Information Services -
Data Security Incident Response Policy
Reason for this Policy
A formal policy for the reporting of and response to IT
Incidents is necessary to ensure the secure operation of
IT Resources, to protect the data security and privacy
of students, faculty, and staff, and to respond
appropriately to IT Incidents.
This policy sets forth a set of general requirements for
the efficient response to IT Incidents in order to
maintain the security and privacy of IT Resources, data
and other assets, as well as satisfy requirements of
state and federal law.
Definitions

IT Incident: Any event involving University IT Resources
which:
- violates local, state or U.S. federal law, or
- violates regulatory requirements which Purdue is
obligated to honor, or
- violates a Purdue University policy, or
- is determined to be harmful to the security and privacy
of University data, or IT Resources associated with,
students, faculty, staff and/or the general public, or
- constitutes harassment under applicable law or
University policy, or
- involves the unexpected disruption of University
services.

CIR: The CIR, or Coordinator of Incident Response, is the
party responsible for managing University-wide IT
Incident response. The AVP for IT fulfills the role of
CIR.

CIRT: A CIRT, or Computer Incident Response Team, is a
group of skilled individuals designated to respond to any
IT Incident which requires coordination across multiple
departments, or which cannot in the reasonable judgment
of the CIR be adequately addressed by a single
department, or when it is otherwise determined to be
appropriate to employ such a team by the CIR. The CIR is
responsible for defining the specific procedures for and
operations of CIRTs.

SC: Security Contact is the person or persons assigned to
coordinate IT Incident response for an individual
business unit, college/school, or department. The SC is
responsible for interacting with the CIR.

IT Resource: All tangible and intangible computing and
network assets provided by or for the University to
further its mission of discovery, learning, and
engagement. Examples of such assets include, but are not
limited to, hardware, software, network bandwidth, mobile
devices, electronic information resources, printers, and
paper.

IP Address: Internet Protocol Address. A unique numerical
address that identifies computers connected to the
Internet or other IP networks.

Reporter: A person who notifies the CIR of an event he or
she believes to be an IT Incident.
Statement of Policy
Classification:
In order to facilitate the accurate and productive
response to IT Incidents, all IT Incidents must be
classified and assessed by the CIR for severity at their
onset. As the IT Incident progresses its classification
may be reevaluated and changed as necessary to ensure
proper handling.
In some cases, IT Incidents may fall under multiple
classifications. When this happens, the classification
with the highest severity should generally dictate the
course of IT Incident response.
The CIR is responsible for providing and maintaining
appropriate IT Incident classification guidelines and
resolution procedures.
Receiving Reports
Reported events become IT Incidents only after they have
been received and evaluated by the CIR. All event
reports should be sent first to the CIR for assessment
and assignment. The CIR upon receiving a report is
responsible for assessing its veracity, determining
whether or not the event constitutes an IT Incident and
classifying the IT Incident, and initiating handling
procedures.
The CIR reserves the right, subject to applicable law
and other applicable University policies, to use the
following resources for IT Incident detection and/or
response:
- System and application logs
- Passive network traffic monitoring (e.g.,
IDS, and other network packet analyzers)
- Active scanning of systems suspected of
violating university policy, or systems
exhibiting symptoms of compromise
- Other resources as determined appropriate by
the CIR and as allowed by Purdue policy and
applicable law.
To facilitate accurate reporting, handling, and record
keeping, the CIR is responsible for providing a protocol
by which the CIR, SC, and Reporters of potential IT
Incidents can communicate. The CIR should also maintain
a record of communication and data collection for all
events reported to the CIR. In addition, the CIR is
responsible for providing a formal operations guide.
This guide shall outline the specific processes and
methods for handling IT Incidents.
Reporting Incidents
When any event is observed which appears to satisfy the
definition of an IT Incident, it must be reported to the
CIR. If it is unclear as to whether or not an event
constitutes an IT Incident, such an event should be sent
to the CIR for evaluation. Events that may constitute an
IT Incident may be reported to the CIR via email at
abuse@pnc.edu. The person who reports the event,
including complaints relayed on behalf of customers,
should document and report any available relevant
information about the event, including, but not limited
to, dates, times, persons/resources involved, and IP
addresses.
Situations which are suspected to be crimes should be
reported immediately to the appropriate law enforcement
agencies by the person who possesses first-hand
knowledge of the facts or circumstances related to a
suspected crime. Those events which are suspected to be
both a crime and an IT Incident should be reported first
to the appropriate law enforcement agencies, and then a
notification that a police report has been filed should
be sent to the CIR. However, it should be noted that in
such situations the CIR would not generally act on the
report unless asked to do so by said law enforcement
agencies.
Purdue North Central students, faculty, and staff should
report crimes to the University Police Department. Those
persons external to the University should report crimes
to their local law enforcement agency.
Response
After receiving a report, assessing its veracity,
determining whether or not the event constitutes an IT
Incident, and classifying the IT Incident, the CIR will
determine if the IT Incident warrants a formal response.
IT Incidents that do not warrant formal response will be
remanded to the appropriate SC for handling. All
reported events and IT Incidents must be documented
throughout the response process.
If an event report does warrant formal IT Incident
response procedures by the CIR, it is the responsibility
of the CIR to coordinate the appropriate resources for
such response. If deemed appropriate by the CIR, a CIRT
will be formed and led by the handler assigned to the IT
Incident.
The CIR is responsible for documenting appropriate
procedures for responding to event reports and IT
Incidents, and coordinating CIRTs.
Business Continuity
In the course of responding to an IT Incident it may be
necessary, subject to applicable laws and University
policies, to require the suspension of involved or
targeted services/systems in order to:
- Protect students, faculty, staff, IT Resources, other
systems, data, and University assets from threats posed
by the involved services/systems
- Protect the service/system in question
- Preserve evidence and facilitate the IT Incident
response process
The decision to suspend operations will be made by the
CIR.
In the case of mission critical applications, the CIR
will make a good-faith effort to consult with the
appropriate SC, and if available, service/application
owner before such suspensions are carried out. If, in
the judgment of the CIR an excessive amount of time
(giving due weight to the relative severity of the IT
Incident) has passed without response from the
appropriate SC or service/application owner, suspension
may occur without consultation. In other cases, the
appropriate SC will be notified of suspension of
service.
Any equipment not owned by the University which is using
University IT Resources, and is found to be the target,
source, or party to an IT Incident may be subject to
immediate suspension of services without notice until
the issue has been resolved, or the subject system is no
longer a threat.
In all cases, it is the CIR who shall determine if and
when a service suspension may be lifted.
In order to facilitate proper and timely handling of IT
Incident responses, it is necessary that
network-connected devices can be identified and located
as soon as possible. To this end, SCs are required to
maintain an inventory of network-connectable devices
under their control, per guidelines to be established by
the CIR. Absent these guidelines, SCs are required to
maintain a list of all such devices which includes, at a
minimum, the primary location of the device, and the
physical addresses for all network interfaces used by
the device (i.e., MAC address).
Scope
This policy covers students, faculty, staff, and all
individuals or entities using any PNC IT Resources and
all uses of such IT Resources. Any individual or entity
using PNC IT Resources consents to all of the provisions
of the preceding policy and agrees to comply with all of
the terms and conditions set forth herein, all other
applicable University policies, regulations, procedures
and rules, and with applicable local, state and federal
law and regulations.
Violations of this policy or any other University policy
or regulation may result in the revocation or limitation
of IT Resource privileges as well as other disciplinary
actions and may be referred to appropriate external
authorities.
Who Should Know This Policy
- Chancellor
- Vice Chancellors
- Asst Vice Chancellors
- Deans
- Directors/Department Heads/Chairs
- Principal Investigators
- Business Office Staff
- Faculty
- Administrative and Professional Staff
- Clerical and Service Staff
- All Employees
- Undergraduate Students
- Graduate Students
If you have any questions, concerns, or suggestions, please contact the Help Desk at ext. 5511
or submit a trouble ticket online at: