Incident Response Policy

 
 
Document Number:
ITS-0012
Revision #:
v1.0
Document Owner:
Information Technology Service
Date Last Updated:
8/15/2019
Status:
Approved

General Description

Purpose:

It is vital to the University community that computer security incidents that threaten the security or privacy of confidential information are properly identified, contained, investigated, and remedied. According to Texas Senate Bill 122 Section 48.102, the University “shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure of any sensitive personal information collected or maintained in the regular course of business.”

The purpose of this policy is to provide the basis of appropriate response to incidents that threaten the confidentiality, integrity, and availability of university digital assets, information systems, and the networks that deliver the information. The Incident Response Policy provides a process for documentation, appropriate reporting internally and externally, and communication to the community as part of an ongoing educational effort. Finally, the policy establishes responsibility and accountability for all steps in the process of addressing computer security incidents.  

Scope:

The Incident Response Policy applies to all members of the Trinity University community. The Trinity University community (hereafter described as the “University community”) includes faculty and staff members, students, alumni, guests, and contractors. This Policy also includes computing or network devices owned, leased, or otherwise controlled by Trinity University. Additionally, incidents involving confidential information apply to any computing or network device, regardless of ownership, on which confidential or restricted information is stored or by which access to confidential or restricted information might be gained. (Examples include, but are not limited to: a home computer containing confidential data, a mobile device on which credentials are stored which could be used to access confidential data, a server housed in an off-site facility.)
Policy Content
Performance Evaluation

Consequences of Policy Violation:

Enforcement
Any behavior in violation of this policy is cause for disciplinary action. Violations will be adjudicated, as appropriate, by the CIO, the Office of the Dean of Students, the Office of Housing and Residential Life, and/or the Office of Human Resources. Sanctions as a result of violations of this policy may result in, but are not limited to, any or all of the following:
  • Attending a class or meeting on Security Incident issues, as well as successful completion of a follow up quiz;
  • Loss of University computing, email and/or voice mail privileges;
  • Disconnection from the residential hall network;
  • University judicial sanctions as prescribed by the student Code of Conduct;
  • Monetary reimbursement to the University or other appropriate sources;
  • Reassignment or removal from University housing and/or suspension or expulsion from the University;
  • Prosecution under applicable civil or criminal laws;
  • Employees may be subject to disciplinary action.
Violations:
Reports of data and systems compromises and the exposure of personal and restricted information should be immediately reported to: infosec@trinity.edu
Requirements

Approvals:

  • Chief Information Officer

Terms and Definitions:

Term:

Definition:

Confidential Information
Sensitive personally-identifiable information that must be safeguarded in order to protect the privacy of individuals and the security and integrity of systems and to guard against fraud. This includes, but is not limited to:
  • Social Security numbers
  • Credit and debit card numbers
  • Bank account or other financial account numbers
  • Salary information
  • FERPA protected information
  • HIPAA protected information
  • Passwords, passphrases, PIN numbers, security codes and access codes
  • Tax returns
  • Credit histories or reports
  • Background check reports
Additionally, proprietary information, data, information, or intellectual property, in which the University has an exclusive legal interest or ownership right may also be considered confidential information. Examples include, but are not limited to:
  • Financial information
  • Business planning data
  • Data, software, or other material from third parties which the University has agreed to keep confidential

Malware
Any software designed with malicious intent. Examples include, but aren't limited to:
  • Viruses
  • Worms
  • Trojan horses
  • Spyware

Security Incident
Any event that threatens the confidentiality, integrity, or availability of University systems, applications, data, or networks. Examples of University systems include, but are not limited to:
  • Servers
  • Desktop computers
  • Laptop computers
  • Workstations
  • Mobile devices
  • Network equipment
Examples of Security Incidents include, but aren't limited to:
  • Unauthorized access
  • Intentionally targeted but unsuccessful unauthorized access
  • Accidental disclosure of Confidential Data
  • Infection by malware
  • Denial-of-service (DoS) attack
  • Theft or loss of a University system
  • The theft or physical loss of computer equipment known to store SSNs
  • Loss or theft of tablets, smartphones or other mobile device
  • A server known to have sensitive data is accessed or otherwise compromised by an unauthorized party
  • A firewall accessed by an unauthorized entity
  • A DDoS (Distributed Denial of Service) attack
  • The act of violating an explicit or implied security policy
  • A virus or worm uses open file shares to infect from one to hundreds of desktop computers
  • An attacker runs an exploit tool to gain access to a University server’s password file

Sensitive Personal Information
As defined by the Texas Senate Bill 122 means “an individual’s first name or first initial and last name combination with any one or more of the following data elements (when the name or data element is not encrypted):
  • Social security number
  • Driver’s license or government issued identification number
  • Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Does not include publicly available information that is lawfully made available to the general public from the Federal government or a state or a local government” (2-3).

Revision Management

Revision History Log:

Revision #:

Date:

Nature of Change:

Recorded By:

v1.0
8/14/2019 3:34 PM
New document
Courtney Cunningham