CONTENTS. Introduction Page 2. Scope.Page 2. Policy Statements Pages 2-3. Major IT Security Incidents Defined... Page 3



Similar documents
CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Standard: Information Security Incident Management

Data Security Incident Response Plan. [Insert Organization Name]

Computer Security Incident Reporting and Response Policy

IT Security Incident Management Policies and Practices

Computer Security Incident Response Team

Wellesley College Whistleblower Policy Adopted April 2009

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Information Security Incident Management Guidelines

Incident Response Plan for PCI-DSS Compliance

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Marist College. Information Security Policy

DUUS Information Technology (IT) Incident Management Standard

Computer Security Incident Response Team

Computer Security Incident Response Plan. Date of Approval: 23- FEB- 2015

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Information Technology Policy

Privacy and Security Incident Management Protocol

California State University, Chico. Information Security Incident Management Plan

DBC 999 Incident Reporting Procedure

UF IT Risk Assessment Standard

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9

Responsible Access and Use of Information Technology Resources and Services Policy

Privacy Incident and Breach Management Policy

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

HIPAA Security Alert

PRIVACY BREACH POLICY

Information Technology Services Information Security Incident Response Plan

Information Security Program CHARTER

Iowa Health Information Network (IHIN) Security Incident Response Plan

The intended audience is system administrators, Directors, and Department Heads.

Data Security Breach Management Procedure

University System of Maryland University of Maryland, College Park Division of Information Technology

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

Wright State University Information Security

The statements in this policy document establish HEALTHeLINK's expectations with respect to incident management.

How To Audit The Mint'S Information Technology

INFORMATION SECURITY INCIDENT REPORTING POLICY

Utica College. Information Security Plan

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

The University of Tennessee Chattanooga Incident Response Plan

CRITICAL/NON CRITICAL INCIDENT MANAGEMENT AND REPORTING PROCEDURE

Ohio Supercomputer Center

New River Community College. Information Technology Policy and Procedure Manual

Business & Finance Information Security Incident Response Policy

California State Polytechnic University, Pomona. Network Monitoring Guidelines

Network Security Policy

Personally Identifiable Information (PII) Breach Response Policy

INFORMATION TECHNOLOGY POLICY

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

Information Security Incident Management Policy

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

UBC Incident Response Plan

Incident Reporting Guidelines for Constituents (Public)

Incident categories. Version (final version) Procedure (PRO 303)

Cal Poly Information Security Program

INCIDENT RESPONSE POLICY & PROCEDURES

INFORMATION TECHNOLOGY SECURITY STANDARDS

TABLE OF CONTENTS. University of Northern Colorado

Information Incident Management Policy

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

ICT Security Incident Policy ITD

UCF Security Incident Response Plan High Level

Security Incident Policy

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America

PBGC Information Security Policy

Computer Use Policy Approved by the Ohio Wesleyan University Faculty: March 24, 2014

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Contact: Henry Torres, (870)

Cablelynx Acceptable Use Policy

Virginia Commonwealth University Information Security Standard

NC DPH: Computer Security Basic Awareness Training

EMERGENCY PREPAREDNESS AND CRISIS MANAGEMENT PLAN

COMPUTER AND NETWORK USAGE POLICY

Corporate Information Security Policy

DHHS Information Technology (IT) Access Control Standard

Audit, Business Risk and Compliance Committee Charter Pact Group Holdings Ltd (Company)

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

Network & Information Security Policy

R345, Information Technology Resource Security 1

University of Maryland Baltimore Information Technology Acceptable Use Policy

Data Breach Management Policy and Procedures for Education and Training Boards

Information Security Plan May 24, 2011

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

POLICY TEMPLATE. Date initially approved: November 5, 2013 Date of last revision: same

Helpful Tips. Privacy Breach Guidelines. September 2010

Incident Response Team Responsibilities

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Third Party Security Requirements Policy

Whistleblower. Category: Governance Number: Audience: All University Employees and Board of Governors Issued: February 10, 2014

Transcription:

POLICY TITLE: Policy POLICY #: CIO-ITSecurity 09.1 Initial Draft By - Position / Date: D. D. Badger - Dir. PMO /March-2010 Initial Draft reviewed by ITSC/June 12-2010 Approved By / Date: Final Draft reviewed by ITSC/Apr 26-2010 Final Draft(revised): 2011-May DDB/GB Last Revised Date: Approved: 2011-May-04 Michael Ridley Next Review Date: This Policy defines a standard University-wide process for managing major information technology security incidents, references related University Policies, outlines BRIEF DESCRIPTION: preparations in advance of incidents occurring, and specifies a coordinated and managed response and escalation process. A Policy Appendix charters an Information Security Incident Coordination Team (ISICT). CONTENTS Introduction Page 2 Scope.Page 2 Policy Statements Pages 2-3 Major IT Security Incidents Defined... Page 3 Incident Reporting and Management....Page 3 Responsibilities... Pages 4-5 Related Policies and References.. Page 6 Definitions.. Page 7 Version/Change and Approval History.. Page 7 Appendix.....Pages 8-9 Page 1 of 9

Introduction: All University of Guelph faculty, staff, students and contractors are guided by the Acceptable Use Policy for Computing and Networking Facilities (AUP). The AUP specifies the responsibilities of individual users, system administrators, IT service providers and management with regard to the utilization of University information technology (IT) services and resources. The AUP also specifies the complaint and resolution process of alleged acceptable use violations. The AUP will generally provide acceptable guidance for minor IT-related security incidents. This Policy defines a standard University-wide process for managing major IT security incidents in advance of their occurrence, and provides guidance in initiating rapid responses and appropriate escalation when a major IT security incident does occur (or is suspected). This Policy charters a standby Information Security Incident Coordination Team (ISICT). The University Chief Information Officer (CIO) is the executive sponsor of the ISICT. Appendix 1 documents when the ISICT would be activated and may involve University administration, judicial processes, Campus Community Police, and technical resources. This Policy references the University s Emergency Management Plan which details responsibility for major campus emergency situations or disruptions. This Policy references the University s policy on roles and responsibilities of groups and individuals for information technology security CIO-ITSecurity-02.1 Roles and Responsibilities. Scope: This policy applies to all University of Guelph students, staff, faculty and contractors, and all information technology systems, services, data and infrastructure owned by or operated for the University. Policy Statements: 1. This Policy defines major IT security incidents, a standard process for managing incidents, and specifies individual responsibilities including the protocol for incident reporting, resolution and follow-up activity. Page 2 of 9

2. This Policy establishes a stand-by Information Security Incident Coordination Team (ISICT) which will be invoked as required by the CIO (or designate). 3. ISICT will manage and support major incident response activities, including remediation, escalation and closure. 4. ISICT will assign technical resources as required to conduct immediate investigation of the sources or causes of major incidents. 5. When criminal activity is alleged or suspected, Campus Community Police Services must be engaged. 6. When unauthorized disclosure of sensitive/confidential data or personal information (as per Freedom of Information and Protection of Privacy (FIPPA) legislation) is alleged or suspected, the University Secretariat must be engaged. 7. This Policy authorizes assigned resources to take necessary measures to prevent the spread of any malware, and lock compromised computing accounts. Major IT Security Incidents Defined: Major IT-related security incidents include (but are not limited to) denial-ofservice attacks on enterprise application systems or IT infrastructure, theft or misuse of data, data breaches, criminal acts or violations of privacy legislation. A significant service level disruption to the University networking infrastructure or any major application system may be escalated to a major incident if the suspected root cause is security related. Any unauthorized intrusion that impacts the availability or integrity of critical IT services such as email, telephone, administrative systems, Internet access, or that affects large numbers of users will be considered a major security incident. Major security incidents also include enterprise application systems and/or databases that have been compromised by malware, by unauthorized use of administrative accounts, unauthorized disclosure of personal or sensitive information, and either loss or corruption of data. Page 3 of 9

Incident Reporting and Management: All members of the University community, including third-party contractors are required to report information security incidents (as defined within this Policy or the AUP). It is recommended that notification be provided to both the applicable Unit Manager/Chair and to the University IT Security Officer (ext. 58006, email: incident@uoguelph.ca). The process of incident management includes defined accountability and consistent, documented procedures. In addition to rapid response to incidents, important related actions include logging, analysis, reporting, communications, involvement of management, required notification to external parties, and debriefing. Responsibilities: All Members of the University Community including faculty, staff, students and contractors are responsible for the following: 1. Report any unusual or suspected improper computer activity (i.e. violations of the AUP) to their applicable supervisor, and the University IT Security Officer (ext. 58006, email: incident@uoguelph.ca). Designated system support technicians and network administrators are responsible for the following: 1. Report any unusual or suspected improper computer activity, security incident or alleged AUP violation to their applicable Unit Head/Department Chair and the University IT Security Officer. Suspected criminal activity (e.g. child pornography), or theft of IT assets should be reported directly to University of Guelph Community Police Services. 2. Avoid making any modifications to systems/equipment involved (or suspected of involvement) in the security incident until receiving instruction from the IT Security Officer. Disconnection from the network is the recommended action. Page 4 of 9

Department Chairs/Managers/Unit Heads are responsible for the following: 1. Ensure any unusual or suspected improper computer activity, security incident or alleged AUP violation is reported to the University IT Security Officer and their applicable Dean/Director. 2. Ensure any suspected criminal activity (e.g. child pornography), or theft of IT assets is reported to University of Guelph Community Police Services. The IT Security Officer is responsible for the following: 1. Record/log and document all reports of major IT incidents. 2. Verify the existence (and boundary extent if possible) of reported incidents. 3. Make a preliminary assessment of the incident s impact and current status (N.B. Refer to Appendix 1: ISICT). 4. Report major incidents to the Chief Information Officer (CIO). 5. Establish and maintain communication with applicable Department Chairs or Managers of the affected units or systems. 6. Recommend the CIO convene the Information Security Incident Coordination Team (ISICT) when appropriate (see Appendix 1). 7. Advise University of Guelph Community Police Services when criminal activity is alleged. 8. Advise University Secretariat if a data breach involving confidential records or personal information is alleged. 9. Liaise with University of Guelph Community Police Services and external forensic consultants (if required) to gather evidence as may be required. The Chief Information Officer (CIO) is responsible for the following: 1. Receive notice of major IT incidents from the IT Security Officer or other source (internal or external to the University). 2. Receive recommendations from the IT Security Officer to convene the Information Security Incident Coordination Team (see Appendix 1). 3. Authorize the convening of the ISICT when necessary. Page 5 of 9

4. Ensure senior management is kept apprised of the incident, including members of the Campus Control Group. 5. Coordinate communications with relevant stakeholders and the University community as necessary. Related Policies and References: 1. University of Guelph Emergency Management Plan. The Emergency Management Plan is triggered when an incident has the potential to interrupt the normal activities of the University for an extended period of time. 2. Acceptable Use Policy. All University of Guelph faculty, staff, students and contractors are guided by the AUP regarding the use of Computing and Networking Facilities. The purpose of the Acceptable Use Policy (AUP) is to identify situations where unacceptable use of systems or networks affects the teaching, learning, research, services or administrative missions of University or compromises the security of systems or data. It also outlines the complaint and resolution process used to resolve any allegations of inappropriate activity. 3. CIO-ITSecurity-02.1 Roles and Responsibilities for Information Technology Security. This Policy defines the roles and responsibilities of groups and individual members of the University community who are responsible for information technology assets and security processes. 4. University Access and Privacy Policies. Reference the University Secretariat web-pages for detailed information regarding Freedom of Information and Protection of Privacy (FIPPA) legislation, and required actions if a privacy breach occurs. Page 6 of 9

Definitions: Data Breach: A data breach is an incident in which sensitive, protected or confidential data has been accessed, stolen or altered by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), confidential information or intellectual property. Denial of Service attacks: A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. The most common kind of DoS attack is simply to send more traffic to a network address than it was designed to receive. Service Level Disruption: An interruption or degradation of system/service availability or performance. Classification as major would be dependent upon the duration, severity and impact of the disruption (e.g. performance degradation versus lack of availability), the criticality of the application/service, and the suspected source of the disruption (i.e. security related). Version, Change and Approval History Final Draft w/revisions: Final Draft w/revisions: Final Draft w/revisions: Final Draft Issued: Circulation Draft Changes: Initial Draft Changes: Initial Draft Changes: Initial Draft Changes: May 2, 2011 - GB April 8, 2011 - DDB Feb. 1, 2011 - DDB Dec. 1, 2010 - DDB Nov. 12, 2010 - DDB June 11, 2010 - DDB May 18, 2010 - DDB April 30, 2010 - DDB Initial Draft Written: March, 2010 Authored by: D. D. Badger, CGA, CISA, CGEIT Director, IT PMO & Systems Assurance Page 7 of 9

Appendix 1 INFORMATION SECURITY INCIDENT COORDINATION TEAM Introduction: Incident management includes both detecting and responding to security incidents and taking proactive steps to prevent incidents from occurring. A formalized Incident Coordination Team has responsibility for managing and supporting rapid response to major IT security incidents. Purpose: The rationale for chartering an Security Incident Coordination Team is to: 1. Create the capability for planning for major IT security incidents in advance. 2. Specify a consistent predetermined course of action for investigations and incident resolution. 3. Identify the individuals and units that need to be involved in investigating and resolving a major IT security incident. 4. Facilitate rapid response to major disruptions of IT systems or services. 5. Develop consistent escalation and notification processes for managing major IT security incidents. Goals: Create a stable cadre of staff who understand both major functional business processes and the general nature of the University s information technology infrastructure and enterprise systems. Develop familiarity with the fundamentals of incident handling processes. Develop standard protocols for classifying, prioritizing, responding to and containing security incidents, and escalation. Consult with IT experts and appropriate University units with specific technical expertise as required. Refer incidents and/or findings to appropriate University tribunal and/or grievance processes consistent with relevant University policies. Analyze incidents after resolution to identify weaknesses in response processes, applications and infrastructure. Page 8 of 9

ISICT Charter: The Chief Information Officer (CIO) is the formal sponsor of the Information Security Incident Coordination Team (ISICT). The CIO will appoint each member of the ISICT in conjunction with their applicable Unit Manager. The ISICT will be a stand-by team of individuals selected for their institutional knowledge of business processes and the University s technology infrastructure. An important aspect of the ISICT capability is planning in advance for adverse events. When a major incident (disruption or attack) is in progress, decisions have to be made quickly. The ISICT has a mandate to develop standard protocols and capabilities for timely responses which are appropriate, efficient, and thorough. The IT Security Officer will chair the ISICT as the CIO s designate, and manage the logistics of arranging immediate response to the applicable incident. ISICT Activation: The ISICT will normally be convened when deemed necessary upon the recommendation of the IT Security Officer, subject to the approval of the CIO (or designate). The applicable supervisors of each ISICT member will be notified (concurrently with the members) when the ISICT is convened. The Charter (above) provides for convening of the ISICT in advance of major incidents for incident response planning and development of standard practices. Major security incidents which trigger the (recommended) activation of the ISICT can not be fully anticipated or documented herein. ISICT activation would normally be recommended based on a preliminary assessment of the incident s characteristics and operational impact, but could be triggered by any of the following: 1) A data breach (i.e. unauthorized exposure) of sensitive or confidential University data (including personally identifiable information), the source or cause of which is initially unknown or uncertain. 2) A serious and on-going disruption of an enterprise business system or central technology service/infrastructure, the cause of which is suspected to be security-related. 3) A multi-site (or multi-node) security event, affecting multiple computers or many users. 4) An intrusion in progress with the potential to seriously damage or disrupt operations. 5) A security-related threat, not currently active, but having campus-wide scope or involving enterprise/critical systems or infrastructure. 6) Any security-related incident which involves external media (press), or a potential breach of legislative compliance (e.g. FIPPA). Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information