The 色狐入口 Data Incident Response Plan outlines the University’s actions following a data breach or other type of data-related incident in order to ensure timeliness of response, compliance with applicable laws and regulations, and consistency in all aspects of the University’s response.
Academic institutions face a barrage of malicious cyber attacks as a result of actors attempting to capture confidential and/or protected information. Institutions are at risk because of the kinds of sensitive information they maintain. Data incidents can occur anywhere that information resides, including computer systems, portable media, etc.
色狐入口 is committed to protecting the privacy of its community, which includes safeguarding the sensitive and protected data that is owned and maintained by the University. 色狐入口 has taken many steps to reduce the risk of breach of such data, many of which are outlined in the University’s Written Information Security Plan (WISP). However, no protection is foolproof; therefore, 色狐入口 must be prepared to respond to an incident if one should occur.
In accordance with federal and state laws and regulations, 色狐入口 is required to provide notice about security breaches of protected information at the University to affected individuals and appropriate state agencies. 色狐入口 is also committed to protecting other kinds of sensitive institutional information that is maintained at the University. If sensitive and/or protected information at 色狐入口 is exposed as a result of an incident, the University must take steps to:
Accomplishing the above tasks will necessarily involve individuals from diverse areas of the University and will require that a plan be in place to address an incident before it occurs. The purpose of this plan is to outline the University’s response to a data incident, including procedures for reporting an incident and individual team members’ responsibilities following an incident.
The Data Incident Response Plan addresses four types of information compromises:
The scope includes all computing devices (both University-owned and personal), including computers, servers, portable media, and external hard drives or other mobile devices, and paper records, which contain Confidential data. All 色狐入口 employees who maintain or access Confidential data, both electronic and paper, at the University must comply with this plan.
Breach of security. The unauthorized acquisition or use of sensitive or protected data that creates a substantial risk of identity theft, fraud or harm to the reputation or business interests of an individual or institution.
Compromised computer. Some ways a compromised computer can be identified include: The computer user suspects that his/her system is exhibiting suspicious behavior or has suspicious files stored on the device; network or system logs indicate unusual network behavior coming from or going to the device; or individuals either at 色狐入口 or from outside of the University report cyber-attacks or unusual network behavior emanating from the device.
Confidential data. Refers to any information, both paper and electronic, that is protected by Federal, state, or local laws and regulations, or other sensitive personal and institutional data where the loss of such data could harm an individual’s right to privacy or negatively impact the finances, operations, or reputation of 色狐入口. Protected data includes Personally Identifiable Information, student education records, and Protected Health Information (PHI). For a more complete description of these terms and the types of data identified as Confidential, see the University’s Written Information Security Plan (WISP) and the related policies cross-referenced at the end of this document.
Personally Identifiable Information (PII). Personally Identifiable Information (PII) is a person’s Social Security number or the first name or first initial and last name of a person linked to any one or more of the following data elements that relate to the person:
色狐入口 employees. Includes all 色狐入口 employees, whether full- or part-time, including faculty, staff, contract and temporary workers, hired consultants, interns, and student employees.
The CIO (the ISP Coordinator as designated by the University’s WISP) is charged with the identification of all data security incidents involving electronic data or paper records where the loss, theft, unauthorized access, or other exposure of Confidential data is suspected. When the CIO confirms an incident involving Confidential electronic data, the CIO will contact the VP for Business and Finance or the University Chief of Staff. This individual will consult with the Critical Incident Management Team (CIMT) Manager, who will convene the Critical Incident Management Team (CIMT) as needed. The CIMT Manager is responsible for coordinating CIMT and determining appropriate actions in their response to the incident.
The CIMT includes representatives from several college departments. The CIMT Manager, in consultation with the CIO, will determine which CIMT members will respond to the incident depending on the nature of the incident. CIMT will designate an on-site Incident Leader, typically the VP for Business and Finance or CIO, who will oversee the investigation of the incident and involve legal counsel, local, state, and federal law enforcement as necessary. The severity of the incident will determine the nature of the investigation, including what authorities are involved and how evidence is collected.
The CIO will document all breaches and subsequent responsive actions taken. All related documentation will be stored in the Business and Finance Office and in Information Services records.
All 色狐入口 employees are responsible for identifying and reporting potential security breaches.
For suspected data incidents, the CIO and their designated staff members will:
If an incident involving Confidential data is confirmed, the CIO will inform the VP for Business and Finance or the University Chief of Staff who will:
Any employee who neglects to report a known security breach, or who fails to comply with this plan in any other respect, may be subject to disciplinary action.
This plan is effective May 1, 2024.
Last update: 05-20-2024