
Administrative Policy: Operational

Data Security Incident Response Plan

Policy Number: 3349-OP-203
Effective Date: 07/01/2017
Updated:
Reviewed:
Responsible Department: Administration & Finance, Office of the General Counsel
Applies To: Any University employee, or any other person, who believes a breach or potential compromise (both electronic and non-electronic) of student, employee, alumni and donor, financial or research data has occurred

A. Purpose

This plan establishes the University's response when student, employee, alumni and donor, financial or research data, including personally identifiable data, may have been subject to compromise. This incident response plan provides guidance for identification, containment, notification, verification, investigation, and remediation of such incidents.

B. Responsibility

Any University employee, or any other person, who believes a breach or potential compromise (both electronic and non-electronic) of student, employee, alumni and donor, financial or research data has occurred is required to adhere to the steps outlined in this Incident Response Plan.

C. Identification

The first step in an incident response is to identify a breach or potential compromise of personally identifiable data. Identification of a breach can occur through (but is not limited to) the following methods:

  1. A report from a third party;
  2. An anonymous complaint of unauthorized use or misuse of data;
  3. An alert from a security monitoring system, such as an intrusion-detection or intrusion-prevention system, a firewall, a file-integrity monitoring system, or a network infrastructure device that detects suspicious wireless access points physically connected to the network and used to intentionally circumvent University policy and security controls;
  4. The routine monitoring of activity and/or access logs;
  5. Vulnerability scans;
  6. A report from an internal user of University systems; or
  7. Suspicious circumstances beyond normal processes.

D. Containment

Containment is the next step: it limits further exposure of the breached data, preserves potential evidence, and prepares for an investigation of the incident. Containment steps for an electronic device include:

  1. Not accessing or altering the compromised device
  2. Not removing power to the device (powering it off destroys volatile evidence such as memory contents and active network connections)
  3. Immediately terminating the network connection to the device or disabling its wireless adapter
  4. Isolating the device from access by others
  5. Documenting how the breach was detected and the state of the device at that point in time; and
  6. Documenting the steps taken to contain and isolate the device.

Containment steps for non-electronic exposure include:

  1. Identifying and collecting all documents that may have been compromised
  2. Documenting how the breach was detected; and
  3. Documenting the steps taken to contain and isolate the documents.

E. Internal Notification

In the event of a breach or potential compromise of data, notification must be made immediately to the Chief Operating Officer at 330-325-6718 and to the Information Technology (IT) Senior Systems Manager at 330-325-6233. If it is after business hours, contact the NEOMED Police Department at 330-325-5911.

If the data breach involves the theft of physical property, the NEOMED Police Department should be contacted at 330-325-5911. A copy of the police report should be given to the Finance and Administration and IT Departments, and the NEOMED Police Department should be given contact information for the related departments for follow-up. Upon verification of a breach of electronic data, the IT Department or other responsible area will be responsible for immediately assembling the Response Team. Upon verification of a breach of non-electronic data, the Office of General Counsel will be responsible for immediately assembling the Response Team.

F. Response Team

The following Response Team will be assembled:

  1. Information Technology Department

Senior Systems Manager, 330-325-6233
Information Technology Director, 330-325-6799
Project Manager, 330-325-6238

  2. Risk Management

Chief Operating Officer, 330-325-6718

  3. NEOMED Police Department

Chief of Police, 330-325-5911

  4. General Counsel

General Counsel, 330-325-6356
Associate General Counsel, 330-325-6358

  5. Other Members as Needed May Include

Controller, 330-325-6375
Director of Human Resources, 330-325-6726
Director of Research and Sponsored Programs, 330-325-6498 (where funded research is involved)
Director of Financial Aid, 330-325-6481

G. Verification

The Information Technology Department will lead preliminary efforts in verifying a breach of electronic data. The other relevant departments will lead efforts in verifying a breach of non-electronic data. If evidence of a criminal offense is discovered, the NEOMED Police Department will be notified and may collaborate with other federal, state, and local law enforcement agencies as appropriate. A criminal investigation may be conducted in parallel with the University's response, may supersede it, or may require further authorization before the University takes any additional action.

H. Investigation

  1. Breaches involving electronic data: For breaches of electronic data, the investigation will be the combined responsibility of the Information Technology Department and the NEOMED Police Department. The investigation will include, but is not limited to, the following:
    1. Interviewing the person(s) who discovered the breach or potential compromise of data.
    2. Requiring the person who identified the breach to fill out page 1 of an Incident Response Form (located at the end of this document).
    3. Collecting and preserving evidence such as:
      1. Recording the scene (either through photos or video)
      2. Collecting affected hardware
      3. Acquiring activity and/or access logs for the device
      4. Acquiring the recent history of users of the device
      5. Retaining documentation of any associated alerts from security monitoring systems
      6. Obtaining video surveillance history and key-swipe logs for any area accessed without authorization; and
      7. Maintaining chain-of-custody records for evidence collected.
    4. Determining the scope of the breach:
      1. Determining if the breach is likely to be duplicated, or extends beyond a single device
      2. Ceasing operation of certain hardware or physical areas where there is a reasonable belief the breach could be repeated; and
      3. Providing alternatives to the affected area to maintain business operations.
    5. Having the IT lead complete an Incident Response Report.
  2. Breaches involving non-electronic data: For breaches of non-electronic data, the investigation will be the combined responsibility of the relevant department and the NEOMED Police Department. The investigation will include, but is not limited to, the following:
    1. Interviewing the person(s) who discovered the breach or potential compromise of data.
    2. Requiring the person who identified the breach to provide a statement for the Incident Response Report.
    3. Collecting and preserving evidence such as:
      1. Acquiring activity and/or access logs surrounding the breached data
      2. Acquiring the recent history of users with access to the breached data
      3. Retaining documentation of any findings; and
      4. Maintaining chain-of-custody records for evidence collected.
    4. Determining the scope of the breach:
      1. Determining if the breach is likely to be duplicated
      2. Determining if there is a reasonable belief the breach could be repeated; and
      3. Providing alternatives to the affected area to maintain business operations.
    5. Determining if notification is required.

I. Recovery/External Notification/Remediation

The information gathered during the investigation will allow for assessment of functional impact, informational impact, and remediation.

  1. The Information Technology Department will be responsible for the following:
    1. Remediating any compromise to network or device security
    2. Documenting data including names and contact information of affected parties
    3. Providing backup and any necessary network, log, scan, and device data to any investigative body within the legal requirements; and
    4. Aiding in providing resources necessary for the University to coordinate communication to all entities listed within this plan.
  2. The relevant or affected department will be responsible for the following:
    1. Formally documenting the event
    2. Consulting with the Office of the General Counsel, Risk Management personnel, and the Public Relations Department to determine notification procedures and credit reporting resources; and
    3. Coordinating a follow-up to, and update of, the investigation within an appropriate time frame.
  3. The Office of the General Counsel will be responsible for providing breach notification to all affected parties as appropriate.
  4. The University's Public Relations Department will be responsible for disseminating information to the media in consultation with the Office of General Counsel and, if appropriate, the Information Technology Department.
