Jan 23, 2019  
Policies 
    
Policies

Technology Division


08:15:00 Security Incidence Response

  1. Introduction: This policy constitutes the guidelines necessary to manage a security incident response required for possible computer resource, institutional data loss and/or for the litigation hold process. This policy is intended to be an addition to existing college policies and regulations and does not alter or modify any existing college policy or regulation. This policy is to be used in conjunction with ChSCC 05:12:01 Sensitive Equipment Policy and TBR B-080 Reporting and Resolution of Institutional Losses.
    1. The term "resource" College-owned or operated computing resources including, computer hardware and software, computer network access and usage, internet and email usage, security and privacy of all data created and maintained by the College, (i.e. student, research, financial, payroll/personnel, etc.)
    2. All data created by the College, except where superseded by grant or other contracts, or by Copyright Law, will be protected regardless of medium on which it resides, (including paper, in electronic form on disk, hard drive or flash drive, etc.) and regardless of form (e.g., text, graphics, video, voice, etc.)
  1. This policy includes all ChSCC staff (including contractors and student workers), faculty, students, authorized users and visitors that have access to College facilities, computing resources or College data. Review ChSCC Technology Division's Policies 08:13 Computer Passwords, 08:14 Technology Responsible Use, 08:16 Data Security policies, and other policies as necessary. Use of ChSCC sensitive data, even when carried out on a privately owned computer that is not managed or maintained by ChSCC, is also governed by this policy.
  2. When an incident of fraud, waste, abuse and/or loss of information technology resources is suspected, the ChSCC VP of Technology, or designee, should be notified as soon as possible. If the possible loss of sensitive data is suspected, notification must happen as soon as possible on the same business day of detection. The ChSCC Police will be notified and the Security Incident Response Plan will be started.
  3. Any sensitive equipment or other sensitive resource is part of the investigation will require the Technology designee and ChSCC Police to provide chain of access control of any recovered or suspect sensitive equipment. (Refer ChSCC 05:12:01 and TBR Guideline B-080.) The following actions will be taken immediately:

1.  Technology Division Technical Support and ChSCC Police will take possession of resource, hard drive, etc. that needs to be controlled pending further investigation. If this will also include a Litigation hold on user accounts, notify Executive Director, Information Management in Technology Division. (Refer to TBR Guideline G-075 Litigation Hold Notice.) The ChSCC Police and Technical Support will go together to take possession of the resource.

2. Technical Support and ChSCC Police will pick up the resource and deliver to Technical Support office. Chain of custody documentation will be signed and a copy provided to ChSCC Police and Technology Division VP.

3. Full back up is made of data on resource, if needed, and resource will be locked in office until it's determined who gets custody of the resource.

4.  Person who gets custody of the resource will contact Technical Support and will fill out all necessary forms required to release the resource. Form will then be kept on file.

5.  Internal Audit will be notified as appropriate in compliance with the ChSCC Fraud, Waste, and Abuse policy 11:12:06. 

  1. Depending upon scope of incident, a Security Incident Team should be implemented to review incident, ensure policies are followed and own the situation until it is resolved. Suggestions for membership on this team should be determined by the Executive Cabinet and include ChSCC Auditor to ensure proper management of the incident. This team should make a preliminary investigation to identify known facts. The reporting individual and their supervisor will also be part of this preliminary investigation.
    1. The Security Incident Team will make initial determination, based on TBR 4:01:05:50 Preventing and Reporting Fraud, Waste or Abuse and TBR Guideline B-080, on whether an official incident response report to TBR is required and if FERPA and/or other sensitive data loss require customer/student notification under Tennessee Code, Title 47 Chapter 18, and Part 21. Because such reports of issues are confidential, they should only be shared on a need-to-know basis. As soon as possible after initial investigation is completed, the IT designee or another individual on the Security Incident Team will follow TBR Guideline B-80 Reporting and Resolution of Institutional Losses.
    2. When needed, the Security Incident Team should activate a Technical Investigation Team to determine possible impacts due to the type of incident. VP of Technology will assist with determining who needs to be on this team. Members of this team will include those individuals with technical skills that can properly evaluate the situation.
    3. If customer/student notification, due to loss of FERPA and/or other sensitive data, is required and the Security Incident Team's recommendation is agreed with, the College President and other individuals are notified immediately as required by TBR 4:01:05:50 Preventing and Reporting Fraud, Waste or Abuse and TBR Guideline B-080. Currently any data breach issues will need to be reported to Chief Audit Executive and Investigative Auditor. Customers/students impacted by loss of data are notified as required by Tennessee Code, Title 47 Chapter 18, Part 21.
    4. Any official of any agency of the state having knowledge that a theft, forgery, credit card fraud, or any other act of unlawful or unauthorized taking, or abuse of, public money, property, or services, or other shortages of public funds has occurred shall report the information immediately to the office of the Comptroller of the Treasury (T.C.A. § 8-19-501(a)).
  1. All responses to the media and outside agencies not involved in the required reporting will be handled through the Office of the President. Once the incident has been handled as required, the Security Incident Team prepares a "Lessons Learned" document for Executive Council review and takes actions as directed to prevent future re-occurrences.

References:

  1. State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:01, 12/15/2016
  2. Tennessee Code Annotated Title 47, Chapter 18, Part 21
  3. Tennessee Board of Regents (TBR) Information Technology Policy B-080
  4. Tennessee Board of Regents (TBR) Litigation Hold Notice G-75, 11/6/2007
  5. ChSCC 05:21:01 Sensitive Equipment Policy, 1/28/2009
  6. ChSCC Technology Division Policy 08:13 Computer Passwords, 9/30/2018
  7. ChSCC Technology Division Policy 08:14 Technology Responsible Use 9/30/2018
  8. ChSCC Technology Division Policy 08:16 Data Security, 9/30/2018                                                                                                                                           

 

 

Submitted to Policy Review Committee on October 24, 2018

Submitted to Policy Review Board on November 30, 2018

Approved by Policy Review Board on December 6, 2018