University Policy Details
Title: Security Incident Response
Author: University Information Technology Services
Effective Date: 08/31/2008
Applies To: Employees
Last Reviewed Date: 12/12/2008
Description: Security Incident Response
For More Information Contact: Director of IT Security, Policy and Quality Assurance
Contact Telephone Number: 860-486-4357
Security Incident Response
Background and Reasons for the Policy: The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University. University data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as the:

  • Family Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Electronic Communications Privacy Act (ECPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Children's Online Privacy Protection Act (COPPA)
  • Freedom of Information Act (FOIA)
  • Connecticut Personal Data Act

Purpose of Policy: The purpose of this policy is to ensure that the University has implemented the processes needed to identify and respond to electronic security incidents that occur at the University.

Definitions:

University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University data may be stored either electronically or on paper and may be of many forms (including, but not limited to: text, graphics, images, sound, or video).
Information Security Incident: Any event that is known or suspected to have compromised the confidentiality, integrity or availability of University information technology resources.

Expected Institutional Outcome: This policy will help the University community to:

  • Reduce the time required to respond to security incidents
  • Reduce the time required to resolve security incidents
  • Reduce the total impact of security incidents
  • Reduce the probability of the recurrence of a type of security incident

Applicability of Policy: This policy applies to any Department within the University that stores, uses, or transmits University Data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability, or damage.
Policy Statement: The Council of Data Stewards will work with designated data custodians and support services to develop processes and controls for identifying and responding to security incidents that involve information technology resources (including the facility, equipment, software and data) that are under its control.  Data users will use the processes as appropriate to report incidents and participate in their resolution.  At a minimum, these processes will include:

  1. Response: Process(es) for identifying and responding to security incidents that involve computing resources or data managed by the department. When responsibilities for responding to security incidents have been delegated to persons external to the department, the department will provide appropriate access and assistance to those people when they respond to identified incidents.
  2. Documentation: Process(es) for documenting responses to security incidents that involve computing resources or data managed by the department.
  3. Mitigation: Process(es) for mitigating the impacts of security incidents and measures to be taken to prevent repeat occurrences of those incidents.

Responsibilities:  University officials with delegated responsibilities for data as defined in the Policy on Roles and Responsibilities with Respect to University Data are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and University security requirements impacting their data.  They may delegate the security management processes for those resources to the system administrators who they may appoint to manage the resources for them.

Departments and units must adhere to Responsibilities of Individual Departments and Units policy when developing required processes.  The University security policies set a minimum level of protection for information technology resources.  The processes and technologies instituted by departments must achieve that level of protection.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.  When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the departments should ensure that they are in compliance with the Physical Network Access policy.

Information Security Incidents involving a breach to University Data must be reported to the Director of IT Security.

Enforcement and Review:

The Chief Information Officer for Information Services has overall responsibility for this policy.

The Chief Information Officer for Information Services will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Any individual who suspects a violation of this policy may report it to the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Policy Implementation Guidelines: Departments required to implement these Incident Response processes should also refer to http://itpolicy.uconn.edu/ , where UITS maintains a set of documents for policies, procedures, guidelines, and standards that provide additional detail.
Last updated: August 2008