OHIO:

All individuals: Report concerns regarding suspected security breaches of private data to University Information Security at security@ohio.edu.

Chief Information Officer (CIO): Empowered to respond to IT security incidents by BOT Resolution 鈥淩egarding the Leadership, Responsibility, and Security of OHIO's Information Technology Infrastructure鈥

Chief Information Security Officer (CISO): Delegated authority by CIO to decide whether to activate CIRT.

OHIO Critical Incident Response Team (CIRT): A broad range of University stakeholders (see university Policy 44.100).

University Legal Counsel: Any law enforcement/legal actions, questions about information disclosure, legal aspects of the investigation.

University President: Personnel actions for staff.

Executive Vice President and Provost: Personnel actions for faculty.

University Internal Audit: Data integrity of critical University data, compliance with University procedures and fraud investigations.

University Risk Management: Alert regarding significant incidents and/or incidents involving critical data, coordinate with IUC-Risk Management & Insurance, compliance with insurance reporting requirements.

Division of Student Affairs/Student Conduct: Offenses by OHIO students

91探花 Police Department: Criminal matters

Departmental leadership: Engaged as applicable in coordination with designated University Data Stewards for regulatory compliance acts such as FERPA, HIPAA, PCI-DSS, etc.

NOTE: Requests from local, state, or federal law enforcement officials do not necessarily constitute proper authority. All requests from these agencies must first be made to University Counsel before contacting any university departmental personnel.

Definitions

Security incident: Anything that indicates a threat to computer systems or university data. Examples include but are not limited to: unauthorized use of university computers; log in attempts (successful or not) to gain access to someone else鈥檚 account; improper or unauthorized use of sensitive data, anything that diminishes the confidentiality, integrity or availability of university data or OHIO systems. Where confidentiality refers to measures taken to ensure privacy; integrity refers to accuracy, consistency, and trustworthiness of data; and availability refers to the accessibility of systems when needed.

Event: An event is an exception to the normal operation of Ohio Systems, infrastructure or services. Not all events become incidents.

Confidentiality: The requirement and need for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: The necessity of guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Availability: The requirement to ensure timely and reliable access to and use of information.

Security breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information stored, processed or transmitted by 91探花.

Notice-triggering information: Specific items of personal information identified in Ohio Revised Code Chapter 1347.12 Agency disclosure of security breach of computerized personal information data. This information includes an individual鈥檚 name in combination with social security number, driver鈥檚 license / state issued identification card number, health insurance information medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual鈥檚 financial account.

References

  • Policy 93.001 Data Classification
  • Policy 91.003 Acceptable Usage
  • Policy 91.005 Information Security
  • Ohio Revised Code Chapter 1347.12 Agency disclosure of security breach of computerized personal information data Security Incident Report Form
  • 91探花 Information Security Incident Response

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Information Technology: Ed Carter (Chair)
  • Human Resources: Michael Courtney
  • Faculty: Hans Kruse
  • Finance and Administration: Chad Mitchell
  • Associate Dean: Shawn Ostermann
  • Regional Higher Education: Larry Tumblin
  • Research and Sponsored Programs: Maureen Valentine
  • Enterprise Risk Management and Insurance: Larry Wines

History

Draft versions of this policy were circulated for review and approved May 6, 2021.