Information Security Incident Response Policy

Sponsor:

Information Technology Services

Contact:

Chief Information Security Officer

Category:

Information Security and Technology

Number:

1000.014

Effective Date:

7/20/2021

Implementation History:

First draft 7/2021

Keywords:

Breach, Cyber Security, Incident Response

Background Information:

This policy details how SUNY Empire will follow the SUNY Cyber Security Incident Notification Contacts and Procedures.

Purpose

The College is committed to securing and protecting the information within its possession.  As an institution of higher education operating in New York State (NYS) and within the State University of New York (SUNY) system, the College must comply with federal, state and SUNY confidentiality and information safeguarding laws and policies, as well as meet data protection requirements imposed by its accrediting agency, the Middle States Commission on Higher Education (“MSCHE”) and the EU General Data Protection Regulation (GDPR). The Incident Response Policy establishes procedures and assigns responsibilities for reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of college business records, or attempts to deny or impede legitimate access to those records.

Definitions

An information security incident- is considered to be any adverse event that threatens the confidentiality, integrity or availability of University or affiliate information resources.  These events include, but are not limited to, the following activities:

  • Suspected criminal use of systems or services, including:
    • Identity theft
    • Disclosure, destruction, or alteration of college or affiliate - managed systems or data
  • Loss or theft of devices that contain or enable access to University records
  • Compromise of a web page
  • Compromised credentials
  • Attempts (either failed or successful) to gain unauthorized access to a system or its data
  • Unwanted disruption or denial of service (DoS)
  • Unauthorized use of a system for the transmission, processing or storage of data
  • Changes to system hardware, firmware or software characteristics without the University’s or affiliate’s knowledge, instruction or consent
    • Execution of malicious code, often referred to as malware, such as viruses, Trojans, worms or botnets
    • Unauthorized changes to system configurations
  • Attempts (either failed or successful) to cause failures in critical infrastructure services, loss of critical supervisory control and data acquisition (SCADA) systems
  • A potential or suspected ‘Personal data breach’ as defined by GDPR which includes “of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
  • A cyber security incident involving PII*, HIPAA*, or FERPA* data
  • A cyber event that could significantly impact or put at risk campus operations
  • An information loss that raises to the level outlined in the NYS Information Security Breach and Notification Act

* Personally Identifiable Information * Health Insurance Portability and Accountability Act of 1996 * Family Educational Rights and Privacy Act of 1974

General Data Protection Regulation (GDPR) - Effective May of 2018 this regulation applied to all enterprises doing business in the European Union (EU) countries and requires business and institutions to protect the personal data and privacy of all individuals conserved EU data subjects.

Personal Data in relationship to GDPR -  any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personally Identifiable Information - As   defined   in   State   Technology   Law,   shall   mean   personal information in combination with any one or more of the following data elements, when either the personal information or the data element is  not  encrypted  or  encrypted  with  an  encryption  key  that  has  also been acquired:

(1) social security number;

(2) driver's license number or non-driver identification card number; or

3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account.

 

Private  information  does  not  include  publicly  available  information that  is  lawfully  made  available  to  the  general  public  from  federal, state, or local government records.

Statements

Any employee or college affiliate that observes or suspects a security incident must report the incident by submitting an incident ticketed to the Information Technology Service Desk using the ticketing system at https://www.esc.edu/service-desk/ or by calling 1-888-HELP-009 (888-435-7009) as soon as possible. The Service Desk attendant receiving the report must contact the ISO as soon as possible via email and/or phone. The ISO will verify they have received the report. If the Service Desk does not receive receipt of the report from the ISO within 8 hours (or first thing the next business day if 8 hours is past hours of operation), the Service Desk attendant will contact the designee by the ISO and await receipt of the report.

The ISO or designee will determine if the incident is a high risk. If the incident is high risk, the ISO or designee will respond in accordance with the SUNY Cyber Security Incident Notification Contacts and Procedures, which includes notification to the proper NYS entity. The president, or officer in charge of the college, executive vice president of administration and chief information officer will also be notified.

The ISO or designee, in consultation with SUNY counsel, will determine if the incident is considered a personal data breach in relationship to GDPR. If the incident is considered a personal data breach in relationship to GDPR the ISO or designee will respond in accordance with GDPR Articles 33 and 34. The president of the college, executive vice president of administration, chief information officer and GDPR executive committee will also be notified.

If it is determined by NYS, SUNY, and/or the ISO, that communications about the incident are necessary the ISO will work with SUNY counsel, the ESC chief information officer, the ESC chief of staff and director of government relations, and the ESC director of communications to communicate with the people affected by the incident in accordance with NYS regulations and GDPR Article 34.

The ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.

Every employee will receive cyber security training annually.

Applicable Legislation and Regulations

Procedures

Any employee or college affiliate that observes or suspects a security incident must report the incident by submitting an incident ticketed to the Information Technology Service Desk using the ticketing system at https://www.esc.edu/service-desk/ or by calling 1-888-HELP-009 (888-435-7009) as soon as possible.

Related Policies

SUNY Policy 6900 “Information Security Policy”

SUNY “Security Incident Response Process”

NYS Information Security Breach & Notification Law

NYS Cyber Security Policy P03-002: Information Security Policy

NYS Cyber Security Policy P03-001: Cyber Incident Reporting Policy

General Data Protection Regulation (GDPR) Article 33 and 34.

Related References, Policies, Procedures, Forms and Appendices