Policy Number: 1.11.2.4
Category: Information Security
Effective: December 2, 2022
Revision History: Replaces Information Security Event Response Policy originally effective April 25, 2016; updated May 15, 2019
Review Date: December 1, 2025
PURPOSE AND SCOPE
- The purpose of this Policy is to establish the rules that govern the response to Computer Security Incidents (“Security Incidents”) that occur at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (collectively known as “University”).
This Policy applies to Computer Security Incidents that pose a threat to University Information Systems or University Data. This Policy does not include the following:
- Losses of or damage to a University Information System or University Data caused by natural disasters or power failures;
- Detected vulnerabilities to University Information Systems; or,
- Personally-owned computer assets that do not contain University Data.
COMPUTER SECURITY INCIDENT CLASSIFICATION
- The University will classify the following occurrences as Security Incidents:
- A suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data;
- Interference or Unauthorized Access to a University Information System; or
- A violation, or imminent threat of violation, of University information technology rules, policies, standards, and/or procedures.
- Security Incidents will be classified as either Major, Moderate, or Minor based on the following factors:
- Current functional impact the Security Incident has on affected University Information Systems and future functional impact if it is not immediately contained;
- Effect of the Security Incident on the confidentiality, integrity, and availability of University Data, and how that effect will impact the University’s overall mission; and,
- The effort necessary to recover from the Security Incident weighed against the value the recovery effort will create and any requirements related to Security Incident Response.
Major Security Incidents pose a substantial threat to University Information Systems or University Data and meet at least one of the following criteria:
- Involves potential, accidental, or otherwise Unauthorized Access or disclosure of Sensitive Data as classified by the Sensitive Data Policy;
- Involves legal issues including criminal activity or may result in litigation;
- Has or may cause severe disruption to Mission Critical services; or,
- Is likely to cause harm to the University’s reputation.
- Security Incidents not classified as Major will be classified as Moderate or Minor based on the number and criticality of University Information Systems, records, persons, or accounts affected.
COMPUTER SECURITY INCIDENT RESPONSE
- Security Incident Response at the University will be in accordance with established industry standards such as the National Institute of Standards and Technology (“NIST”) Special Publication 800-61, or a current equivalent.
- The University will measure the success of its Security Incident Response capabilities by developing appropriate metrics and testing Security Incident Response capabilities annually, at minimum.
- All Major Security Incidents will require investigation by a Computer Security Incident Response Team (“CSIRT”). All Moderate and Minor Security Incidents will be investigated by appropriate technical resources but do not require investigation by a CSIRT.
- The CSIRT will, at a minimum, include a Team Manager and an Incident Lead.
- The Team Manager is responsible for acting as a liaison with executive leadership and other teams and organizations, defusing crisis situations, and ensuring that the team has the necessary personnel, resources, and skills.
- The Incident Lead is responsible for serving as the primary point of contact for Incident Response and for overseeing the quality of the team’s technical work.
- Additional roles, including representation from legal, communications, technical resources, and functional business units impacted, may also be added.
- The CSIRT will respond to Major Security Incidents according to an approved computer security incident response plan, which includes conducting the following activities:
- Determining the extent, cause, and damage of the Security Incident;
- Directing the recovery, containment, and remediation of the Security Incident, which may include authorizing and expediting changes to University Information Systems;
- Monitoring University Information Systems and retrieving communications or other relevant records related to specific users, including login session data and the content of individual communications;
- Notifying the appropriate individuals/groups to participate and identifying their roles. This includes coordinating communications with external parties when existing agreements place responsibility for Security Incident investigations on the external party;
- Providing status updates to specific individuals, groups, and/or the entire University. In coordination with the ITS Communications group, the CSIRT should plan and prepare several communication methods and select the methods that are appropriate for a Security Incident;
- Coordinating and sharing information with law enforcement; and,
- Coordinating and sharing information with government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (“ISACs”) in the identification and investigation of Security Incidents, ensuring that any data shared does not identify a member of the University community.
COMPUTER SECURITY INCIDENT REPORTING
- Anyone who has knowledge of or suspects that a Security Incident has occurred must report the Security Incident to the University by email at defendyourdata@mail.wvu.edu or by submitting an Incident Report Form within 24 hours of occurrence.
- Pursuant to the Protected Health Information Privacy Policy, all Security Incidents involving reports of and complaints related to Unauthorized Disclosures, accesses, or uses of PHI must be reported to the University via an Incident Report Form.
- Failure to report an actual or suspected Security Incident is a violation of this Policy.
- If the Security Incident is reasonably expected to cause significant harm to University employees or students, the University will make best efforts to notify those individuals whose Personally Identifiable Information (PII) may have been put at risk. Factors to consider in making this determination include:
- Legal duty to notify;
- Length of compromise;
- Human involvement;
- Sensitivity of compromised data; and,
- Existence of evidence that data was compromised.
DEFINITIONS
- “Campus Network” means the collection of University Information Systems implemented with interconnected components such as routers, hubs, cabling, and telecommunications controllers.
- “Computer Security Incident” means a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of Incidents include an attacker commanding a botnet to send high volumes of connection requests to a web server, causing it to crash; users tricked into opening a ‘quarterly report’ sent via email that is actually malware; an attacker obtaining sensitive data and threatening that the details be released publicly if the organization does not pay a designated sum of money; or, a user providing or exposing sensitive information to others through peer-to-peer file sharing services.
- “Incident Response” means the mitigation of violations of security policies and recommended practices. Incident Response and Incident Handling are synonymous.
- “Information Sharing and Analysis Centers (ISACs)” means a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector.
- “Mission Critical” means a University Information System that houses information whose loss, misuse, disclosure, modification, or Unauthorized Access would have a debilitating impact on the mission of the University.
- “Personally Identifiable Information (PII)” means any information that can be used to identify an individual either alone or when combined with other personal information. PII the University considers Sensitive is identified within the Sensitive Data Policy and includes Social Security numbers, driver’s license numbers, passport or visa numbers, biometric images, and WVU Login credentials.
- “Unauthorized Access” means a person gains logical or physical access without permission to a University network, system, application, data, or other resource.
- “Unauthorized Disclosures” means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Protected Health Information Privacy Policy which compromises the privacy of the PHI as described in 45 C.F.R. Section 164.400 et seq.
- “University Information System” means technology systems used for academic, administrative, outreach, and research operations at the University whether operated and managed by the University or a third-party vendor.
- “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
ENFORCEMENT AND INTERPRETATION
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
AUTHORITY & CROSS REFERENCES
- BOG Governance Rule 1.11 – Information Technology Resources and Governance
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
- Acceptable Use of Data and Technology Resources
- Electronic Mail Policy
- Data Center Security Policy
- Data Classification Policy
- Sensitive Data Protection Standard
- Protected Health Information Privacy Policy
- National Institute of Standards and Technology (NIST) Computer Incident Handling Guide, Special Publication 800-61 Revision 2
- Faculty Handbook
- Code of Student Rights and Responsibilities (Code of Conduct)
- WVU Talent and Culture Policies
- ITS Computer Security Incident Response Plan