Policy No: 2028 Responsible Office: Office of Information Security Last Review Date: 05/27/2020 Next Required Review: 05/27/2023
Incident Response Policy
The purpose of this policy is to clearly define roles and responsibilities for the reporting, investigation and response of computer security incidents and data breaches.
All members of the University community are responsible for promptly reporting any suspected or confirmed security incident involving University of South Alabama data or an associated information system, even if they have contributed in some way to the event or incident. Members of the University community must cooperate and assist with incident investigations and encourage their staff and others to report an incident and cooperate with an investigation.
USA Data includes, but is not limited to, the following: personnel data, student data (FERPA), credit card/payment data as defined by the Payment Card Industry Data Security Standards (PCI DSS), protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) regulation, and controlled unclassified information (CUI).
4. Policy Guidelines
The University of South Alabama's Cyber Risk Team (CRT) was formed to review and enhance the University’s information security programs. The CRT investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents. The CRT is composed of a diverse team of University staff from various departments.
The CRT directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The CRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
During the conduct of security incident investigations, the CRT is authorized to monitor relevant USA IT resources and retrieve communications and other relevant records of specific users of USA IT resources, including login session data and the content of individual communications without notice or further approval.
Any external disclosure of information regarding information security incidents must be reviewed and approved by the Office of General Counsel.
The CRT coordinates with law enforcement, government agencies, peer CRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CRT may share threat and incident information with these organizations that does not identify any member of the South Alabama community.
This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access USA Data as well as all personnel including employees, students, temporary workers, contractors, those employed by contracted entities and others authorized to access USA enterprise assets and information resources.
All suspected information security (IS) incidents must be reported. The following courses of action need to be taken in the event of discovering an information security incident:
5.1 If the incident involves Protected Health Information (PHI) in electronic or paper form:
- Call USA Chief HIPAA Compliance Officer at (251) 470-5802 or the Office of Compliance at (251) 460-7115.
5.2 For all other incidents, notify your departmental IT Contact and/or the CSC Help Desk (6-6161). The IT Contact or Help desk will also notify the Information Security Department of any suspected IS incident by calling (251) 460-6161 and/or sending email to firstname.lastname@example.org. It is highly recommended to make a phone call. Include particular information if the incident involves:
- Inadvertent release, exposure, or compromise of confidential data, the loss or compromise of portable computing devices or removable media containing sensitive data, or the discovery of unauthorized access to sensitive data on a computer or data storage device;
- The use of USA computing resources in the commission of fraudulent activities.
- Systems used to process or store Controlled Unclassified Information (CUI).
5.3 If the suspected incident involves any of the following, the Information Security Department will work to also report:
- Credit or debit card account information, notify the Tax Accounting Office, (251) 414-8297, and speak to the PCI Coordinator;
- Notify USA Chief HIPAA Compliance Officer at (251) 470-5802 or the Office of Compliance at (251) 460-7115;
- Fraudulent activity committed using USA computing resources; notify the Department of Internal Audit at (251) 460-7087;
- Criminal activity committed using USA computing resources; notify the USA Police Department at (251) 460-6312;
- Controlled Unclassified Information (CUI) related incident (systems and/or data), the Director, IT Risk and Compliance at 251-460-7994.;
- FERPA does not require data breach disclosure but The University Registrar Office should be contacted.
When a subpoena or court order is issued pursuant to any investigation related to information technology the USA Office of General Counsel must be notified and will direct the actions to be taken. University Police and Office of General Counsel will serve as liaison with all external law enforcement agencies (FBI, other federal, state, local) for all IT security investigations.
The University encourages stakeholders to report other concerns, suspected violations, or criminal activity to their supervisor or other campus entities as appropriate. Departmental IT Contacts are responsible for dissemination of this policy to their departments. The Cyber Response Team (CRT) is responsible for responding to High Severity incidents according to established procedures. The Director of Information Security is responsible for coordinating the CRT and augments staff with subject matter experts as necessary.
Any USA employee found to have intentionally violated this policy or mislead an incident response investigation will be subject to disciplinary action up to and including loss of employment.
7. Related Documents