Immaculata University IT Security Incident Response Plan

IMMACULATA UNIVERSITY IT SECURITY INCIDENT RESPONSE PLANEffective Date:AuthorityThis Program was approved by the President of Immaculata University(hereinafter “IU”).Program Statement This IU IT Security Incident Response Plan (the “Plan”) definesstandard methods for identifying, documenting and responding to DataSecurity Incidents.Program PurposeThe purpose of this Plan is to prevent damage and/or loss toInstitutional Data, including Private Information, to prevent damage toIU Information Technology and to place IU in compliance with its legalobligations.Section headings are:1. DEFINITIONS2. IDENTIFICATION OF INCIDENT3. ESTABLISHMENT OF INCIDENT RESPONSE TEAM4. CONTAINING DAMAGE AND PRESERVING EVIDENCE5. INCIDENT RESPONSE REPORT6. ADDITIONAL OBLIGATIONS OF INCIDENT RESPONSE TEAM7. INCIDENT PREVENTION8. MODIFICATIONS AND ADJUSTMENTS9. SPECIAL SITUATIONS/EXCEPTIONSI. DEFINITIONS“Data Security Incident” occurs when there is a serious threat of or unauthorizedaccess or acquisition to IU Information Technology or a User’s computerized data thatcompromises the security, confidentiality, or integrity of the information, includingInstitutional Data and Private Information. A Data Security Incident also occurs wherethere has been unauthorized access or acquisition of encrypted data and the confidentialprocess or key to the encryption is also compromised. Data Security Incidents canrange from the unauthorized use of another User’s account or system privileges to theexecution of malicious code, viruses, worms, trojan horses, cracking utilities, or attacksby crackers or hackers. Data Security Incidents may also involve the physical theft of IUInformation Technology or a User’s technology, such as a computer or other electronicmedia, or may occur as the result of a weakness in information systems or components(e.g., hardware design or system security procedures). A non-exhaustive list ofsymptoms of incidents that qualify as Data Security Incidents include: a system alarm orsimilar indication from an intrusion detection tool; suspicious entries in a system orDM3\956481.7-1-

“User” includes any individuals, entities such as third party hosting contractors, staff,faculty, or employed students, given electronic access to IU’s Institutional Data and/orusing IU Information Technology.II.IDENTIFICATION OF INCIDENTAny User or individual or organization not affiliated with IU may refer a Data SecurityIncident to the Program Officer. The Program Officer and his or her personnel canidentify a Data Security Incident through proactive monitoring of IU’s network andinformation system activities.III.ESTABLISHMENT OF INCIDENT RESPONSE TEAMThe Program Officer shall assemble, manage, maintain, train and lead the IncidentResponse Team.IV.CONTAINING DAMAGE AND PRESERVING EVIDENCEFollowing a Data Security Breach the Incident Response Team will:• Review the circumstances and the actions taken;• Assign roles;• Create a plan of action to contain damage and gather evidence; and• Ensure that wherever possible, a forensic copy of the affectedcomputer hard drive or server database is created.The Incident Response Team will work with the appropriate staff and OTS to takewhatever actions are necessary to ensure that no additional Institutional Data is lost ortaken and/or that no additional Information Technology is exploited.V. INCIDENT RESPONSE REPORTThe Incident Response Team will ensure that Data Security Incidents are appropriatelylogged and archived. To that end, following any Data Security Incident, the IncidentResponse team must produce an Incident Response Report (a “Report”) as outlined inthis Section V of the Plan. Any Data Security Incidents involving Electronic ProtectedHealth Information (“ePHI”) pursuant to the Health Insurance Portability andAccountability Act (“HIPAA”) will be so identified in the Report.The Incident Response Team will be responsible for communicating the Incident toappropriate IU personnel and maintaining contact, for the purpose of update andinstruction, for the duration of the Incident.DM3\956481.7-3-

Each Report should include at a minimum the following:• A description of the Data Security Incident;• Type of Institutional Data or other information exposed and/orpotentially at risk of exposure from the Data Security Incident;• Type of IU Information Technology damaged or potentially at riskof damage or loss due to the Data Security Incident;• Steps taken for containment of the Data Security Incident;• Steps taken for remediation of the Data Security Incident;• Logging of all internal and external communications issued,including all emails and phone calls regarding the Data SecurityIncident;• Interactions with law enforcement and disciplinary authoritiesregarding the Data Security Incident; and• Legal obligations and actions taken to satisfy those legalobligations regarding the Data Security Incident.VI.ADDITIONAL OBLIGATIONS OF INCIDENT RESPONSE TEAMSimultaneous with the creation of the Report and containment of the Data SecurityIncident, the Incident Response team must:• Determine how the Data Security Incident occurred and takeimmediate remedial action to prevent it from occurring again;• If the breach involves a User, contact the appropriate disciplinaryoffice, including the local police if appropriate;• Collaborate with IU’s outside counsel to determine and thenperform IU’s obligations to affected persons and parties;• Collaborate with the President to manage public relationscommunications effectively regarding the Data Security Incident;and• Rebuild all comprised IU Information Technology and closelymonitor the rebuilt systems.VII.INCIDENT PREVENTIONDM3\956481.7-4-

Wherever possible and in conjunction with the application of other IU policies relating toinformation security, IU will undertake to prevent Data Security Incidents by monitoringand scanning its own network for anomalies, and developing clear protection proceduresfor the configuration of its Information Technology and other related resources.VIII. MODIFICATIONS AND ADJUSTMENTSThis Plan and its procedures will be reviewed periodically to adjust processes, identifynew risks and remediations.IX.SPECIAL SITUATIONS/EXCEPTIONSAny personally-owned devices, such as PDAs, phones, wireless devices or otherelectronic transmitters which have been used to store Institutional Data and aredetermined to have contributed to a Data Security Incident, may be subject to seizureand retention by IU authorities until the Data Security Incident has been remediated,unless the custody of these devices is required as evidence for a court case. By usingthese devices within the IU network for business purposes, individuals are subject to IUpolicies restricting their use such as the IU Acceptable Use Policy.DM3\956481.7-5-