5.6 Incident Response
The primary purpose of this policy is to establish the baseline approach and appropriate response to any Information Technology (IT) Security Incidents that may threaten the confidentiality, integrity, and availability of college Information Technology Resources. The secondary purpose of the policy is to establish the responsibility and accountability for all steps in the process of addressing and remediating any IT Security Incident.
Information Technology Resource(s) – includes but is not limited to the following: computer and networking equipment, workstations, laptops, software, operating systems, storage devices and media, network accounts, email services and email accounts, Internet browsing and related services, voice mail, applications, scanning and fax systems, tablets, and smartphones.
Systems – same as Information Technology Resources.
User – faculty member, staff member, employee, agent, authorized representative, or student that has access to college Information Technology Resources.
Institutional Data - all data that is necessary to the management and operation of the college that exists in electronic, digital, printed, or other forms. This information is an asset of the college, is owned by the college, and is intended to be used solely for the operation of the college in carrying out its mission.
Identity Theft - fraud committed or attempted using the identifying information of another person without authority.
Personally Identifiable Information (PII) – any information about an individual including but not limited to education, financial transactions, medical history, criminal or employment history, and information which can be used to distinguish or trace an individual’s identity such as their first and last name, social security number, email address, date and place of birth, mother’s maiden name, biometric records, etc. including any other personal information which is linked or linkable to an individual. PII Data is classified as restricted data by the college.
IT Security Incident - the successful unauthorized access, use, disclosure, modification or destruction of data or interference with system operations in an information technology resource. Included in the definition is the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents or the compromise of physical security.
IT Reportable Incident - the unauthorized acquisition, access, use, or disclosure of unencrypted PII or other data that is classified by the college as restricted in a manner not suitable for public release, or permitted under existing law or college policy.
Table Top Exercise – an exercise in which realistic scenarios are presented in a low-stress environment where plans are developed for responding to an unfolding situation.
General Policy Statements
This policy outlines the guidelines to be followed for the protection of college Information Technology Resources, the applicable laws to which the college adheres in the event that an IT Reportable Incident occurs and the responsibilities of each member of the Incident Response Team.
In order to facilitate the accurate and productive response to IT Incidents, all IT Incidents will be classified for severity when initially reported. As an IT Incident progresses, its classification may be reevaluated and changed as necessary to ensure proper handling and remediation.
Unsolicited PII from a student or parent transmitted through an unsecured manner is not considered an IT Reportable Incident.
Required Policy Actions
All Users are required to report immediately to the college Information Technology Security Officer any suspected or actual IT Security Incident. This includes:
- any unauthorized access to college Information Technology Resources, or,
- any attempt to compromise, alter, negatively impact, or destroy college Institutional Data or
Information Technology Resources, or,
- any unauthorized interception, monitoring or disabling of electronic communications, or,
- any suspected or actual weaknesses in the existing safeguards protecting the college Information Technology Resources or Institutional Data.
Any User who becomes aware of an Information Security Incident should disconnect the compromised system and equipment from the college network or can contact the ITS Help Desk to have it disconnected or communications disabled. The compromised system cannot be reconnected to the college computing infrastructure until such time that the Incident Response Team has concluded its investigation and authorizes the activity.
The Incident Response Team:
- is responsible for investigating suspected or actual IT Security Incidents or IT Reportable Incidents in a timely, cost-effective manner, and documenting and reporting the findings to college leadership.
- will invoke the process and procedures as defined in the IT Incident Response Procedures when an IT Security Incident or IT Reportable Incident is reported.
- Is authorized to take any appropriate steps deemed necessary to contain, mitigate or resolve any suspected IT Security Incident or IT Reportable Incident is reported.
- will conduct periodic table top exercises and the results of the exercises will be documented.
Any device not owned and/or authorized by the college which is using the college Information Technology Resources and is found to be the target, source or participant to an IT Incident may be subject to immediate suspension of services without notice until the threat has been remediated or the device in no longer deemed a threat.
During the course of the investigation of an IT Incident if it is determined that unencrypted PII or restricted data may have been compromised or leaked or that unauthorized access was obtained to any college Information Technology Resources, law enforcement officials and regulatory authorities will be notified.
Regulatory Notifications and Internal Reporting Requirements
The required regulatory and legal requirements will be adhered to for any IT Reportable Incident. The reporting requirements are detailed in the Information Technology Incident Response Procedures.
The Incident Response Team will invoke the internal escalated paths as defined in the Information Technology Incident Response Procedures.
Incident Response Team Responsibility Matrix
|IT Security Officer||
|Director – Systems||
|Director – Network and Infrastructure Services||
|Director – Financial Aid||
|Executive Director – Human Resources||
|Executive Director – Marketing and Public Relations||
|Executive Director – Security and Safety||
Risk Classification Matrix
|Level||Classification (derived from FIPS 199 Standard)||Characteristics||Incident Response Team Activation|
|Critical||The unauthorized disclosure, modification, destruction, or access to information could be expected to have a severe or catastrophic adverse effect on operations, assets, or individuals.||
|High||The unauthorized disclosure, modification, destruction, or access to information could be expected to have a serious or adverse effect on operations, assets, or individuals.||
|Medium||The unauthorized disclosure, modification, destruction, or access to information could be expected to have limited adverse effect on operations, assets, or individuals.||
|Low||Occurrences of minor focus that are deemed inconsequential with no negative effect on system operations.||
IT Security Officer & Vice President, Technology & CTO