General Description
Purpose:
The purpose of this policy is to provide the basis for an appropriate response to incidents that threaten the confidentiality, integrity, and availability of university digital assets, information systems, and the networks that deliver the information. The Incident Response Policy provides a process for documentation, appropriate reporting internally and externally, and communication to the community as part of an ongoing educational effort. Finally, the policy establishes responsibility and accountability for all steps in the process of addressing computer security incidents.
Scope:
Policy Content
Safety - If the system involved in the incident affects human life or safety, responding in an appropriate, rapid fashion is the most important priority.
Urgent concerns - Departments and offices may have urgent concerns about the availability or integrity of critical systems or data that must be addressed promptly. Appropriate ITS staff shall be available for consultation in such cases.
Scope - Work to promptly establish the scope of the incident and to identify the extent of systems and data affected.
Containment - After life and safety issues have been resolved, identify and implement actions to mitigate the spread of the incident and its consequences. Such actions might well include requiring that affected systems be disconnected from the network.
Preservation of evidence - Promptly develop a plan to identify and implement steps for the preservation of evidence, consistent with needs to restore availability. The plan might include steps to clone a hard disk, preserve log information, or capture screen information. Preservation of evidence should be addressed as quickly as possible in order to restore availability of the affected systems as soon as practicable.
Investigation - Investigate the causes and circumstances of the incident, and determine future preventative actions.
Incident-specific risk mitigation - Identify and recommend strategies to mitigate the risk of harm arising from this incident.
Legal duty to notify
Length of compromise
Human involvement
Sensitivity of compromised data
Existence of evidence that data were compromised
Existence of evidence that affected systems were compromised for reasons other than accessing and acquiring data
Additional factors recommended for consideration by members of the Incident Response Team
ITS shall maintain a log of all confidential information Security Incidents, recording the date, type of confidential information affected, number of subjects affected (if applicable), summary of the reason for the breach, and corrective measures taken.
ITS shall issue a report for every confidential information Security Incident describing the incident in detail, the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
ITS shall provide annually to the Chief Information Officer a report containing statistics and summary-level information about all known confidential information Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.
Performance Evaluation
Consequences of Policy Violation:
Any behavior in violation of this policy is cause for disciplinary action. Violations will be adjudicated, as appropriate, by the CIO, the Office of the Dean of Students, the Office of Housing and Residential Life, and/or the Office of Human Resources. Sanctions for violations of this policy may include, but are not limited to, any or all of the following:
- Attending a class or meeting on Security Incident issues, as well as successful completion of a follow-up quiz;
- Loss of University computing, email and/or voice mail privileges;
- Disconnection from the residential hall network;
- University judicial sanctions as prescribed by the student Code of Conduct;
- Monetary reimbursement to the University or other appropriate sources;
- Reassignment or removal from University housing and/or suspension or expulsion from the University;
- Prosecution under applicable civil or criminal laws;
- Employees may be subject to disciplinary action.
Data and systems compromises and the exposure of personal and restricted information should be reported immediately to: infosec@trinity.edu
Terms & Definitions
Terms and Definitions:
Term: | Definition: |
---|---|
Confidential Information | Sensitive personally-identifiable information that must be safeguarded in order to protect the privacy of individuals and the security and integrity of systems and to guard against fraud. This includes, but is not limited to: Additionally, proprietary information, data, information, or intellectual property, in which the University has an exclusive legal interest or ownership right may also be considered confidential information. Examples include, but are not limited to: |
Malware | Any software designed with malicious intent. Examples include, but aren't limited to: |
Security Incident | Any event that threatens the confidentiality, integrity, or availability of University systems, applications, data, or networks. Examples of University systems include, but are not limited to: Examples of Security Incidents include, but aren't limited to: |
Sensitive Personal Information | As defined by Texas Senate Bill 122, this means “an individual’s first name or first initial and last name combination with any one or more of the following data elements (when the name or data element is not encrypted): |
Revision Management
Revision History Log:
Revision #: | Date: | Recorded By: |
---|---|---|
v1.0 | 8/14/2019 3:34 PM | Courtney Cunningham |
Vice President Approval:
Name: | Title: |
---|---|
Gary Logan | Vice President for Finance & Administration |