Information Security Incident Response Procedure

Purpose

This procedure is to assure that, in case of an information security incident that threatens the availability, confidentiality, and integrity of University information assets, information systems, and the networks that deliver the information, a response is conducted in a consistent manner, with appropriate leadership and technical resources, in order to promptly restore operations impacted by the incident. Such incidents may include the access to sensitive or confidential data, intellectual property, damage to public image, and/or damage to critical internal systems.

Scope

This procedure applies to all University information systems and services for which it is responsible. It applies to any computing device owned by the University that might experience a security incident. It also will apply to any computing device regardless of ownership, which is used to store restricted/confidential university data, or which, if lost, stolen or compromised, could lead to the unauthorized disclosure of confidential University data.

This procedure does not cover incidents involving any protected health information; these incidents must be reported to the University HIPAA officer. Nor does this procedure cover any human subject research information; incidents of this nature should be referred to the Office of the Vice President for Research. This procedure does include, however, incidents related financial information as articulated in the Gramm Leach Bliley Act (GLBA).

Information security incident definitions

• Level 1 Incident – Public Data: Data to which the general public may be granted access in accordance with Western Michigan University policy or standards.
• Responding personnel: Local system administration is responsible for containment; investigation; rebuilding, and hardening the system; properly documenting the incident; reporting findings to the Incident Officer, other System Administrators, and the Information Security Incident Response Team (ISIRT). They also must bring the incident to closure and follow up with those parties impacted by the event.
• Level 2 Incident – Internal Data: Internal data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be any civil statute, law or other regulation requiring this protection. Internal data is information that is restricted to personnel designated by the University who have a legitimate business purpose for accessing such data.
• Responding personnel: Local system administrator and ISIRT are accountable for the response based on the ISIRT plan.
• Level 3 Incident – Restricted/Confidential Data: Restricted/confidential data, if disclosed to unauthorized persons, would be a violation of federal or state laws, industry regulations, University policy, or University contracts. Any file or data that contains personally identifiable information of a trustee, officer, agent, faculty, staff, retiree, student, graduate, donor, or vendor may also qualify as restricted/confidential data.
• Responding personnel: Local system administrator and ISIRT are accountable for the response based on ISIRT plan.

Contacts

• To report an incident, during business hours, contact the Office of Information Technology Help Desk at (269) 387-4357, option 1, or by email to helpdesk@wmich.edu. After hours email oit-security@wmich.edu.
• Should you have any general questions concerning what constitutes a security incident, or what policies and procedures are in place to govern institutional data, please email oit-security@wmich.edu.
• For protected health information, contact the University HIPAA officer, Office of the Vice President for Legal Affairs and General Counsel, (269) 387-1900.
• For protected financial information, contact the University Gramm Leach Bliley Act Officer, Office of the Associate Provost for Enrollment Management, (269) 387-2954.
• For human subject research information, contact the Office of the Vice President for Research, (269) 387-8298.

References

Additional information is available through the following reference documents:

• Data classification policy
• Gramm Leach Bliley Act compliance
• Information security incident response team roles and responsibilities
• Health Insurance Portability and Accountability Act 

Document action

Reviewed by: Campus Information Security Committee, Jan. 2009
Revised by: Campus Information Security Committee, Jan. 2009
Revised by: Gramm Leach Bliley Act Compliance Committee, Oct. 2012