30.14 - Cyber Incident Reporting and Response

Owner:

  • Position: Vice President of Information Technology and Chief Information Officer, Information Technologies
  • Email: oit-security@uidaho.edu

Last updated: January 01, 2023

Contents:

  1. Purpose
  2. Scope
  3. Definitions
  4. Policy
  5. Non-Compliance
  6. Exceptions
  7. Contact Information
  8. References

A. Purpose

The university is obligated to protect the confidentiality, integrity, and availability of information in its care. Unauthorized access to certain types of information may obligate the university to individual, university, state, federal, and contractual investigative and reporting requirements and result in fines and reputational impact.

Timely response to reported and detected incidents is critical to prevent adverse effects to individuals, to meet external reporting requirements, and to protect the university mission and reputation.

This policy establishes individual responsibility in reporting incidents, and the university responsibility to plan, respond, and escalate, in accordance with our legal and contractual requirements.

B. Scope

This policy applies to all technology resources, including information systems, institutional data, and networks and any person or device that gains access to these systems or data, regardless of affiliation, location, funding source, or contract status.

C. Definitions

C-1. Computer Security Incident Response Team (CSIRT): A function of the Information Security Office responsible for receiving, reviewing, and coordinating the response to computer security incident reports and activity involving university technology resources.

C-2. Data breach: Per Idaho Code § 28-51-104, a “breach of the security of the system,” referred to in this policy as a “data breach,” means “the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual, or commercial entity.”

C-3. Incident Response Plan: Also known as the Technology Security Incident Response Plan or “IR Plan,” this is the required documentation in support of this policy, which addresses specific procedures and details for handling incident response, consistent with applicable laws.

C-4. Security Event: A security event is the discovery of any piece of information that could indicate the actual or potential threat to data or systems.

C-5. Security Incident: A security incident is a security event that indicates the present or imminent threat to the confidentiality, integrity, or availability of university technology resources, or violations of security policy or standards.

C-6. University Data: Data in any format, collected, developed, maintained, or managed by or on behalf of the university, or within scope of university activities. (See also APM 30.11)

D. Policy

D-1. Reporting incidents. Any actual or suspected security incidents or events must be reported immediately to the Information Security Office through one of the following designated channels:

D-2. Reporting incident response requirements. All members of the university community establishing relationships with entities or handling data with unique incident response reporting requirements must report those requirements to the Information Security Office for inclusion in the Incident Response plan.

D-3. Registering systems and applications. All devices using university networks must be registered in the OIT Network Management System and contact information must be kept current. Cloud applications and vendors must be registered with the OIT Application Portfolio and updated when changes occur.

D-4. CSIRT membership. The CSIRT is composed of the Chief Information Security Officer (CISO) and their designated incident handler staff, and representation from the Office of General Counsel, Risk Management, Human Resources, Public Safety and Security, and University Communications. Other members and subject matter experts may be requested by the CISO or designated by the Vice President for Information Technology/CIO and approved as part of the Incident Response plan, or on an as-needed basis.

D-5. Investigations. The CSIRT, under direction of the CISO, is authorized to:

a. Monitor all relevant technology resources and information to correlate and detect events and determine whether an incident has occurred.

b. Activate the incident response plan and direct the analysis, containment, recovery, and remediation of an incident.

c. Expedite changes to information systems when necessary to respond to or prevent an incident. This may include proactive measures to disable accounts, networks, devices, integrations, or other resources.

d. In cooperation with General Counsel, report incidents to required third parties when required by state, federal, or contractual requirements, or to activate cyber liability coverage.

e. Track and document incidents using a standard taxonomy for security incidents.

f. Coordinate with law enforcement, government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that does not identify individuals, or as otherwise approved by General Counsel or related data owners.

D-6. Disclosure. Public disclosure of a data breach must be reviewed and approved by the VP for IT/CIO in consultation with General Counsel, University Communications, and other relevant university stakeholders.

D-7. Plan requirements. The OIT Information Security Office is responsible for coordinating the U of I Technology Security Incident Response Plan (IR plan), keeping the contact and subject matter expert list updated, and testing and exercising the plan at least annually.

E. Noncompliance

Noncompliance with this policy may result, depending upon the nature of the noncompliance, in suspension of the user’s account or access to U of I technology resources as stated in APM 30.12 (Acceptable Use of Technology).

F. Exceptions

Requests for exceptions to this policy may be submitted through the OIT Support Portal. The U of I Chief Information Security Officer will assess the risk and make a recommendation to the U of I Vice President for Information Technology and Chief Information Officer.

G. Contact Information

The OIT Information Security Office can assist with questions regarding this policy and related standards and the plan. Questions should be submitted through the OIT Support Portal.

H. References

NIST SP800-61 Rev. 2

HIPAA 45 CFR § 164.308(a)(6)

Idaho Code - §§ 28-51-104, 105, 106, 107

Idaho Technology Authority P4110

APM 30.11 – Data Classifications and Standards

APM 30.12 – Acceptable Use Policy

UI Privacy Statement


Version History

Amended January 2023. Rewritten to reflect cyber security practices required by HIPAA and NIST and to address the current state of cyber security threat faced by UI.

Adopted January 2007.
