- College-owned or operated computing resources (hardware/software) and data (all formats) are provided for use by faculty, students and staff of Chattanooga State. This document constitutes the policy for the management of a security incident response for all computer resources and public records. This policy is intended to be an addition to existing college policies and regulations and does not alter or modify any existing college policy or regulation.
- The following policy is established to report losses of state or institutional IT property and/or other resources including hard copy of sensitive and public record data, whether by malfeasance or misfeasance.
- The policy establishes guidelines for security incident response and reporting concerning all college-owned or operated computer hardware and software, computer network access and usage, Internet and email usage, and the security and privacy of data in all storage formats, including hard copy, files, records, hard drives, thumb drives, etc. This document is to inform all users of the policies set forth by the College, in compliance with the Tennessee Board of Regents and the State of Tennessee. It also provides preventative action recommendations intended to keep future incidents from taking place.
- The scope of this policy includes all ChSCC staff (including contractors and student workers), faculty, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data. The scope also includes all data created and maintained by the College (i.e. student, research, financial, payroll/personnel, etc.), regardless of the medium on which it resides (e.g., paper, fiche, in electronic form on tape, cartridge, disk, CD-ROM, or hard drive, etc.) and regardless of form (e.g., text, graphics, video, voice, etc.). Included in the scope are all computer systems owned, leased or maintained by the College. This includes: microcomputers/PCs, servers, various peripheral equipment including, but not limited to, printers and copiers; and all Web pages and applications contained on College equipment or disseminated via College resources.
- Users and/or administrators at all levels of staff and faculty should be aware of the risks and exposures inherent in their areas of responsibility and should establish and maintain proper internal controls to provide for the security and accountability of all IT assets and other computer resources entrusted to them, as required by ChSCC Information Technology's 1) Responsible Use, 2) Password, and 3) Data Security policies, and other policies as necessary. Use of ChSCC sensitive data, even when carried out on a privately owned computer that is not managed or maintained by ChSCC, is governed by this policy.
- IT systems and resources - are the computers and computer time, data processing or storage functions, computer systems and services, servers, networks, printers and other input/output and connecting devices, and related computer records, programs, software, documentation and data files that are owned, managed or maintained by any College-based entities, including laboratories and libraries.
- User - a "User" is any person, including but not limited to students, faculty, and staff, whether authorized or not, who makes any use of any IT system or accesses and uses public records from any location.
- System Owner - the individual who is responsible for the data contained within a particular system. The system owner grants individual access to the systems and/or data that they are responsible for, based on the principle of "least privilege."
- IT Security Officer - the individual who is considered the IT security point of contact (POC) for the College. In accordance with the State of Tennessee Information Security Program, the agency POC will have the responsibility and authority for working within the College to provide administrative oversight of security for information resources under the College's control. This individual will be responsible for ensuring security policies are in effect and being adhered to; he/she will be the POC for all initial notifications of suspected security incidents and will work within Chattanooga State guidelines and policies for reporting incidents to those required. This individual is responsible for completing all required incident reports.
- Public Record - means all documents, papers, letters, maps, books, photographs, microfilms, electronic data processing files and output, films, sound records, or other material, regardless of physical form or characteristics made or received pursuant to law or ordinance or in connection with the transaction of official business by any governmental agency.
Initial Incident Investigation Response:
- When an incident of fraud, waste, abuse and/or loss of information technology resources is suspected, the Chattanooga State IT Security Officer (Director, Systems Development and Operations) should be notified as soon as possible. If the possible loss of sensitive data is suspected, notification must happen as soon as possible on the same business day as detection. The IT Security Officer is responsible for taking the following actions:
- Immediately contact the Assistant VP of Computer Services, the Vice President of Technology, the VP of Business and Finance, and the VP for the area in which the incident occurred, to notify them of the possible incident.
- Make a preliminary investigation to identify known facts. The reporting individual and their supervisor will be part of this preliminary investigation.
- Activate the College's Technical Investigation Team to determine possible impacts due to the type of incident. Members of this team will include those individuals with technical skills that can properly evaluate the situation.
Incident Response Actions:
- As soon as possible after the initial investigation is completed, the IT Security Officer activates the Chattanooga State Security Incident Team. This team is comprised of: the Chattanooga State Assistant VP of Computer Services, the Director of Internal Audit, Institutional Effectiveness, the Associate VP of Institutional Effectiveness, a representative for Business and Finance, and other team members as needed.
- The Security Incident Team will make an initial determination, based on TBR Guideline B-080, on whether an official incident response report to TBR is required and whether a FERPA and/or other sensitive data loss requires customer/student notification under Tennessee Code, Title 47, Chapter 18, Part 21.
Required Actions:
- Based on this determination, the Security Incident Team will recommend to the VP Council either that:
- an incident response to TBR is not required. A report containing the preliminary investigation and the recommendation of the team is provided to the College President and Vice Presidents, and others as determined; - or -
- an incident response to TBR is needed, and whether customer/student notification, due to loss of FERPA and/or other sensitive data, is required. If the recommendation is accepted, the College President and other individuals are notified immediately as required by TBR Guideline B-080.
Impact to Others:
- Customers/students impacted by loss of data are notified as required by Tennessee Code, Title 47 Chapter 18, Part 21. The Vice President of Student Affairs will be responsible for ensuring that written notices are prepared and mailed as required.
- The IT Security Officer with guidance and assistance from the Security Incident Team prepares all required forms and reports and ensures required notifications are completed as directed by the VP Council.
ChSCC Point of Contact:
- Point of Contact: The IT Security Officer will act as POC for the College for as long as the incident response process requires and will be responsible for ensuring communication is maintained at all times with all required College individuals. All responses to the media and to outside agencies not involved in the required reporting will be handled by the Associate VP for Institutional Effectiveness, Research and Public Relations.
- Once the incident has been handled as required, the Security Incident Team prepares a "Lessons Learned" document for VP Council review and takes actions as directed to prevent future recurrences.
1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/2008
2. Tennessee Board of Regents (TBR) Information Technology Policy B-080
President's Cabinet, 02/12/2012
Dr. James L. Catanzaro, President, 05/7/2012
Implemented by: Computer Services, 9/30/08
Reviewed and Revised by: Computer Services, 3/27/09 rev 1
Reviewed and Revised by: Computer Services, 12/1/2011 rev 2