Information Security Incident Reporting & Response Policy
1. Overview
Information security incidents are occurring more frequently than ever. The University of Akron (UA) must take appropriate steps to respond in the event of an information security incident to minimize the impact and scope of the incident.
2. Purpose
This policy establishes the Information Security Incident Reporting & Response Policy for UA. The purpose of this policy is to define the requirements and responsibilities for reporting and responding to information security incidents in a manner that minimizes negative impacts to the confidentiality, integrity, and availability of UA institutional data, information systems, and/or information services.
3. Scope
This policy applies to any system, service, device, process, or media that is used to access, store, or transmit institutional data in electronic, audible, video, or physical formats. All UA constituents with access to institutional data or information systems/services must adhere to this policy.
4. Definitions
- Incident Response Team – The individuals responsible for investigating data breaches and other information security incidents. The incident response team is the UA Information Security Services department with the possible assistance of other agencies including but not limited to the UA Office of General Counsel, and local, state, and federal law enforcement agencies.
- Incident Handler – The Information Security Services staff member assigned by the Incident Response Team to lead the incident response effort.
- Information Security Incident – Any attempted or actual unauthorized access, use/misuse, disclosure, modification, or destruction of information or an information system including, but not limited to, interference with information technology operation and violation of University Rules, ITS policies and standards, and applicable laws and regulations.
- Examples of Information Security Incidents include, but are not limited to:
- Computer system breaches
- Theft or loss of systems, devices, media, or physical files
- Unauthorized access to, or use of, systems, software, or data
- Unauthorized changes to systems, software, or data
- Misuse of information systems
- Website defacement
- Denial of service attacks
- Impersonation of systems or people
- Interference with the intended use of IT resources
- Compromised user accounts
- Examples of Information Security Incidents include, but are not limited to:
- Information System – An electronic information processing, storage, or transmission system, which include but are not limited to the computers, terminals, printers, peripherals, portable devices, networks, online and offline storage media and related equipment, software, and data files that are owned, managed, or maintained by UA. Information systems also include, but are not limited to, institutional and departmental information systems, faculty research systems, computers, and general access computer clusters.
- Institutional Data – Any information or data that is gathered, analyzed, or published by any department of the University of Akron in support of its mission(s).
- Protected Institutional Data – Any information classified as more restricted than Public Use by the Data Owner, or appointed Data Steward(s), according to ITS Data Classification Standards
5. Policy
- All UA constituents must immediately report to the Chief Information Security Officer (CISO), any information security incident or event that could potentially impact the confidentiality, integrity, or availability of institutional data or any information system that stores, processes, or transmits institutional data.
- Information security incidents must be reported immediately upon their discovery and must be reported in accordance with Section 5. “Reporting” as of the Information Security Incident Response Procedure.
- Unsuccessful security incidents are foreseeable and expected and are not required to be reported but shall be reported if any uncertainty exists.
- The CISO must direct information security incident responses and investigations in coordination and collaboration with affected units in accordance with the Information Security Incident Response Procedure.
- The CISO will coordinate with other university departments, as appropriate, to address any required external reporting of information security incidents. All units and UA constituents will assist the CISO as necessary for the University to meet its reporting obligations.
6. Policy Compliance
- Roles and Responsibilities
- All UA constituents are responsible for complying with this policy and, where appropriate, supporting and participating in processes related to compliance with this policy.
- The Chief Information Security Officer is responsible for enforcing this policy.
- Non-Compliance
- Any UA constituent who knowingly violates this policy or any other university policy applicable to data security, and/or in any way intentionally breaches the confidentiality of Protected Institutional Data, may be subject to appropriate disciplinary action.
7. Related Document
University Rule 3359-11-08: Policies and Procedures for Student Records
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-10.8: Identity Theft Detection, Prevention, and Mitigation Policy
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Access Policy
ITS: Data Classification Standard
ITS: Secure Access and Data Storage Standards
ITS: Workday Delegations & Approvals Policy
8. Policy Administration
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 06/01/2023
Prior Effective Dates: NA
Review Date: NA