Data Security Incident Response Policy

Reason for this Policy

A formal policy for the reporting of and response to IT Incidents is necessary to ensure the secure operation of IT Resources, to protect the data security and privacy of students, faculty, and staff, and to respond appropriately to IT Incidents.

This policy sets forth a set of general requirements for the efficient response to IT Incidents in order to maintain the security and privacy of IT Resources, data and other assets, as well as satisfy requirements of state and federal law.


Definitions

IT Incident: Any event involving University IT Resources which:

  • violates local, state or U.S. federal law, or
  • violates regulatory requirements which Purdue is obligated to honor, or
  • violates a Purdue University policy, or
  • is determined to be harmful to the security and privacy of University data or IT Resources associated with students, faculty, staff, and/or the general public, or
  • constitutes harassment under applicable law or University policy, or
  • involves the unexpected disruption of University services.
CIR: The CIR, or Coordinator of Incident Response, is the party responsible for managing University-wide IT Incident response. The AVP for IT fulfills the role of CIR.
CIRT: A CIRT, or Computer Incident Response Team, is a group of skilled individuals designated to respond to any IT Incident which requires coordination across multiple departments, or which cannot in the reasonable judgment of the CIR be adequately addressed by a single department, or when it is otherwise determined to be appropriate to employ such a team by the CIR. The CIR is responsible for defining the specific procedures for and operations of CIRTs.
SC: The SC, or Security Contact, is the person or persons assigned to coordinate IT Incident response for an individual business unit, college/school, or department. The SC is responsible for interacting with the CIR.
IT Resource: All tangible and intangible computing and network assets provided by or for the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, hardware, software, network bandwidth, mobile devices, electronic information resources, printers, and paper.
IP Address: Internet Protocol Address. A unique numerical address that identifies computers connected to the Internet or other IP networks.
Reporter: A person who notifies the CIR of an event he or she believes to be an IT Incident.

Statement of Policy

Classification:

In order to facilitate the accurate and productive response to IT Incidents, all IT Incidents must be classified and assessed by the CIR for severity at their onset. As the IT Incident progresses, its classification may be reevaluated and changed as necessary to ensure proper handling.

In some cases, IT Incidents may fall under multiple classifications. When this happens, the classification with the highest severity should generally dictate the course of IT Incident response.

The CIR is responsible for providing and maintaining appropriate IT Incident classification guidelines and resolution procedures.

Receiving Reports

Reported events become IT Incidents only after they have been received and evaluated by the CIR. All event reports should be sent first to the CIR for assessment and assignment. The CIR upon receiving a report is responsible for assessing its veracity, determining whether or not the event constitutes an IT Incident and classifying the IT Incident, and initiating handling procedures.

The CIR reserves the right, subject to applicable law and other applicable University policies, to use the following resources for IT Incident detection and/or response:

      1. System and application logs
      2. Passive network traffic monitoring (e.g., IDS and other network packet analyzers)
      3. Active scanning of systems suspected of violating university policy, or systems exhibiting symptoms of compromise
      4. Other resources as determined appropriate by the CIR and as allowed by Purdue policy and applicable law.

To facilitate accurate reporting, handling, and record keeping, the CIR is responsible for providing a protocol by which the CIR, SC, and Reporters of potential IT Incidents can communicate. The CIR should also maintain a record of communication and data collection for all events reported to the CIR. In addition, the CIR is responsible for providing a formal operations guide. This guide shall outline the specific processes and methods for handling IT Incidents.

Reporting Incidents

When any event is observed which appears to satisfy the definition of an IT Incident, it must be reported to the CIR. If it is unclear whether or not an event constitutes an IT Incident, the event should be sent to the CIR for evaluation. Events that may constitute an IT Incident may be reported to the CIR via email at abuse@pnc.edu. The person who reports the event, including complaints relayed on behalf of customers, should document and report any available relevant information about the event, including, but not limited to, dates, times, persons/resources involved, and IP addresses.

Situations which are suspected to be crimes should be reported immediately to the appropriate law enforcement agencies by the person who possesses first-hand knowledge of the facts or circumstances related to a suspected crime. Those events which are suspected to be both a crime and an IT Incident should be reported first to the appropriate law enforcement agencies, and then a notification that a police report has been filed should be sent to the CIR. However, it should be noted that in such situations the CIR would not generally act on the report unless asked to do so by said law enforcement agencies.

Purdue North Central students, faculty, and staff should report crimes to the University Police Department. Those persons external to the University should report crimes to their local law enforcement agency.

Response

After receiving a report, assessing its veracity, determining whether or not the event constitutes an IT Incident, and classifying the IT Incident, the CIR will determine if the IT Incident warrants a formal response. IT Incidents that do not warrant formal response will be remanded to the appropriate SC for handling. All reported events and IT Incidents must be documented throughout the response process.

If an event report does warrant formal IT Incident response procedures by the CIR, it is the responsibility of the CIR to coordinate the appropriate resources for such response. If deemed appropriate by the CIR, a CIRT will be formed and led by the handler assigned to the IT Incident.

The CIR is responsible for documenting appropriate procedures for responding to event reports and IT Incidents, and coordinating CIRTs.

Business Continuity

In the course of responding to an IT Incident it may be necessary, subject to applicable laws and University policies, to require the suspension of involved or targeted services/systems in order to:

  • Protect students, faculty, staff, IT Resources, other systems, data, and University assets from threats posed by the involved services/systems
  • Protect the service/system in question
  • Preserve evidence and facilitate the IT Incident response process

The decision to suspend operations will be made by the CIR.

In the case of mission critical applications, the CIR will make a good-faith effort to consult with the appropriate SC and, if available, the service/application owner before such suspensions are carried out. If, in the judgment of the CIR, an excessive amount of time (giving due weight to the relative severity of the IT Incident) has passed without response from the appropriate SC or service/application owner, suspension may occur without consultation. In other cases, the appropriate SC will be notified of the suspension of service.

Any equipment not owned by the University which is using University IT Resources, and is found to be the target, source, or party to an IT Incident may be subject to immediate suspension of services without notice until the issue has been resolved, or the subject system is no longer a threat.

In all cases, it is the CIR who shall determine if and when a service suspension may be lifted.

In order to facilitate proper and timely handling of IT Incident responses, it is necessary that network-connected devices can be identified and located as soon as possible. To this end, SCs are required to maintain an inventory of network-connectable devices under their control, per guidelines to be established by the CIR. Absent these guidelines, SCs are required to maintain a list of all such devices which includes, at a minimum, the primary location of the device and the physical addresses (i.e., MAC addresses) of all network interfaces used by the device.

Scope

This policy covers students, faculty, staff, and all individuals or entities using any PNC IT Resources and all uses of such IT Resources. Any individual or entity using PNC IT Resources consents to all of the provisions of the preceding policy and agrees to comply with all of the terms and conditions set forth herein, all other applicable University policies, regulations, procedures and rules, and with applicable local, state and federal law and regulations.

Violations of this policy or any other University policy or regulation may result in the revocation or limitation of IT Resource privileges as well as other disciplinary actions and may be referred to appropriate external authorities.


Who Should Know This Policy

  • Chancellor
  • Vice Chancellors
  • Asst Vice Chancellors
  • Deans
  • Directors/Department Heads/Chairs
  • Principal Investigators
  • Business Office Staff
  • Faculty
  • Administrative and Professional Staff
  • Clerical and Service Staff
  • All Employees
  • Undergraduate Students
  • Graduate Students


If you have any questions, concerns, or suggestions, please contact the Help Desk at ext. 5511 or submit a trouble ticket online at: services@pnc