Introduction
Purpose
This document outlines the plan for responding to information security incidents at the University of Connecticut, including defining the roles and responsibilities of participants, the overall characterization of incident response, relationships to other policies and procedures and guidelines for reporting requirements.
Due to the wide variety of incidents that could face the university and the rapid advancement of threats against the university, its data and systems, this document is designed to provide guidance in reacting to data security incidents, determination of their scope and risk, and ensuring an appropriate response to information security incidents, including communication of incidents to the appropriate stakeholders and reducing the incident from re-occurring.
This protocol is not to be considered as policy due to the varied nature of incidents that can occur within a university environment. This variation in incidents may cause deviations from this protocol that are meant to provide the universities ability to respond to incidents in an optimal manner.
Anyone suspecting an exposure of university data or systems should immediately contact:
Technology Support Center - (860) 486-4357 or techsupport@uconn.edu
Information Security Office – security@uconn.edu
Privacy Program– privacy@uconn.edu
Scope
This plan applies to all information systems, institutional data, and networks of The University of Connecticut and any person or device accessing these systems or data.
The Information Security Office (ISO) acts on behalf of the university community and will request cooperation and assistance in investigating incidents from community members as required. The ISO will also work closely with other University administrative groups such as General Counsel, Human Resources, Privacy, and UConn Public Safety in the investigation of incidents as necessary
Maintenance
The University’s Information Security Office (ISO) is responsible for the maintenance and revision of this document.
Definitions
Event
An event is an exception to the normal operation of IT infrastructure, systems or services. Events may be identified through the use of automated systems; reported violations to the ISO, Compliance/Privacy or other university department; or in the course of normal system reviews including system degradation/outage. It is important to note that not all events become incidents.
Incident
An incident is an event that, as assessed by ISO staff, violates the Acceptable Use Policy, Access Control Policy, Confidential Data Policy or other University policy, standard, or Code of Conduct or threatens the confidentiality, integrity, or availability of Information Systems or Institutional Data.
Regulated Data Classification
Regulated Data may have additional reporting and regulatory requirements when dealing with incidents. Examples of the various types of regulated data that may reasonably be found in the university environment are further detailed in Appendix C.
Roles and Responsibilities
Chief Information Security Officer (CISO)
Throughout the course of the protocol, the CISO is broadly responsible for:
- Coordinating efforts to manage an information security incident;
- Ensuring the prompt investigation of a security incident;
- Determining what University data may have been exposed;
- Securing any compromised systems to prevent further damage;
- Providing guidance to the institutional stakeholders
Privacy Officer
Throughout the course of the protocol, the Privacy Officer is broadly responsible for:
- Coordinating efforts to manage regulatory requirements and notifications;
- With assistance from General Counsel, reviewing applicable federal and state laws and developing appropriate course of action to comply with such laws in the event a data exposure occurred;
- Ensuring all aspects of a data exposure management plan are completed
Executive Response Team
The Executive Response Team (ERT) consists of University Officials with the authority to make key decisions in managing an incident related to data with regulatory requirements for reporting. The ERT shall be comprised of the following standing members (note: other members may be asked to collaborate where appropriate):
- CISO
- Privacy Officer
- General Counsel
- Representative from the Office of the President
- University Communications
- Compliance and Risk Management (Cyberliability Insurance)
- Dean, Director, or Department Head of the area where the exposure is determined to have occurred
Incident Response Coordinator
Throughout the course of the protocol, the Incident Response Coordinator is broadly responsible for:
- Directing efforts to gather appropriate information
- Providing expertise in the procedural aspects of gathering information and documentation of process
- Updating CISO and other leadership as necessary
Incident Response Handler
Throughout the course of the protocol, Incident Response Handlers are broadly responsible for:
- Gathering data from systems
- Providing specific expertise in technology and data
- Entering appropriate data for Incident Management including procedural information
Incident Response Methodology
This plan outlines the general tasks for Incident Response. Due to the ever-changing nature of incidents and attacks upon the university this incident response plan may be supplemented by specific internal guidelines, standards and procedures as they relate to the use of security tools, technology, and techniques used to investigate incidents.
Scope
The Information Security Office represents all University provided Information System(s) and Institutional Data including data residing in cloud-based services. The University of Connecticut operates in a partially de-centralized environment with some departments and schools maintaining their own IT staffs. To the extent possible during an investigation, the ISO will attempt to coordinate investigation efforts with other groups in ensuring the security of university systems and data in relation to the activities in support of the institution. Specific actions and resources utilized in the investigation of an incident will be in alignment with the type, scope and risk of the threat to institutional systems and data.
Evidence Preservation
The primary goals of incident response are to contain the scope of an incident and reduce the risk to institutional systems and data and to return affected systems and data back to an operational state as quickly as possible. The ability to quickly return systems to operation may at times be hampered by the collection of data necessary as evidence in the event of an exposure of data.
Operational-Level Agreements
In today’s technology centered world many individuals have expectations about the availability of systems and data for themselves and the constituents they serve. The interruption of services can cause a hardship and the ISO will cooperate with the affected groups to ensure downtime is minimized. However, university leadership supports the priority of investigation activities where there is significant risk, and this may result in temporary outages or interruptions.
Training
The continuous improvement of incident handling processes implies that those processes are periodically reviewed, exercised and evaluated for process improvement. UConn staff inside and outside of ITS will be periodically trained on procedures for reporting and handling incidents to ensure there is familiarity with the process and with the responsibilities of the Incident Response Team. These exercises may take the form of either external or internal training including tabletop exercises.
Incident Response Phases
The Incident Response process encompasses six phases including preparation, detection, containment, investigation, remediation and recovery. These phases are defined in NIST SP 800-61 (Computer Security Incident Handling Guide). In the execution of responding to an incident, the Incident Response Team will focus on the detection, containment, investigation, remediation and recovery of the specific incident.
Preparation
Preparation for incident response includes those activities that enable the organization to respond to an incident and include the creation and review of policies, standards and guidelines supporting incident response; security and technology related tools; effective communication plans and governance. Preparation also implies that the organizations across the university have implemented the controls necessary to enable the containment and investigation of an incident. As preparation happens outside the official incident process, process improvements from prior incidents should form the basis for continuous improvement at this stage.
Detection
Detection is the identification of an event or incident whether through automated means with security tools or notification by an inside or outside source about a suspected incident. This phase includes the declaration and initial classification of the event/incident.
Containment
Containment of an incident includes the identification of affected hosts or systems and their isolation or mitigation of the immediate threat. Communication with affected parties is established at this phase of incident response.
Investigation
Investigation is the phase where ISO/ITS personnel determine the priority, scope, risk and root cause of the incident.
Remediation
Remediation includes the repair of affected systems and services, addressing residual attack vectors against other systems, communication and instructions to affected parties and an analysis that confirms the threat has been contained.
If the CISO or Privacy Officer reasonably believe that an exposure of regulated data may have occurred, the CISO or Privacy Officer will contact the Office of the General Counsel to provide situational information in determining a proper response at this stage.
Apart from any formal reports, the after-action analysis will be completed at this stage.
Recovery
Recovery is the analysis of the incident for possible procedural and policy implications. Recovery also includes the incorporation of any “lessons-learned” from the handling of the incident into future exercises and/or training initiatives.
Appendix A – Executive Response Team
The Executive Response Team is responsible for actions such as communication, information sharing, and minimizing impact from an exposure of regulated data. As university responses to each incident may vary, this section provides an overview of those actions that the Executive Response Team may take in responding to an incident in which regulatory data has been exposed.
- Once it is determined that enough information about the situation and the extent of the exposure has been collected, the Privacy Officer and CISO will collaborate with the Office of the General Counsel to determine if the incident rises to the level of a security breach. In the event that this is determined, appropriate members of the ERT should work together to determine what, if any, level of notification is required, how individuals impacted by the exposure should be notified and what, if any, services should be offered to the individuals impacted by the data exposure to help protect themselves from potential or actual identity theft. As part of this analysis, the Privacy Officer will coordinate with the Office of the General Counsel to review applicable state (CT and any other applicable state) and federal privacy, data security and breach notification laws and a plan of action to comply with applicable requirements of such laws.
- If it is determined that notification and credit monitoring protection is appropriate and/or required, the Privacy Officer and Procurement may engage the University’s designated vendor to provide notification and credit monitoring services on the University’s behalf. When applicable, the University may engage with our cyber-liability insurance carrier for assistance. Unless an exception is determined to be appropriate by the ERT, the office or department responsible for the data that was lost or exposed shall be responsible for the costs associated with remediating the exposure, including but not limited to notification and credit monitoring services.
- Where required by state and or federal law, the Privacy Officer will coordinate with the Office of the General Counsel, the Office of the President and/or University Communications to ensure that appropriate state and/or federal government entities (e.g., state attorneys general, other state agencies, FTC, DHHS) are notified of the exposure, who has been impacted, and the University’s course of action related to managing the exposure of data.
- Where appropriate, the Executive Response Team will contact the Office of the Attorney General (through the AG’s Privacy and Data Security Department), the Governor’s Office and/or any other appropriate State Officials to inform them about the data exposure.
- Where necessary or appropriate, the ERT will expeditiously collaborate to develop press releases, letters to affected individuals (by email and/or U.S. post). Where appropriate, the CISO will coordinate with University Communication to create web page(s) with information regarding the exposure and how individuals can take steps to protect themselves.
- The ERT will also designate a single point of contact to address questions/concerns of individuals concerned about the exposure. The ERT may decide to set up a special toll-free phone number line for individuals to call with questions/concerns or to utilize services provide by our cyber-liability insurance carrier, when applicable. The Privacy Officer will ensure that appropriate offices (i.e., University Switchboard, University Communications, Office of the President, office who lost or who is responsible for the data that has been compromised) are made aware of the single point of contact to whom questions/concerns should be directed.
- In the course of managing and remediating the exposure, as expeditiously as possible:
- The Privacy Officer will work with Purchasing and the department responsible for the costs of remediating the exposure to process necessary paperwork to engage the University’s designated vendor to provide notification and/or credit monitoring services.
- The Privacy Officer will work with the vendor to process any appropriate paperwork (i.e., SOW, PO, etc.) to engage the vendor’s services.
- The Privacy Officer will work with appropriate University staff, the Office of the General Counsel and the vendor to draft notification letters, and where appropriate, FAQ’s regarding the incident.
- The Privacy Officer and/or CISO will work with appropriate University staff to collect the names and last known addresses of individual who will need to be notified.
- Notification letters will be sent to impacted individuals or organizations by First Class Mail, email and/or other methods required by law.
- Press releases will be finalized and issued by University Communications where appropriate. The main University website(s), faculty/staff webpage and/or student web page will include a link to the news release.
- A special website, containing information regarding the exposure, how to get more information, and how to protect one’s credit, may be posted as appropriate by University Communications and/or the UITS Information Security Office.
- A mechanism for logging calls and/or inquiries received, as well as responses and/or assistance given, shall be created and implemented.
- Once proper notifications have been sent and posted and the matter has been contained and handled, debriefing meeting(s) should be held with all of the individuals involved in the incident investigation, management and remediation. Additional follow-up activities should occur as appropriate.
Appendix B – Guidelines for Incident Response
Each incident presents a unique set of challenges and problems. This section provides some common guidelines for preferred actions in these types of events. For any issues outside of these guidelines, the Chief Information Security Officer or Office of General Counsel should be consulted.
Incidents within Chain of Command
In incidents where a member of the incident response team, their leadership or the leadership of the university is being investigated, appropriate resources will be selected to remove any conflicts of interest at the direction of or in conjunction with either General Counsel or the Board of Trustees.
Interactions with Law Enforcement
All communications with external law enforcement agencies are made after consulting with the Office of General Counsel.
Communications Plans
All public communications about an incident or incident response to external parties outside of the University of Connecticut are made in consultation with the Office of General Counsel and University Communications. Private communications with other affected or interested parties should contain the minimum information necessary as determined by the Incident Coordinator or Chief Information Security Officer.
Privacy
The University respects the privacy of all individuals, and wherever possible the incident response process should be executed without knowledge of any individual identities until necessary.
Documentation, Tracking and Reporting
All incident response activities will be documented to include artifacts obtained during any investigation. As any incident could require proper documentation for law enforcement action, all actions should be documented, and data handled in an appropriate manner to provide a consistent chain of custody for the validity of the data gathered.
Escalation
At any time during the incident response process, the Incident Response Commander or the Chief Information Security Officer may be called upon to escalate any issue regarding the process or incident.
The Chief Information Security Officer in consultation with the Office of General Counsel will determine if and when an incident should be escalated to external authorities.
Appendix C – Primary Types of Regulated Data
Personally Identifiable Information (PII)
PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
- Social security number
- State-issued driver’s license number
- State-issued identification card number
- Financial account number in combination with a security code, access code or password that would permit access to the account
- Medical and/or health insurance information
Protected Health Information (PHI)
PHI is identified as “individually identifiable health information” transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium by a Covered Entity as defined in 45 CFR 160.103. PHI is considered individually identifiable if it contains one or more of the following identifiers:
- Name
- Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
- All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age if over 89) Computer Security Incident Response Plan Page 5 of 11
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Universal Resource Locators (URLs)
- Internet protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code that could identify an individual
PHI does not include education records covered by the Family Educational Rights and Privacy Act (FERPA) or employment records held by the university in its role as employer. While protecting these records are important, they do not fall under the regulatory protection required for PHI.
Education Records
The Family Educational Rights and Privacy Act (FERPA) defines education records as those records that are: 1) directly related to the student; and maintained by an educational agency or institution or by a party acting from the agency or institution. Additional information on which University-held records are excluded from the definition of education records is available via the University’s FERPA Policy. Access, use and disclosure of personally identifiable information contained in education records generally requires the prior written consent of the student, with limited exceptions. Such exceptions are outlined by the University’s FERPA policy.
Student Treatment Records
University records which are created or maintained by a physician, psychiatrist, psychologist or other recognized professional or paraprofessional acting or assisting in that capacity, used only in providing treatment to the student, and not available to anyone other than persons providing such treatment, except that such records may be personally reviewed by a physician or other appropriate professional of the student’s choice. Student treatment records are protected under Connecticut State Law. Excluded from this definition are records created and maintained by the University’s HIPAA covered entities. For more information, visit hipaa.uconn.edu