I. PURPOSE
The intent of this policy is to establish the requirements for effective incident reporting, response, and escalation practices with regard to the security of data and information technology (IT) resources and systems.
II. DEFINITION
Incident: Any event that, regardless of accidental or malicious cause, results in:
- disclosure of university data to someone unauthorized to access it,
- unauthorized alteration of university data,
- loss of data for which the university is legally or contractually bound to protect or which support critical university functions,
- disrupted information technology services levels,
or otherwise is a violation of the university’s information security policies.
III. POLICY
- Requirements
- To avoid inadvertent violations of state or federal law, neither individuals nor departments may release University information, electronic devices or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by this policy.
- The Information Security Office will ensure an Incident Response Plan is developed and maintained providing appropriate, efficient, and consistent response to incidents and must:
- define and categorize incidents;
- rely on the roles and responsibilities of all involved with handling incidents, as defined in the Security Roles and Responsibilities Policy;
- outline an appropriate process for notification through management channels;
- provide procedures and/or guidance for the appropriate response to incidents;
- be kept relevant and current.
- Any individual performing digital forensics as a part of an incident investigation must be certified to perform digital forensics as approved by the Information Security Officer (ISO).
- Incident details must be kept confidential.
- Notification
- All users, which includes employees, contractors and third party users, are responsible for promptly reporting any suspicious events to the Information Security Office either directly, through their supervisor, sponsor, or by contacting User Support Services or Campus Police.
- The Chief Information Officer (CIO) or designee, in agreement with senior university management, will authorize notification of appropriate external agencies as deemed necessary.
- The ISO will notify the CIO and Campus Police if further investigation is warranted.
IV. ENFORCEMENT
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 25, 2011.
Revised and approved by the Board of Visitors, March 22, 2013.