RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology



Similar documents
RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Security Awareness Training Policy

Information Security Incident Management Guidelines

Information Security Policy

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

UBC Incident Response Plan

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Data Management & Protection: Common Definitions

Policy Title: HIPAA Security Awareness and Training

Standard: Information Security Incident Management

Data Security Incident Response Plan. [Insert Organization Name]

Network & Information Security Policy

How To Audit The Mint'S Information Technology

UCF Security Incident Response Plan High Level

Acceptable Use Policy

Wright State University Information Security

IMS-ISA Incident Response Guideline

Computer Security Incident Reporting and Response Policy

13. Acceptable Use Policy

Document Title: System Administrator Policy

Network Security Policy

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

University of Wisconsin-Madison Policy and Procedure

Information Security Incident Management Policy and Procedure

Data Management Policies. Sage ERP Online

UF IT Risk Assessment Standard

Cal Poly Information Security Program

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

California State University, Chico. Information Security Incident Management Plan

Incident categories. Version (final version) Procedure (PRO 303)

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

OLYMPIC COLLEGE POLICY

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Utica College. Information Security Plan

R345, Information Technology Resource Security 1

region16.net Acceptable Use Policy ( AUP )

Iowa Health Information Network (IHIN) Security Incident Response Plan

Virginia Commonwealth University School of Medicine Information Security Standard

IT Security Standard: Computing Devices

How To Monitor The Internet In Idaho

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

INFORMATION SECURITY Humboldt State University

Information Technology Policy

NC DPH: Computer Security Basic Awareness Training

ISO IEC ( ) TRANSLATED INTO PLAIN ENGLISH

Incident Response Guidance for Unclassified Information Systems

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

STATE OF NEW JERSEY Security Controls Assessment Checklist

INFORMATION SECURITY California Maritime Academy

The University of Tennessee Chattanooga Incident Response Plan

ACE Advantage PRIVACY & NETWORK SECURITY

Attachment A. Identification of Risks/Cybersecurity Governance

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Incident Reporting Guidelines for Constituents (Public)

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Cyril Onwubiko Networking and Communications Group ncg.kingston.ac.

United Tribes Technical College Acceptable Use Policies for United Tribes Computer System

Internet Acceptable Use Policy

Incident Response Plan for PCI-DSS Compliance

FACT SHEET: Ransomware and HIPAA

CONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT

Acceptable Use Policy

Cyber Incident Response

Contra Costa Community College District Business Procedure SECURITY CAMERA OPERATING PROCEDURE

Encryption Security Standard

CUNY New York Workplace Violence Policy and Procedures

B. Privacy. Users have no expectation of privacy in their use of the CPS Network and Computer Resources.

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

Acceptable Use Policy

REGION 19 HEAD START. Acceptable Use Policy

Commercial in confidence TELSTRA WHOLESALE ACCEPTABLE USE POLICY. Commercial-in-Confidence. Issue Number 1.5, 20 November 2012

DBC 999 Incident Reporting Procedure

Camera Use. Policy Statement and Purpose. Table of Contents

Transcription:

RUTGERS POLICY Section: 70.2.20 Section Title: Legacy UMDNJ policies associated with Information Technology Policy Name: Information Security: Incident Management Formerly Book: 95-01-09-02:00 Approval Authority: Vice President for Information Technology & Chief Information Officer Responsible Executive: Vice President for Information Technology & Chief Information Officer Responsible Office: Office of Information Technology (OIT) Originally Issued: 8/21/2012 Revisions: 7/1/2013 Errors or changes? Contact: oitpolicy@rutgers.edu 1. Policy Statement Fostering a culture of proactive incident reporting will help reduce the number of security incidents at Rutgers, The State University of New Jersey. The University has a clear incident reporting mechanism in place which details the procedures for the identifying, reporting and recording of security incidents. 2. Reason for Policy To ensure that information security incidents are reported, assessed, and their harmful effects are mitigated to protect Rutgers businesses. 3. Who Should Read This Policy This policy applies to any individual responsible for the management, operation, and/or maintenance of the legacy UMDNJ information technology services and/or environment. If you are uncertain whether this policy applies to you, please contact your direct supervisor. 4. Related Documents N/A 5. Contacts oithelp@rutgers.edu Page 1 of 9

6. The Policy 70.2.20 INFORMATION SECURITY: INCIDENT MANAGEMENT Actions that may represent a risk to the University s electronic information, information systems, or information technology infrastructure require a timely response to mitigate the risk to those assets and to the University s business services and operations. To assist with these efforts, all members of the Rutgers community must report any computer activity they believe to be suspicious or consider an unauthorized attempt to access, use, steal, or damage Rutgers electronic information, information systems, or information technology infrastructure (this includes missing computer equipment). Such security events can potentially negatively impact the confidentiality, integrity, and/or availability of the University s electronic information and information systems and threaten its businesses and overall mission. Reporting these events helps the University assess the risk and respond accordingly. Members of the Rutgers community should use their best judgment and err on the side of caution when deciding whether to report activity they believe may be suspicious or that constitutes a threat to the University or their respective organization. I. Reporting Suspicious Computer Activity and/or Stolen Computer Equipment A. Users Managers 1. If they detect or believe computer activity to be suspicious, and/or computer equipment (including mobile devices and removable media) is missing, users must report it to their manager or other managerial authority in their organization. 2. Theft of computer equipment must also be reported to Public Safety and OIT. 1. On notification of the activity or theft, managers must contact the Compliance Department to initiate an assessment of the activity and/or initiate an investigation of the missing equipment. 2. If student information is potentially involved, managers must also contact their local Registrar office. II. Communications and Assessment A. Coordination and Compliance Assessment The Compliance Department is the lead assessor for all reports of suspicious activities and/or missing computer equipment. They will coordinate and manage the communications amongst all parties involved with response to the event. B. Information Technology Risk Assessment The Information Protection and Security Office and Rutgers IT services organizations will assess if the event presents a larger technology risk to the University s electronic information, information systems, or information technology infrastructure across a campus (or campuses). Page 2 of 9

III. Response To assist Compliance with the investigation and respond to reports of suspicious activity, Compliance may request the services of other departments or organizations with the University. Risk Management and Legal are to be informed of suspected data breaches to ensure the timely and appropriate engagement of the University's risk mitigation partners and service providers. The Information Protection and Security Office and IT Services organizations will keep the Security Incident Response Team (SIRT) apprised of any reports that involve potential threats to the University's information technology infrastructure, services, and dependent information systems across the campus. The Security Incident Response Team: Members of various Rutgers organizations may become engaged in the incident response, depending on its categorization. Decision-makers in regards to responding to incidents that threaten the University s information technology infrastructure, services, and dependent information systems across the campus. IV. Incident Categorization Security incidents must be categorized according to the standards listed in the appendix. Categorization is necessary in order to uniformly assess the risk to the University s operations and determine the appropriate response. V. Incident Handling And Reporting A. Investigation Timeframe 1. Management personnel, technology personnel, and security response teams must begin investigating a reported event within 24 hours of the initial report of suspicious activity. 2. The Office of Ethics, Compliance and Corporate Integrity must be informed of suspicious activity related to electronic patient health information (ephi). 3. The local Registrar office must be informed of suspicious activity related to education records. B. The Incident Report must include the elements listed in the appendix. C. Lessons Learned Prepare a Lessons Learned document for incidents. The document must include the standard incident report information and establish the steps necessary to prevent or limit the risk of the incident recurring. Page 3 of 9

D. Record Retention Prepare and retain documentation for all evaluations of suspicious activity and incidents. See the Requirements section for additional information about record retention. VI. Requirements A. Communications 1. All communications (electronic or physical documents) related to suspicious activity or actual events and incidents must be retained according to legal requirements and the University s records management requirements. 2. Communications that may affect the integrity of an investigation are not to be destroyed or altered in any manner. B. Physical Assets 1. Hardware Hardware related to an investigation of suspicious activity and that may affect the integrity of an investigation is not to be destroyed or altered in any manner. 2. Documents a. Physical and electronic documents related to an investigation of suspicious activity that may affect the integrity of an investigation are not to be destroyed or altered in any manner. b. Physical and electronic documents must be retained according to legal requirements and the University s records management requirements. VII. Responsibilities A. President, Chancellors, Vice President for Information Technology & Chief Information Officer, Executive Vice President, Senior Vice Presidents, Vice Presidents, and Deans shall: 1. Ensure the implementation of this policy by the organizations under their purview. 2. Ensure the support of investigations and remediation of information security events or incidents involving their organizations electronic information or information systems. B. Vice President for Information Technology & Chief Information Officer and Information Security Officer shall develop, implement, and maintain an Information Security Incident Response Plan. The plan will support the Office of Ethics, Compliance and Corporate Integrity Data Breach Policy and Response Plan. Page 4 of 9

C. Users shall: 1. Report to their manager or other managerial authority (within 24 hours of detection) any computer activity they believe is suspicious or outside the normal course of business, regardless if conducted by an outside person or member of the Rutgers community. 2. Report to their manager or other managerial authority and to Public Safety (within 24 hours of detection) the loss or theft of computer equipment. D. Department managers and supervisors shall immediately: 1. Report to their local compliance officer or the Office of Ethics, Compliance and Corporate Integrity reports of suspicious activity or loss or theft of computer equipment. 2. Report to their school s dean or unit s Vice President suspicious activity that potentially presents a risk to their organization and to the University. 3. Report suspicious activity involving education records to the local Registrar office. E. Office of Ethics, Compliance and Corporate Integrity shall: 1. Coordinate the reporting of and response to reports of suspicious activities, including those involving the loss or theft of computer equipment. 2. Assess and determine the classification (e.g., Confidential, Private) and type (e.g., ephi, Personally Identifiable Information (PII)) of information involved. 3. Collect from each Rutgers organization assisting with the response all information related to the issue reported. F. Information Protection and Security and Rutgers IT services organizations shall: 1. Assess the technology risks to the University s electronic information, information systems, and information technology infrastructure. 2. Report to the SIRT any technology risks that may impact the University s business services and operations across a campus (or campuses). 3. Remediate technology risks as deemed appropriate to secure the operations of the University. 4. Document lessons learned. G. Department of Risk Management and Insurance and the Office of the Senior Vice President and General Counsel shall engage the University s risk mitigation and service partners as appropriate. Page 5 of 9

VIII. Non-Compliance and Sanctions Failure to comply with this policy may result in denial or removal of access privileges to the University s electronic systems, disciplinary action under applicable University policies and procedures, civil litigation, and/or civil or criminal prosecution under applicable state and federal statutes. Page 6 of 9

APPENDIX I. EVENT CATEGORIZATION This list is not comprehensive and other categories may be added to help with the reporting process. Security events must be categorized according to the potential impact or threat to the confidentiality, integrity, and availability of the University s electronic information and/or information systems. Categorization is necessary in order to assess the risk to the University s business services and operations, and to determine the appropriate response. A. Incident Types TYPE Attempted Intrusion Denial of Service Malicious Code Policy Violation Reconnaissan ce Activity Social Engineering System Compromise/ Intrusion Unauthorized Use DESCRIPTION A significant and/or persistent attempted intrusion that stands out above the daily activity and could result in unauthorized access of the target electronic information or information system. Intentional or unintentional denial of service (successful or persistent attempts) that affects or threatens to affect a critical service or denies access to all or one or more large portions of the University s network. All instances of successful infection or persistent attempts at infection by malicious code, such as viruses, Trojan horses, or worms. Access or use of the university s electronic information or information systems that violates Rutgers policies and may present a risk to the University s electronic information or information systems. Instances of unauthorized port scanning, network sniffing, resourcing mapping probes and scans, and other activities that are intended to collect information about vulnerabilities in the University s network and to map network resources and available services. An instance (or instances) where an attacker uses human interaction to obtain or compromise information about the University, its personnel, or its information systems. All unintentional or intentional instances of system compromise or intrusion by unauthorized persons, including user-level compromises, root (administrator) compromises, and instances in which users exceed privilege levels. Any activity that is not recognized as being related to University business or normal use. B. Incident Severity Levels Rating the severity of an incident is a subjective measure of its threat to UMDNJ s operations. The severity level helps determine the priority for handling the incident, who manages the incident, and the incident response plan. The following factors help determine severity level: Scope of impact, such as department, school or unit, campus, or University-wide. Criticality of the information system. Sensitivity of the information stored on or accessed through the system or service. Page 7 of 9

Probability of propagation. Is the incident contained or can it spread beyond its current boundaries? SEVERITY Critical High Medium Low DESCRIPTION Potential operational disruption across a campus or all campuses. May have one or more of the following characteristics: Possible breach of multiple critical information systems. Involves a significant number of sensitive records. May result in a breach notification to a significant number of patients, students, and/or employees. Is likely to be the subject of national or regional press coverage. Is likely to result in notification to a federal or state regulator. Could otherwise negatively impact or present a significant to the University. Potential operational disruption of a school or unit (e.g., NJMS, UBHC). May have one or more of the following characteristics: Possible breach of multiple critical information systems. Involves a significant number of sensitive records. May result in a breach notification to a significant number of patients, students, and/or employees. Is likely to be the subject of national or regional press coverage. Is likely to result in notification to a federal or state regulator. Could otherwise negatively impact or present a significant risk to the University. Impact to a business unit that is serious and possibly results in an operational disruption. May have one or more of the following characteristics: Is the result of malicious activity. Could or has resulted in the breach of one or more of the business unit s critical information systems. May result in a breach notification to a significant number of patients, students, and/or employees. Involves a significant number of sensitive records handled by the business unit. Is an unauthorized attempt to access, use, or steal sensitive records handled by the business unit. Impact to a business unit is minor and may present an operational risk if not addressed immediately. May have one or more of the following characteristics: Is the result of intentional attempts to breach a critical information system? Is the result of multiple SPAM or virus attacks targeting the business unit? Page 8 of 9

II. INCIDENT HANDLING AND REPORTING The Incident Report must include: Name of the business unit. Name of the school or unit. Contact information of the person reporting the event (name, telephone, and email address). If the security event is an anonymous report forwarded by the Office of Ethics, Compliance and Corporate Integrity, use the name of the compliance officer who sent the report. Physical location of the affected information system. The classification of the information, i.e., confidential, private, internal, or public. The type of information, such as, ephi, student information, or financial information. Date and time when the suspicious activity was detected. Date and time when the suspicious activity was reported. Incident type and severity level. This information may change during the course of an investigation, and initially only reflects the assessment at the time of detection and reporting. The SIRT will update this information during the course of the investigation. Suspected method of intrusion or attack. Suspected origin or cause of event or incident. Remediation methods. Lessons Learned Prepare a Lessons Learned report for incidents. The report must include the standard incident report information and establish the steps necessary to prevent or limit the risk of the incident recurring. The report shall be submitted to the Vice President for Information Technology and Chief Information Officer, the Office of Ethics, Compliance and Corporate Integrity, the Office of Legal Management, and Risk Management. The report may be submitted to other University entities when necessary. Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information