
IT Security Incident Reporting and Response Policy

Chapter 3434

Issued April 15, 2009

Table of Contents

.010 Purpose

.020 Scope

.030 Effective Date

.040 Authority

.050 Policy

.060 Definitions

.070 Roles and Responsibilities

.080 Implementing Procedures

.090 Related Laws, Regulations, or Policies

.100 Questions/Waivers


.010 Purpose

This policy governs the actions required for reporting or responding to security incidents involving K-State information and/or information technology resources to ensure effective and consistent reporting and handling of such events.

.020 Scope

This policy applies to all members of the University community, including students, personnel, units, and affiliates using University information technology resources or data.

.030 Effective Date

This policy became effective on January 8, 2009.

.040 Authority

For major incidents, which include a breach of personal identity information (PII), Kansas Regents IT Council (RITC) policy requires escalation to the top administration on campus and prompt notification of the Board of Regents office. Likewise, Kansas Senate bill 196 that went into effect in January 2007 requires a prompt investigation and notification of potential victims in response to a security incident involving a breach of PII.

.050 Policy

All members of the University community are responsible for reporting known or suspected information or information technology security incidents. All security incidents at K-State must be promptly reported to K-State’s Chief Information Security Officer (CISO) and other appropriate authority(ies) as outlined in Section .080 "Implementing Procedures".

Incident response will be handled appropriately based on the type and severity of the incident in accordance with the incident response summary table in Section .080.B.2 below and K-State’s IT Security Incident Management Procedures. Handling of security incidents involving confidential data will be overseen by an Executive Incident Management Team.

All individuals involved in investigating a security incident should maintain confidentiality, unless the Vice Provost for Information Technology Services authorizes information disclosure in advance.

.060 Definitions

  1. A security incident is any real or suspected event that may adversely affect the security of K-State information or the systems that process, store, or transmit that information. Examples include:

  2. Personal identity information (PII) is an individual’s name (first name and last name, or first initial and last name) in combination with one or more of the following: a) Social security number, b) driver’s license number or state identification card number, c) passport number, or d) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

.070 Roles and Responsibilities

  1. The incident manager is responsible for managing the response to a security incident as defined in the incident response summary table in Section .080.B.2 below.

  2. The Executive Incident Management Team oversees the handling of security incidents involving confidential data (e.g., personal identity information). This team has authority to make decisions related to the incident and to notify appropriate parties. The team consists of:

.080 Implementing Procedures

  1. Reporting Security Incidents. Any member of the K-State community who suspects the occurrence of a security incident must report incidents through the following channels:

  2. Responding to Security Incidents

Incident Response Summary Table. For each incident severity level the table gives: Characteristics (one or more condition present determines the severity), Response Time, Incident Manager, Who to Notify, and whether a Post-Incident Report is Required*.

Severity: High
  Characteristics (one or more condition present determines the severity):
  1. Significant adverse impact on a large number of systems and/or people
  2. Potential large financial risk or legal liability to the University
  3. Threatens confidential data
  4. Adversely impacts a critical enterprise system or service
  5. Significant and immediate threat to human safety
  6. High probability of propagating to a large number of other systems on or off campus and causing significant disruption
  Response Time: Immediate
  Incident Manager: Chief Information Security Officer or an Executive Incident Management Team
  Who to Notify:
  1. Chief Information Security Officer
  2. Vice Provost for IT Services
  3. Unit administrator (VP, Provost, Dean, etc.)
  4. Unit head
  5. SIRT representative
  6. Departmental security contact
  7. Technical support for affected device
  8. If breach of PII, see K-State IT Security Incident Management Procedures for additional notification requirements
  Post-Incident Report Required*: Yes

Severity: Medium
  Characteristics (one or more condition present determines the severity):
  1. Adversely impacts a moderate number of systems and/or people
  2. Adversely impacts a non-critical enterprise system or service
  3. Adversely impacts a departmental scale system or service
  4. Disrupts a building or departmental network
  5. Moderate risk of propagating and causing further disruption
  Response Time: 4 hours
  Incident Manager: Appointed by unit head
  Who to Notify:
  1. Chief Information Security Officer
  2. Unit head
  3. SIRT representative
  4. Departmental security contact
  5. Technical support for affected device
  Post-Incident Report Required*: No, unless requested by Vice Provost for IT Services or other appropriate administrator

Severity: Low
  Characteristics (one or more condition present determines the severity):
  1. Adversely impacts a very small number of non-critical individual systems, services, or people
  2. Disrupts a very small number of network devices or segments
  3. Little risk of propagation and further disruption
  Response Time: Next business day
  Incident Manager: Technical support for affected device
  Who to Notify:
  1. Chief Information Security Officer
  2. SIRT representative
  3. Departmental security contact
  Post-Incident Report Required*: No

Severity: N/A ("Not Applicable")
  Used for suspicious activities which upon investigation are determined not to be an IT security incident.

* See K-State IT Security Incident Management Procedures for details about the Post-Incident Report

.090 Related Laws, Regulations, or Policies

  1. K-State IT Security Incident Management Procedures – http://www.k-state.edu/infotech/security/procedures/incidentproc.html

  2. K-State IT security team – http://www.k-state.edu/infotech/security/itsec-team

  3. K-State Security Incident Response Team (SIRT) – www.k-state.edu/infotech/security/SIRT

  4. Kansas Regents IT Council (RITC) Security Incident Policy and Procedure, April 2005 – www.kansasregents.org/board/committees/Ritcdownloads/RITC Security Incident Policy.pdf

  5. Enterprise IT Security Reporting Protocols, State of Kansas IT Security Council, October 2007 – www.da.ks.gov/itec/itsec/ITSec_Reporting_Oct07.pdf

  6. Kansas IT Executive Council (ITEC) IT Enterprise Security Policy, ITEC policy 7320 – www.da.ks.gov/itec/Documents/itecitpolicy7230.htm

  7. Kansas Senate Bill 196 requiring notification of victims in a breach of personal identity information – www.kslegislature.org/bills/2006/196.pdf

.100 Questions/Waivers

The Vice Provost for Information Technology Services (ITS) is responsible for this policy. The Vice Provost for ITS or designee must approve any exception to this policy or related procedures.

Questions should be directed to the Chief Information Security Officer.

Kansas State University
August 28, 2009