It is vital to the University community that computer security incidents that threaten the security or privacy of confidential information are properly identified, contained, investigated, and remedied. According to Texas Senate Bill 122 Section 48.102, the University “shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure of any sensitive personal information collected or maintained in the regular course of business.”
The purpose of this policy is to provide the basis of appropriate response to incidents that threaten the confidentiality, integrity, and availability of university digital assets, information systems, and the networks that deliver the information. The Incident Response Policy provides a process for documentation, appropriate reporting internally and externally, and communication to the community as part of an ongoing educational effort. Finally, the policy establishes responsibility and accountability for all steps in the process of addressing computer security incidents.
The Incident Response Policy applies to all members of the Trinity University community. The Trinity University community (hereafter described as the “University community”) includes faculty and staff members, students, alumni, guests, and contractors. This Policy also includes computing or network devices owned, leased, or otherwise controlled by Trinity University. Additionally, incidents involving confidential information apply to any computing or network device, regardless of ownership, on which confidential or restricted information is stored or by which access to confidential or restricted information might be gained. (Examples include, but are not limited to: a home computer containing confidential data, a mobile device on which credentials are stored which could be used to access confidential data, a server housed in an off-site facility.)
Intrusion attempts, security breaches, theft or loss of hardware and other security related incidents perpetrated against the University must be reported to Information Technology Services (ITS). Anyone with knowledge, or a reasonable suspicion, of an incident which violates the confidentiality, integrity, or availability of digital information, will make an immediate report to the following e-mail address: infosec [at] trinity.edu.
The Director of Networks, Security and Systems, in collaboration with other appropriate staff, shall determine if a reported incident IS or IS NOT a confidential information Security Incident.
If the incident IS NOT considered a confidential information Security Incident, the incident shall be referred to a Systems Administrator who shall insure that the incident is handled in accordance with the procedures described herein. The Director of Network, Security, and Systems, shall inform the Director and Chief Information Officer. The Director and Chief Information Officer will inform the Director of Risk Management.
If the Director of Networks, Security and Systems, in collaboration with other appropriate staff, determines that the incident IS a confidential data security incident, an Incident Response Team is formed. The purpose of the Incident Response Team is to determine a course of action to appropriately address the incident. The Chief Information Officer shall designate the membership of the Incident Response Team. Normally, membership will include appropriate individuals from ITS, offices with primary responsibility for the compromised data, and the Office of Risk Management.
It is the responsibility of the Incident Response Team to assess the actual or potential damage to the University caused by the Confidential Data Security Incident, and to develop and execute a plan to mitigate that damage. Incident Response Team members will share information regarding the incident outside of the team only on a need-to-know basis and only after consultation with and consensus by the entire team.
The Incident Response Team should review, assess, and respond to the incident for which it was formed according to the following factors, in decreasing order of priority:
If, in the judgment of the Chief Information Officer, the incident might reasonably be expected to cause significant harm to the subjects of the data or to Trinity University, the Chief Information Officer may recommend to the President that a Senior Response Team be established. The Senior Response Team shall be comprised of senior-level administrators designated and recommended by the Chief Information Officer or Vice President and the Office of Risk Management. The Senior Response Team will determine whether Trinity University should make best efforts to notify individuals whose personally identifiable information might have been at risk due to the incident. In making this determination, the following factors shall be considered:
ITS shall maintain a log of all confidential information Security Incidents, recording the date, type of confidential information affected, number of subjects affected (if applicable), summary of the reason for the breach, and corrective measures taken.
ITS shall issue a report for every confidential information Security Incident describing the incident in detail, the circumstances that led to the incident, and a plan to eliminate the risk of a future occurrence.
ITS shall provide annually to the Chief Information Officer a report containing statistics and summary-level information about all known confidential information Security Incidents, along with recommendations and plans to mitigate the risks that led to those incidents.
Confidential Information - Sensitive personally-identifiable information that must be safeguarded in order to protect the privacy of individuals and the security and integrity of systems and to guard against fraud. This includes, but is not limited to:
Additionally, proprietary information, data, information, or intellectual property, in which the University has an exclusive legal interest or ownership right may also be considered confidential information. Examples include, but are not limited to:
Malware - Any software designed with malicious intent. Examples include, but aren't limited to:
Security Incident - Any event that threatens the confidentiality, integrity, or availability of University systems, applications, data, or networks. Examples of University systems include, but are not limited to:
Examples of Security Incidents include, but aren't limited to:
Sensitive Personal Information - As defined by the Texas Senate Bill 122 means “an individual’s first name or first initial and last name combination with any one or more of the following data elements (when the name or data element is not encrypted):
Any behavior in violation of this policy is cause for disciplinary action. Violations will be adjudicated, as appropriate, by the CIO, the Office of the Dean of Students, the Office of Housing and Residential Life, and/or the Office of Human Resources. Sanctions as a result of violations of this policy may result in, but are not limited to, any or all of the following:
Reports of data and systems compromises and the exposure of personal and restricted information should be immediately reported to: infosec [at] trinity.edu
Texas, Legislature of the State of Texas, Identity Theft Enforcement and Protection Act. By Juan Hinojosa. 2005. 27 March 2007. http://www.legis.state.tx.us/tlodocs/79R/billtext/pdf/SB00122F.pdf