Information Technology Policies

X-99.11(A)

UMB IT Incident Response Policy

Information Technology   |   Approved September 11, 2017


Responsible VP/AVP

Peter J. Murray, PhD, CAS, MS


Revision History

Technical revisions updated September 11, 2017.


Policy Statement

Computer security incident response has become an important component of information technology (IT) programs. 

Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.

An information security incident is any event that results in a loss or compromise of data or a loss of the ability to work with those data. Security threats can arise from accidental or intentional acts. Threats may come from external parties or internally from the workforce. While preventive measures lessen a threat, they cannot eliminate it. Organizations must be able to detect, respond to, report and learn from security incidents.

Information – whether in printed, verbal, or electronic form – and information systems have become critical parts of the infrastructure supporting UMB’s operations and innovations. This increased dependence has occurred against a backdrop of increasing uses of information for business purposes, technological complexity, security and privacy threats, legal mandates, and ethical expectations, leading to more significant operational, reputational, and financial consequences of service interruptions and unauthorized information exposures or modifications.

Yet, in spite of the most vigilant efforts to minimize them, incidents will occur that jeopardize the security and privacy of information and information systems. The institution's process of preparing for, preventing, detecting, responding to, and tracking these events has a significant impact on reducing their frequency and severity.

Legal and contractual mandates increasingly require expeditious reporting of certain breaches to regulatory or governmental authorities, in some cases as soon as 24 hours after discovery, and/or to the individuals affected.

Therefore, a coordinated, consistent, efficient, and effective approach to identifying, investigating, and handling potential information and information system breaches is needed.

Scope

Information – whether in printed, verbal, or electronic form – created, collected, stored, manipulated, transmitted or otherwise used in the pursuit of UMB’s mission, regardless of the ownership, location, or format of the information.

Information systems used in the pursuit of UMB’s mission irrespective of where those systems are located.

Individuals encountering such information or information systems regardless of affiliation.

Responsibilities

To comply with the USM IT Security Standards, which require USM institutions to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.

Definitions

Breach - the acquisition, access, use, or disclosure of information in a manner not permitted under existing law or university policy that compromises the security or privacy of the information (i.e., poses a significant risk of financial, reputational, or other harm to the individual and/or university).

Education Records (Family Educational Rights and Privacy Act (FERPA)) - any records, files, documents, and other materials that are maintained by an educational agency or institution, or by a person acting for such agency or institution. Education records generally include, but are not limited to, student transcripts, GPA, grades, social security numbers, academic evaluations, psychological evaluations, reference letters and resumes. In addition, any Educational Records, as defined and when protected by 20 U.S.C. §1232g; 34 CFR Part 99 (FERPA), in the authoritative system of record for student grades. While FERPA itself does not contain specific breach notification requirements, it requires the recordation of each instance of data disclosure.

Information system - a discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.

Personally Identifiable Information (PII) - Under Maryland State Government Article, §10-1301 (SB 676 - 2012), personal information is defined as:

An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements: a social security number; a driver’s license number, state identification card number, or other individual identification number issued by a unit; a passport number or other identification number issued by the United States government; an individual taxpayer identification number; or a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.

Protected Health Information (PHI) - any information created, maintained or received, via any communication or record retention format, by any entity such as a provider, insurance plan, employer, or university that identifies an individual and any services regarding their health care or health payments relating to their past, present, or future health status. In addition, any Protected Health Information (PHI), as the term is defined in 45 Code of Federal Regulations 160.103 (HIPAA).

Security Incident - the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Security incident also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents, misrouting of mail, or compromise of physical security, all of which may have the potential to put the data at risk of unauthorized access, use, disclosure, modification or destruction.

Policy

Per the procedures below, all individuals are required to immediately report to the UMB Information Security Officer any:

Suspected or actual security breaches of personally identifiable information (PII) – whether in printed, verbal, or electronic form – or of information systems used in the pursuit of the university's mission.

Suspected or actual security breaches of Family Educational Rights and Privacy Act (FERPA) related information – whether in printed, verbal, or electronic form – or of information systems used in the pursuit of the university's mission.

Abnormal systematic unsuccessful attempts to compromise information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission.

Suspected or actual weaknesses in the safeguards protecting information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission.

The UMB Information Security Officer will:

Oversee and guide the incident management process to promote a coordinated, consistent, efficient, and effective response, and to ensure compliance with applicable breach notification laws and regulations, including any required notifications of individuals and/or regulatory or government officials. 

Leverage and coordinate with the experience, expertise, and resources of other university offices including applicable compliance offices and officers as necessary and appropriate.

Although the UMB Information Security Officer will coordinate incident response, ownership of the incident remains with the unit experiencing the incident, which must allocate unit resources to resolve the incident in a timely manner.

Reporting

Immediately report via the Online Incident Response Form any:

  • Suspected or actual incidents of a breach, loss, inappropriate disclosure, or inappropriate exposure of information used in the pursuit of the university's mission – whether in printed, verbal, or electronic form – including but not limited to those incidents involving the following information, systems, or processes:
    • Critical information such as personally identifiable information (PII), protected health information (PHI), credit card numbers, Social Security numbers, driver’s license numbers, or bank account numbers.
    • Lost or stolen mobile devices or media such as laptops, tablets, smart phones, USB drives, and flash drives.
    • Viewing of information without a demonstrated need to know (e.g., snooping).
  • Abnormal systematic unsuccessful attempts to compromise information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as:
    • Abnormal unsuccessful login attempts, probes, or scans.
    • Repeated attempts by unauthorized individuals to enter secured areas.
  • Suspected or actual weaknesses in the safeguards protecting information – whether in printed, verbal, or electronic form – or information systems used in the pursuit of the university's mission, such as:
    • Weak authentication processes.
    • Ability to access information you are not authorized to access.
    • Weak physical safeguards such as locks and access controls.
    • Lack of secure transport methods.

In cases where a unit has an information security, privacy, or compliance officer, incidents should be reported to both the UMB Information Security Officer and the unit officer.

If it is unclear as to whether a situation should be considered a security incident, the UMB IT Security Officer should be contacted to evaluate the situation.

With the exception of steps outlined below, it is imperative that any investigative or corrective action be taken only by the UMB IT Security Officer or authorized personnel. When faced with a potential situation, faculty and staff should do the following:

If the incident involves a compromised computer system:

Do not alter the state of the computer system: it should remain on, with all currently running programs left as they are. Do not shut down or restart the computer.

Immediately disconnect the computer from the network by removing the patch cable from the back of the computer.

Document any information you know while waiting for the UMB IT Security Officer to respond to the incident. This may include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

Incident Response

Upon receiving a report, the UMB Information Security Officer will:

  1. Attempt to determine if the security incident justifies a formal incident response. In cases where a security incident does not require an incident response, the situation will be forwarded to the appropriate area to ensure that all technology support services required are rendered.
  2. Ensure appropriate information and evidence is collected and logged.
  3. Immediately assess initial actual or potential loss, corruption, inappropriate disclosure, inappropriate exposure, or breach of information.
  4. Immediately advise and assist in containing and limiting the loss, corruption, inappropriate disclosure, inappropriate exposure, or breach.
  5. Invoke incident response procedures commensurate with the situation.
  6. Inform the University Chief Information Officer (CIO) and/or the University Chief Operating Officer (COO) of the initial situation and update throughout the investigation.
  7. As appropriate, ensure that the Office of the President and executive administration are informed of the initial situation and kept updated throughout the investigation.
  8. As appropriate, contact Campus Police and outside law enforcement for assistance.
  9. As appropriate, assemble an Incident Team to advise and assist in ongoing investigation and decision making. The nature of the incident and the type(s) of information involved will determine the make-up of the Incident Team, and it typically will include representatives from the unit experiencing the incident, Legal Counsel, Communications and Public Affairs, and/or the Compliance Officer for the school or department involved (e.g., the HIPAA Privacy and/or HIPAA Security Officer).
  10. As appropriate, perform forensics or other specialized technical investigation or recommend a third party to assist in the investigation.
  11. As appropriate, provide technical advice to the school or department IT staff, and ensure legal, compliance, Data Steward, media, and executive administration advice is made available to school and department administration in a timely manner.
  12. Initiate steps to warn other UMB schools and/or departments if the situation has the potential to affect other university information or information systems.
  13. Confirm actual or probable events from investigatory information and facilitate decision-making by the Incident Team.
  14. In coordination with the Incident Team members and following internal procedures, determine if notification to individuals and/or regulatory or governmental authorities is required and/or desired, and invoke breach notification procedures commensurate with the situation.
  15. Ensure appropriate university approvals are obtained prior to any notifications to individuals or regulatory and government officials.
  16. Document decisions and any notifications made to individuals or regulatory and government officials.
  17. Schedule a debriefing meeting with the unit and Incident Team after the response, to ensure appropriate corrective action in the affected school or department is taken, to identify any actions that could be taken to reduce the likelihood of a future similar incident, and to continuously improve the response processes.

Financing the Incident

The unit(s) experiencing the incident is/are responsible for all monetary, staff, and other costs related to investigations, cleanup, and recovery activities resulting from the compromise, response, and recovery. The unit(s) may consult with the Office of Insurance, Loss Control, and Claims as to methods for funding the incident.

Incident Confidentiality

Information regarding security incidents will be kept confidential by all parties involved. Only authorized personnel may disclose such information.
