Policy Number: 18.104.22.168
Category: Information Security
Effective: May 15, 2019
Revision History: Replaces Information Security Event Response Policy originally effective April 25, 2016
Review Date: May 14, 2022
PURPOSE AND SCOPE
- The purpose of this Policy is to establish the rules that govern the response to Computer Security Incidents (“Security Incidents”) that occur at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (collectively known as “University”).
- This Policy applies to Security Incidents that are computer-related as set forth in Section 2 and pose a threat to University Information Systems or University Data. This Policy does not include the following:
- Losses of or damage to a University Information System or University Data caused by natural disasters or power failures;
- Detected vulnerabilities to University Information Systems; or,
- Personally-owned computer assets that do not contain University Data.
COMPUTER SECURITY INCIDENT CLASSIFICATION
- The University will classify the following occurrences as Security Incidents:
- A suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data;
- Interference or Unauthorized Access to a University Information System; or
- A violation, or imminent threat of violation, of University information technology rules, policies, standards, and/or procedures.
- Security Incidents will be classified as Major, Moderate, or Minor based on the following factors:
- Current functional impact the Security Incident has on affected University Information Systems and future functional impact if it is not immediately contained;
- Effect of the Security Incident on the confidentiality, integrity, and availability of University Data and how this information exfiltration will impact the University’s overall mission; and,
- The effort necessary to recover from the Security Incident weighed against the value the recovery effort will create and any requirements related to Security Incident Response.
- Major Security Incidents pose a substantial threat to University Information Systems or University Data and meet the following criteria:
- Involves potential, accidental, or otherwise Unauthorized Access or disclosure of Sensitive Data as classified by the Sensitive Data Policy;
- Involves legal issues including criminal activity or may result in litigation;
- Has or may cause severe disruption to Mission Critical services; or,
- Is likely to cause harm to the University’s reputation.
- Security Incidents not classified as Major will be classified as Moderate or Minor based on the number and criticality of University Information Systems, records, persons, or accounts affected.
COMPUTER SECURITY INCIDENT RESPONSE
- Security Incident Response at the University will be in accordance with established industry standards such as the National Institute of Standards and Technology (“NIST”) Special Publication 800-61, or a current equivalent.
- The University will measure the success of its Security Incident Response capabilities by developing appropriate metrics and testing Security Incident Response capabilities annually, at minimum.
- All Major Security Incidents will require investigation by a Computer Security Incident Response Team (“CSIRT”).
- The CSIRT will, at a minimum, include a Team Manager and an Incident Lead.
- The Team Manager is responsible for acting as a liaison with upper management and other teams and organizations, defusing crisis situations, and ensuring that the team has the necessary personnel, resources, and skills.
- The Incident Lead is responsible for serving as the primary point of contact for Security Incident Response and for oversight of the quality of the team’s technical work.
- Additional roles, including representation from legal, communications, and functional business units impacted, may also be added.
- The CSIRT will respond to Major Security Incidents according to the Computer Security Incident Response Plan, which includes conducting the following:
- Determining the extent, cause, and damage of the Security Incident;
- Directing the recovery, containment, and remediation of the Security Incident, which may include authorizing and expediting changes to University Information Systems;
- Monitoring University Information Systems and retrieving communications or other relevant records related to specific users, including login session data and the content of individual communications;
- Notifying the appropriate individuals/groups to participate and identifying their roles. This includes coordinating communications with external parties when existing agreements place responsibility for Security Incident investigations on the external party;
- Providing status updates to specific individuals, groups, and/or the entire University. In coordination with the ITS Communications group, the CSIRT should plan and prepare several communication methods and select the methods that are appropriate for the particular Security Incident;
- Coordinating and sharing information with law enforcement; and,
- Coordinating and sharing information with government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (“ISACs”) in the identification and investigation of Incidents, ensuring that any data shared does not identify a member of the University community.
COMPUTER SECURITY INCIDENT REPORTING
- Failure to report an actual or suspected Security Incident is a violation of this Policy. Anyone who has knowledge of, or suspects, a Security Incident must contact Information Technology Services by email at firstname.lastname@example.org or by phone at 304-293-4457/304-293-4444 within 24 hours of occurrence.
- If the Security Incident is reasonably expected to cause significant harm to University employees or students, the University will make best efforts to notify those individuals whose Personally Identifiable Information (PII) may have been put at risk. Factors to consider in making this determination:
- Legal duty to notify;
- Length of compromise;
- Human involvement;
- Sensitivity of compromised data; and,
- Existence of evidence that data was compromised.
DEFINITIONS
- “Computer Security Incident” means a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of Incidents include an attacker commanding a botnet to send high volumes of connection requests to a web server, causing it to crash; users tricked into opening a ‘quarterly report’ sent via email that is actually malware; an attacker obtaining sensitive data and threatening that the details be released publicly if the organization does not pay a designated sum of money; or a user providing or exposing sensitive information to others through peer-to-peer file sharing services.
- “Information Sharing and Analysis Centers (ISACs)” means a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector.
- “Mission Critical” means a University Information System that houses information whose loss, misuse, disclosure, Unauthorized Access, or modification would have a debilitating impact on the mission of the University and would typically result in a very negative customer experience.
- “Personally Identifiable Information (PII)” means data that specifically identifies an individual, including, but not limited to: Social Security number, driver’s license number, credit card numbers, bank account information, employee performance or salary information, student grades, disciplinary information, account passwords, or Protected Health Information (PHI) which is data that identifies health status, provision of health care, or payment for health care that is created or collected and can be linked to a specific individual.
- “Security Incident Response” means the mitigation of violations of security policies and recommended practices. Incident Response and Incident Handling are synonymous.
- “Unauthorized Access” means a person gains logical or physical access without permission to a University network, system, application, data, or other resource.
- “University Information System” means technology systems used for academic, administrative, outreach, and research operations at the University whether operated and managed by the University or a third-party vendor.
- “University Data” means data created, received, maintained, or transmitted by or on behalf of the University through the course of its academic, administrative, research, or outreach activities.
ENFORCEMENT AND INTERPRETATION
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
- All other University policies are also applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
- Acceptable Use of Data and Technology Resources
- Electronic Mail
- Data Center Access Policy
- Sensitive Data Policy
- National Institute of Standards and Technology (NIST) Computer Incident Handling Guide, Special Publication 800-61 Revision 2
- Faculty Handbook
- Code of Student Rights and Responsibilities (Code of Conduct)
- WVU Talent and Culture Policies