Cal Poly Pomona
Information Security Incident Response Procedure

PROCEDURE NAME: Cal Poly Pomona Information Security Incident Response Procedure

POLICY REFERENCE: Information Security (under development)

VERSION: 1.0

EFFECTIVE DATE: April 04, 2008
PURPOSE AND SCOPE: This procedure outlines the protocol for responding to a security breach involving
personal information processed and/or maintained by the university and its auxiliary organizations. New legal
requirements of the California Information Practices Act, California Civil Code 1798.29 and 1798.82, require state
agencies with computerized data containing personal information to disclose any breach of security of a system
containing such data to any California resident whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. This procedure is intended to assist campus departments
in implementing the new university requirement.

Personal information will be considered to be acquired, or reasonably believed to be acquired, by an unauthorized
person in any of the following situations:

    1. Loss of documents – lost or stolen documents containing personal information
    2. Loss of computing system – loss of any server, desktop, laptop, or personal digital assistant (PDA)
       containing unencrypted personal information
    3. Loss of digital media – loss of thumb drives, optical media, floppies, or SD cards containing unencrypted
       personal information
    4. Hacking incident – a successful intrusion via the network of a computer system containing personal
       information
    5. Unauthorized data access – the accessing, viewing, downloading or otherwise obtaining of unencrypted
       personal information maintained by California State Polytechnic University, Pomona by individuals who
       are not authorized to access that data. This includes situations where individuals have received data that
       they are not authorized to access: emails sent to the wrong recipient, paper documents sent to the wrong
       recipient, and incorrect computer access settings.

DEFINITIONS:
Unencrypted – Unencrypted data is referred to as plain or clear text.

Encrypted – Encrypted data has been altered to be unintelligible to unauthorized parties.

Personal information – Personal information means an individual's first name or initial and last name in combination
with any one or more of the following data elements, when either the name or the data elements are not encrypted:

      1.   Social security number (SSN), or last 4 digits of SSN with date of birth (DOB);
      2.   Driver's license number or California Identification Card number;
      3.   Account number (which could include a student identification number), credit or debit card number, in
           combination with any required security code, access code, or password that would permit access to an
           individual's financial account.

Breach of security – A breach of security is the unauthorized acquisition of paper or computerized data that
compromises the security, confidentiality, or integrity of personal information maintained by California State
Polytechnic University, Pomona. This does not include good faith acquisition of personal information by an
employee or agent of California State Polytechnic University, Pomona, if the personal information is not used or
subject to further unauthorized disclosure.

Campus Security Incident Review Team (CSIRT) – The CSIRT coordinates the review of any security breach that
potentially involves the unauthorized access of personal information.


OBJECTIVES: The objectives of the security incident procedure are to:
    - Ensure that events and incidents are systematically categorized, correlated, prioritized, assigned, and
      analyzed
    - Ensure that responses to security events are coordinated and dealt with in a consistent fashion
    - Ensure that individuals whose information is acquired are notified in a timely manner
    - Ensure that in each security event, mitigation strategies and enhancements to campus security are examined

RESPONSIBILITIES: The following individuals and organizational units have the following responsibilities:

A. Campus Units (Division, College, Center, or Department)
The campus units must:
    1.   Inform users granted access to personal information of their responsibilities to secure such data from
         unauthorized release
    2.   Establish monitoring procedures to identify unauthorized access or anomalous activity
    3.   Report suspected unauthorized acquisition of personal information to the Information Security Officer

B. Data Users
The data users must:
    1.     Abide by established procedures on access to and use of personal information
    2.     Protect the resources under their control, such as passwords, computers, and data they download
    3.     Report to the Information Security Department any unauthorized acquisition or anomalous activity which
           may have resulted in the release of personal information to unauthorized individuals

C. Incident Manager (Information Security Officer)
The Incident Manager for security breaches involving personal information will be the Information Security Officer.
The Incident Manager is responsible for working with the Incident Coordinator to ensure effective communication
to affected users and campus units, including the Help Desk. The Incident Manager is also responsible for ensuring
adequate and appropriate resources are assigned to the Incident Response Team. Specifically, the Incident Manager
is responsible for:
    1.    Invoking the need for the Incident Response Team.
    2.    Keeping the Incident Response Team informed of incident status.
    3.    Ensuring appropriate resources are assigned.
    4.    Ensuring that the work of the Incident Response Team is coordinated
    5.    Ensuring that the campus security incident response process is followed
    6.    Ensuring that system wide and campus notification procedures are followed
    7.    Keeping the Campus Security Incident Review Team informed of incident status.
    8.    Submitting findings in a written report to the Campus Security Incident Review Team
    9.    Ensuring that the work of the Campus Security Incident Review Team is coordinated.
    10.   Submitting an incident closure report to the President’s cabinet as soon as the notification process is
          completed.

D. Incident Coordinator
The Incident Coordinator for security breaches will be drawn from the staff of the Information Security
Department. The Incident Coordinator is the key contact point for the affected campus units. The Incident
Coordinator is responsible for working with the Incident Manager to pull together an Incident Response Team. The
Incident Coordinator coordinates the Incident Response Team in its effort to identify and resolve the security breach.
Specifically, the Incident Coordinator is responsible for:
              a.   Working with Incident Manager to identify resources needed to resolve the problem.
              b.   Recommending specific assessment, investigation, and mitigation steps to the Incident Manager.
              c.   Making recommendations to the Incident Manager such as a need for escalation and
                   communications.



              d.   Supporting the Incident Manager in the execution of his/her role and responsibilities.

E. Incident Response Team (IRT)

The Incident Response Team is the group of individuals who are working to identify and resolve the information
security breach. The Incident Response Team can be composed of people from various departments (inside and
outside of I&IT). The Incident Response Team is responsible for:
             a)   Collaboratively working together as a team to identify the source and scope of the information
                  security breach using the technical expertise of all individuals.
                    i) The team discusses ideas and suggestions for the possible source(s) of the security
                         breach.
                   ii) The team agrees on an action plan for researching the security breach.
                   iii) Individuals must participate fully as members of the team by communicating and
                        coordinating their work with other members of the team
                   iv) Note: For the duration of the incident, members of the Incident Response Team are
                        directed by and responsible to the Incident Manager, who in the case of an information
                        security breach is the Information Security Officer.
             b) Once the security breach is identified, the group agrees on an action plan and executes it.

F. Campus Security Incident Review Team (CSIRT)
The Campus Security Incident Review Team is responsible for coordinating a review of information security
breaches that involve the unauthorized access of personal information. The Campus Security Incident Review
Team will be composed of individuals drawn from the following areas:
         Audit
         Risk Management
         University Police
         University Counsel
         Public Relations Director
         Chief Information Officer
         Information Security Officer

The Campus Security Incident Review Team is responsible for:
    a) Collaboratively working together as a team to determine if a security breach resulted in the release of
       personal information to unauthorized individuals.
        i) The team discusses the findings by the Information Security Officer.
        ii) The team recommends actions by the President, based on discussions and findings of fact reported by
            the Information Security Officer, including notification of individuals whose personal information is
            reasonably believed to have been acquired by unauthorized individuals

    b) Monitoring the progress of the campus units in respect to notification and remedial action authorized by the
       President, and formally closing the review of an incident after all remedial actions have been taken.




PROCEDURES:



A. Suspected Breach Process

     1.   Any suspected breach of a system containing personal information must be reported to the Information
          Security Department. The Information Security Officer, in partnership with the incident response team
          and the campus units responsible for managing the systems that contain personal information, will
          confirm the security breach.

B. Incident Response Process

     1) The incident response process is initiated when there is a reasonable basis to conclude that the
        unauthorized access of personal information has occurred.

     2) If a breach is suspected within a computing system that contains or has network access to unencrypted
        personal information, the campus unit must respond immediately:
           a) Remove the computing system from the campus network (disconnect network cable),
           b) Contact the Information Security Officer to conduct a preliminary analysis of the breach (identify
                incident cause, personal information at risk of acquisition, collect evidence of data acquisition and
                identify the required remedial action)

     3) The Information Security Officer will determine if an Incident Response Team is needed to identify and
        resolve the security breach.

     4) The Vice President of I&IT and the Vice President (or Dean or Director) of the affected campus unit will
        be informed by the Information Security Officer that an incident investigation is needed to resolve a
        security breach.

     5) If the Information Security Officer invokes the Incident Response Team:
                (a) The Incident Response Team will review evidence of a breach with the affected campus unit
                (b) The Incident Response Team will research the security breach and agree on an action plan.

     6) The Information Security Officer will review all findings of the Incident Response Team. If required, the
        Information Security Officer will arrange for additional assistance to be provided to the campus unit to
        preserve incident evidence and/or examine the subject computer(s).

     7) The Information Security Officer will document the findings in a written report to the Campus Security
        Incident Review Team (CSIRT), along with recommendations to management of the campus unit for
        addressing the causes of the security breach.




C. Incident Review Process
      1.   The Information Security Officer will notify the CSIRT if there is a reasonable belief, based on findings
           of fact, that unencrypted personal information has been acquired by an unauthorized source. The CSIRT
           will be informed of the nature of the security breach, the number of individuals affected, and the remedial
           steps that have been taken to address the cause of the security breach.
      2.   The CSIRT will consider, based on findings of fact by the Information Security Officer and the Incident
           Response Team, whether criteria requiring notification under California Civil Code 1798.29, 1798.82,
           and 1798.84 have been met and, if they are met, consider what means of notification, e.g., email, postal
           mail or website notice, should be employed. During the analysis of whether the incident supports
           notification recommendation, the CSIRT will consider, among other facts,

             a) the duration of information exposure,
             b) availability of log records that provide evidence of information download or copy activity,
             c) indication that the information was actually used by an unauthorized person,
             d) indication that the information is in the physical possession of an unauthorized person,
             e) the amount of information at risk,
             f) the extent to which knowledge about the identified computer compromise indicates that the attack
                was part of a broad internet exploit and whether the attack was intended to seek and collect personal
                information,
             g) and other criteria defined by the California State University System or regulatory agencies.

           During the incident review, representatives of the CSIRT may meet with the campus unit, or designee, as
           necessary, to review the incident details and notification criteria.

      3.   The CSIRT will forward a recommendation to the President and the President’s Cabinet concerning
           notification of individuals whose personal information may have been acquired by an unauthorized party.

      4.   If the President determines that notification is required, the campus unit must notify the individuals of the
           possible information release without unnecessary delay. The Information Security Officer will
           immediately report the breach to the Senior Director of Information Security in the Chancellor’s Office.


D. Notification Process

      1.   The final report from the CSIRT and the authorization from the President will initiate the notification
           procedure.

      2.   The CSIRT will determine the notification plan, including the means and text of notification. Affected
           individuals shall be notified in the most expedient time possible, and without unreasonable delay,
           consistent with the legitimate needs of law enforcement, or any measures necessary to determine the
           scope of the breach and restore the reasonable integrity of the data system. The information considered
           when determining the notification date shall be documented.

      3.   The department or office responsible for controlling access to and security of the breached system will
           compile the list of the names of persons whose personal information was, or is reasonably believed to
           have been, acquired by an unauthorized person. In consultation with the Information Security Officer, a
           list of individuals to notify shall be compiled based on the following criteria:

             a)   California residents whose notice-triggering information was or is reasonably believed to have
                  been acquired by an unauthorized person.




             b) All individuals who are likely to have been affected, when identification of specific individuals
                whose personal information was acquired or is reasonably believed to have been acquired by an
                unauthorized person cannot be made.
             c) If notices are sent to more than 10,000 individuals, the following consumer credit reporting
                agencies shall be notified:
                      i.   Experian: E-mail to BusinessRecordsVictimAssistance@experian.com.
                     ii.   Equifax: E-mail to lanette.fullwood@equifax.com
                    iii.   TransUnion: E-mail to fvad@transunion.com, with "Database Compromise" as subject.

           The process for determining inclusion in the notification group shall be documented.

      4.   Upon approval of the notification plan by the General Counsel, CSIRT will work with the Public
           Relations Office to deliver the notification. The CSIRT will work with the campus units as required for
           additional advice or assistance to affected individuals.

             a) Content of Notice
                The notice will provide minimal information explaining the incident, with, where applicable, a
                reference to a web page that provides additional details, a contact for incident inquiries, and
                references for individuals regarding identity theft and fraud. The content of the notice and the
                content of the web page will be reviewed and approved by the Information Security Officer. The
                notification document shall be issued and paid for by the department(s) responsible for controlling
                access to and security of the system.
             b) Method of Notification
                The University's incident notice shall be delivered by e-mail or letter, printed with official
                California State Polytechnic University, Pomona logo, addressed to the individual at the last
                recorded address registered with the University. E-mail is the official communication method of
                Cal Poly Pomona. In cases where an active e-mail address is not on file for an individual, a letter
                will be mailed to the individual at the last recorded address. In cases where the e-mail is returned
                as non-deliverable, a letter will be sent. Any letters returned with address forwarding information
                will be re-sent by the responsible department.
             c) If more than 500,000 individuals were affected or if the cost of giving individual notices to
                affected individuals is greater than $250,000, the following substitute notification procedures shall
                be followed:

                      i.   A "Notice of Breach" shall be conspicuously posted on the campus web site.
                     ii.   Major statewide media including television, radio, and print shall be notified.

E. Incident Inquiry Process
Subsequent to an incident, the University can expect several inquiries from notified users, their parents/spouses, and
security vendors. The Information Security Officer will provide an Incident Communication Guideline to be used by
the individual(s) designated by the Vice President of the affected division to respond to any phone calls/emails/
letters/walk-in traffic with inquiries regarding the incident. In general, the Incident Communication Guideline will
direct employees:

    1.     Not to offer unsolicited information or comments to the media
    2.     To advise the inquirer that the incident is under investigation (if this is the case)
    3.     To direct the inquirer to a web site for incident information
    4.     To direct inquirers from law enforcement to the University Police Department
    5.     To direct inquirers from the media to the Public Relations Officer

F. Reporting Process
The Information Security Officer will submit a closure report to the President’s Cabinet as soon as the notification
process is completed, or if any problem is encountered during that process. This report will detail the nature and
cause of the incident, what notification was done and to whom, and what steps have been taken to prevent a
recurrence of such an incident.