[Ver. 5.4.1 ]
Many thanks to EDUCAUSE and M. Peter Adler, Mark S. Bruhn, Brian L. Hawkins, Rodney Petersen, and Diana Oblinger for sharing so much useful advice on information security with the IT in higher education community. Many of their published ideas are included in this information security plan with the permission of EDUCAUSE. Interested parties may contact EDUCAUSE for the original sources of the materials.
- Executive Summary
- Planning Considerations
- Vectors for Change
- Explanation of Terms
- Overview of Incident Handling Procedures
- Summary of Response Procedures for Incidents Involving Law Enforcement
- Summary of Incident Response for Legal Issues
- Reference Section
This is an umbrella document intended to bring together a diversity of information about data security processes and policies in an effort to enhance the overall security of the information that touches all aspects of the college’s workings, and ensure compliance with all applicable laws and regulations. This plan and its related documents along with the governance structure of the college provide the oversight and guidance for privacy and data security and for compliance with federal and state privacy laws.
Information security improvement is an ongoing process, and accordingly, this document is dynamic. This document is not, in itself, a policy or procedure, but intended rather to provide the framework by which policies, procedures, and best practices can be effectively defined, utilized, and updated toward the general purpose of enhancing the overall information security of the institution.
This plan is intended to be scalable and flow as technologies and policies change and is meant to address all data regardless of form or media. Its use is not necessary for every privacy and data security incident, as many incidents are small and routine, requiring only a single responder.
Information security is the subject of a myriad of state and federal laws. These laws and regulations represent an emerging legal standard that imposes obligations on MCC to protect the data we collect, store, process, use, and disclose. These laws increasingly affect how MCC handles personal information, including sensitive health and financial data. Many of the new laws require disclosures to victims when there is unauthorized access to systems containing sensitive information. Failure to protect this type of information will inevitably result in public embarrassment and the financial costs associated with managing the response to incidents and may also result in investigations, fines, and other penalties.
Information security discipline is not only necessary to protect the college but it is also important to homeland security. Higher education institutions, like MCC, must ensure their portion of the national cyber-infrastructure is protected from logical and physical attacks. There is a history of attacks on the national infrastructure, including commercial networks and root name servers, from within several compromised U.S. campus networks. MCC, therefore, approaches our own information security challenges with the understanding that we, like all higher education institutions, must minimize the opportunity for terrorists and criminals to abuse campus networks.
Our information security plan is designed to integrate the need for Information security with the need to support the mission of the college and to accommodate the fundamental purposes for which our academic enterprise exists. Manchester Community College advances academic, economic, civic, personal and cultural growth by providing comprehensive, innovative and affordable learning opportunities to diverse populations. We are a learning-centered community committed to access, excellence and relevance. As information and technological distribution channels continue to proliferate, so do associated risks. This proliferation of risk combined with increasing regulation and penalties associated with security breaches creates a tendency to view security as the end-goal instead of as one activity that supports the essential business of education. While we strive to maintain an information security agenda that maximizes confidentiality, integrity, and availability of information and technology resource, the methods and protocols must be enablers of our institutional processes. In order to maintain a proper balance between maximum security and institutional operations this plan is designed to be flexible enough to readily accommodate changes in both technology security means and methods and the academic demands of the institution.
MCC must continually scan for and inventory the location and transmission of sensitive and restricted data. This scan and inventory process is on-going and multi-layered and requires both initial and ongoing training of faculty and staff to use software based tools to identify risks in both stored data and business practices. Changes in business practices, infrastructure changes and configuration changes to systems throughout the college are made as required to support information security improvements.
To perform an environmental scan of our data we use various tools and applications which are prioritized by analysis of the results of careful observations about our institution’s technology and data environments and categorized into three main areas: technology environment, leadership environment, and our academic culture.
Our campus technological environment is complicated because of the diversity of hardware and software utilized throughout the campus which includes both college-owned standardized systems and student-owned computers and mobile devices. Dealing with student-owned devices is problematic because the students are highly transitory, come to campus with no real appreciation of security issues and some use some vendor products that contain numerous and unnecessary security problems. Some of our professional IT staff are good technicians but with less than optimal security-specific training. In addition, the increased demands for distributed computing, for distance learning, and advanced networking capabilities create security challenges.
The leadership environment at MCC is proactive, forward thinking and fully committed to continually improving information security at the college. The ownership of information and technology security as an institution-wide concern is well supported by institutional leadership and has resulted in reducing the commonly held assumption that security is “someone else’s” problem. MCC has developed a sense of centralized security leadership with the authority to mandate change and enforce policy across college constituencies but with sensitivity to the educational mission. There are clearly defined goals based on assessment of risks and an expanding tool set is being deployed to mitigate risks and monitor compliance. Our internal policy is general enough to allow for evolutionary change and our processes and procedures are tested for practicality and enforceability.
Academic culture is at the heart of what we do at Manchester Community College, yet some constituents of the college community continue to believe that security and academic freedom are antithetical. To address this concern, MCC is providing our faculty, students and staff with more and detailed information and training that illuminates how information security risks can harm the institution and compromise their personal information. MCC is a community of tolerance and a certain level of autonomy and privacy is highly valued. There is some resistance to new demands on faculty time or to security-induced constraints on institutional resources. This plan calls for certain proactive security measures that are incrementally deployed to minimize the impact on faculty, deans, and others in the academic arena that may view such changes as bureaucratic or officious.
The objectives of this policy are:
- Provide for uninterrupted services to the College Community;
- Safeguard the integrity and availability of the campus network through appropriate controls;
- Protect the IT assets of the College including data, software and hardware;
- Minimize the probability that campus IT resources are used to attack other organizations, bringing liability and disrepute to the College;
- Protect MCC against the loss or misuse of any information;
- Define responsibility and accountability to maintain protection of MCC information;
- Preserve and support audit and legal compliance.
Our Information Security Plan is both supported by our IT strategic planning and is also integrated into an institution-wide strategic planning effort. It is apparent that there is not one cookie-cutter approach for crafting a successful IT security strategy for an institution of higher education. MCC will continue to evaluate its own unique culture, interests, resources, and the political climate to improve and enhance our information security environment. An evolving security model is critical to remain effective in threat avoidance and in minimizing risks. Although no security plan is foolproof, MCC is dedicating significant resources to a proactive approach instead of discovering our shortcomings and vulnerabilities by a major security incident. The reality is that budget limitations restrict our institution’s ability to provide comprehensive training and provide other desirable enhanced security measures however continuous efforts to improve business practices and procedures coupled with ongoing environmental scans are improving our security profile. A key action item for MCC specifically associated with information security is to advocate for expanded funding dedicated to various measures designed to improve security, including more training and hardening of IT resources. Security has a prominent place at MCC and is widely publicized on our campus. Information security issues are recognized, discussed, and ultimately addressed at the highest levels within the MCC community.
Significant progress has been made in improving the security of MCC’s information and its technology. Key personnel attend security conferences to extend knowledge and explore strategies. Campus security training days are being planned and there is increased interaction between MCC’s leadership, IT staff and constituents as business practices continue to be modified for improved security. At MCC, leadership encourages the discussion of security issues and is cultivating a higher level of awareness about how important this is to the institution. We continue to revisit deployments of technologies previously discounted as being incompatible with diverse networks. For MCC, the key factor for success of the security effort will be the ongoing development and refinement of effective strategies and plans coupled with sufficient resources to implement solutions.
Security breaches at state institutions are nightmares both fiscally and from a marketing perspective. Headlines from such personal and confidential information leaks can result in legislators seeking additional oversight and other inefficient or unnecessary complexities. Beyond the image problems, there are also critical concerns about liability and business continuity.
MCC relies on information for academic and outreach programs and for support services. Information security ensures the availability, integrity, and confidentiality of information, services, networks, and computer systems. These systems and networks must be available on a timely basis. Their information must be protected from unauthorized use or disclosure as well as from unapproved, unanticipated, or unintentional modification.
Security incidents include inappropriate access, alteration of data, virus infiltrations, and denial-of-service attacks. Though external entities are an area of concern the greatest risks may well be internal. Incidents precipitated by disgruntled or dishonest employees or hackers might well be found on campus. Other incidents may result from unsecured systems or from passwords posted on desks or monitors. Information security would be readily accomplished if we could solve all problems through technology but security is as much an issue of people and business process as it is of networks and computers.
Making security an institutional priority at MCC still faces some cultural barriers. There is a consensus agreement that security is important to our institution but the required specific procedures to mitigate risk elicit differences of opinion. Some faculty may view certain restrictions on access as an impediment to intellectual freedom. Monitoring and recording user access may be considered a threat to privacy.
At MCC improvements to information security are being implemented through changes in business practices, governance, training and specific applications to secure technology platforms. There are several fundamental vectors identified for promoting a positive cultural change to improve information security at Manchester Community College:
- Gain greater control over the applications on our network to limit avenues of data leakage
- Identify MCC’s institutional assets that need to be protected and differentiate information needing high levels of security from those requiring lower levels.
- Identify and assess need of users initiating application transactions
- Assess all physical assets, laptops, desktops, physical and virtual servers, network vulnerabilities and all data stored on campus.
- Insure that data centers and closets have appropriate physical security measures in place.
- Improve the safeguarding of older information formats including hard copies of files. Insure that sensitive data in these formats is in cabinets that are appropriately secured.
- Insure that information security roles and responsibilities are clearly defined and that requisite authority accompanies those roles.
- Insure that adequate resources available to support established policies and controls.
- Identify all potential security vulnerabilities, ranging from malware attacks, wireless networks, and student-owned equipment risks to security policy discrepancies and unclear oversight.
- Provide regular reports on information security to institutional leaders and continue to cultivate the idea that the executive team considers information security as part of its responsibility as well as that of IT.
- Continue to publicize to the college community that information security is mission-critical to MCC and that security is the responsibility of all information technology users.
Event: An event is an observable change to the normal behavior of a system, network, environment, process, workflow or person (components). There are three basic types of events:
- Normal: a normal event does not affect critical components or require change controls prior to the implementation of a resolution. Normal events do not require the participation of senior personnel or management notification of the event.
- Escalation: an escalated event affects critical production systems or requires that implementation of a resolution and that must follow a change control process. Escalated events require the participation of senior personnel (Assistant Director of IT or Director of IT) and stakeholder notification of the event.
- Emergency: an emergency is an event which may
- impact the health or safety of human beings
- compromise primary controls of critical systems
- materially affect component performance or because of impact to component systems prevent activities which protect or may affect the health or safety of individuals
- be deemed an emergency as a matter of policy or by declaration by the available senior college personnel acting as incident coordinator
Incident: An incident is an event attributable to a human root cause. This distinction is particularly important when the event is the product of malicious intent to do harm or violate security policies. Examples: denial of service attacks, malicious code, unauthorized access or inappropriate usage.
Breach: An incident where there is demonstrated unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, or meets any other State or Federal criteria which requires notification of State or Federal authorities and affected individuals. This includes the unintentional release of DCL3 data through:
- the misconfiguration of systems
- the theft of hardware or documents
- an inappropriate transmission of secure data through unsecure channels
SECURITY ROLES & RESPONSIBILITIES
The College believes that information security is the responsibility of the entire College community including all students, faculty, staff, and contractors, etc. Every person handling information or using College information systems is expected to observe the information security policies and procedures.
The CSCU Board of Trustees passed a resolution calling for the establishment of an information security program that will ensure the security and integrity of all CSCU’s tangible and intangible information resources. Additionally, the resolution calls for the development of clear and consistent standards, procedures and guidelines to assist the entire system in the implementation and execution of the information security program. This MCC plan will be amended as required to meet such new and changing operational parameters as they are developed and published. Implementation of the Information Security Policy is managed through the Director of Information Technology, College Data Stewards, Data Managers and other designated personnel in IT (Network Manager and Systems Manager.)
MCC Information Security Team (MCC InfoSec Team):The event management of day-to-day information security and environmental analysis at Manchester Community College resides predominantly with the MCC Information Security Team (MCC InfoSec Team) and with monitoring, access control and human resource management by the division data stewards. The MCC InfoSec Team is comprised of IT department personnel with appropriate skills and resources to address security requirements. The department uses a specific glossary of terms to characterize any instance that varies from the normal parameters for security. The MCC InfoSec Teamhas the authority to confiscate or disconnect equipment and to monitor suspicious activity, and the requirements for reporting certain types of incidents. The MCC InfoSec Team are the first responders and follow BOR policies and procedures for incident reporting. Specific procedures related to events elevated to the system level can be found on the CSCU Security website.
The incident handling process consists of six steps:
- Initial Response – Identify whether or not an incident has occurred or is occurring. This process begins after someone notices some anomaly in the system or network.
- Intrusion Analysis – Determine the extent of the incident and document and report it as required by system policy. At this point the processing of the system may be delegated to the system office per BOR policy. If not required then steps below are followed directly.
- System Repair – Make sure that the problem is eliminated and the system is pristine.
- Security Improvement – Identify and eliminate the means by which the system was compromised.
- Network Reconnect – Restore the system to an operational status.
- Security Policy Update – Based upon any lessons learned from analysis of the incident update the security policy if needed.
Incident Response Communications
Incident Response Procedures for Compromised IT Resources
Examples: attack/exploit, backdoor or Trojan, denial of service, malware, unauthorized access
MCC follows the BOR system office Information Security Incident Response Procedures as revised on 02/17/2015.
I. Data Coordinator (DC)
Each institution will appoint a primary and secondary Data Coordinator. The Data Coordinator will coordinate all communications and activities between the Program Office of Security & Policy and the institution’s IT team. MCC’s current primary DC is Edgar Chavarriaga and the backup DC is Barry Grant.
The IT leaders at colleges and universities must notify the Security & Policy Program Office immediately upon discovery of security incidents on their campus that impact mission critical services or involve the potential for unauthorized disclosure or acquisition of DCL3/Class A data. The S&PPO is in the process of developing a notification system and standard templates. Until the system is available, CSUS and Charter Oak should email email@example.com with the required information. The CCC should follow the document notification process and continue to send e-mails to firstname.lastname@example.org and complete the malware tracking spreadsheet.
The Security & Policy Program Office will direct notification to senior administration, Office of the Attorney General, and other parties as appropriate. Each institution should also establish appropriate internal communication procedures regarding all incidents. The following incidents must be reported immediately upon discovery:
A. Incidents that seriously affect data center operation resulting in partial or complete shutdown of the data center:
a. Physical Security – unauthorized access, loss of equipment
b. Environmental – power failure, overheating, water damage
c. Cyber Security – virus, intrusions
B. Incidents that affect network closets:
a. Physical Security – unauthorized access, loss of equipment
b. Environmental – power failure, overheating, water damage
C. Any security incidents that involve administrative departments with access to personal, financial, or FERPA data:
a. Human Resources
e. Financial Aid
i. Health Center
j. Other departments that may meet the criteria
D. Notices from FBI, Homeland Security, or other law enforcement agencies about suspicious cyber activities.
E. Any other incidents that may involve personal, financial, or FERPA data.
The incidents include:
- Malware infections with the potential to compromise DCL3/Class A data
- Loss of paper documents containing DCL3/Class A data
- Loss of mobile devices (laptop, smartphone, USB drive, and tablet)
- Employee misconduct issue that may put DCL3/Class A data at risk
The following information should be included in the notification:
- Institution Name
- Incident security coordinator
- Date & time of the incident/compromise, if known
- Date & time of the discovery
- Type of incident (Physical security, environmental, malware/virus, loss of mobile devices, paper)
- Location of the incident, if applicable
- Name, Department, Job Title and contact information of the end user(s)
- A detailed description of the compromised host/device including maker, model, and OS.
- A brief description of the incident
Note: The S&PPO is in the process of developing a notification system and standard templates.
Until the notification system is available, MCC will follow the document notification process and continue to send e-mails to email@example.com and complete the malware tracking spreadsheet.
A. For physical security or environmental incidents that involve data center or network closets, please notify Facilities and Police as well.
B. For incidents involve loss of mobile devices or paper documents:
- Notify Police as well.
- For mobile devices:
- Perform a remote wipe of the device if possible
- Lock user account until further notice
C. For incidents involving malware, please follow the steps below to protect the evidence:
a. When to shut the service or system off
- Data is actively being compromised
- System performance is at an unacceptable level
- Files are actively being deleted or compromised
b. When not to shut the service or system down:
- The need to gather further evidence
- Data may be lost when the service or system is shut off
- Shutting the system down may tip our hand to the intruder
- The need to add additional monitoring capabilities
- Protecting evidence
- The system needs to be secured until initial forensics are completed and the system can be quarantined
Note: Malware detection by ePO or fake alert doesn’t require the system to remain running.
c. Evidence Protection – The system needs to be secured until initial forensics is completed and the system can be quarantined.
d. Maintaining/collecting Monitoring Data – It is important not to lose any monitoring data that occurred during the incident. The following steps need to be taken to maintain log data:
- If logs are not stored to a log server, backup logs for the duration of the event
- Stop backup rotations for the system or systems in questions and archive tapes
- If logging is not enabled, and can be, enable it for the affected systems
- If logging is not enabled at the appropriate levels set it to the appropriate level for the event
IV. Incident Tracking
Upon receiving the notice, the Security & Policy Program Office will assign an incident ID and assign a point person to coordinate the incident response with institution’s security coordinator. Regular status update will be entered by the S&PPO point person or security coordinator in the incident tracking system as updates are available. All related documentations will be stored in the incident tracking system for future reference.
Note: The S&PPO is in the process of developing an incident tracking system. Until the system is available, CSUS and Charter Oak will track incidents in the CCC incident tracking spreadsheets and send e-mail notifications on major updates. The CCC should continue to use malware tracking spreadsheets for their college.
Investigation includes analysis, identification, prioritization, and evidence collection and retention.
A. Incidents involve malware or virus:
a. MCC will engage the Office of Security & Policy immediately for all virus infection incidents on system that have the potential to compromise DCL3/Class A data
Note: The CCC should follow the current notification process for all systems with potential access to DCL3 data. Charter Oak should send an e-mail to firstname.lastname@example.org for any system that has potentially compromised DCL3/Class A data.
b. Prior to engaging the Security & Policy Program Office for investigation, University IT team should perform preliminary investigation and evaluate the potential security breach and determine the following
- Verify that the malware or virus has the potential to exploit DCL3/Class A data
- Scan the local and network mapped drive. Verify that the user(s) have access to DCL3/Class A data.
If both criteria are met, university must contact the S&PPO at email@example.com immediately.
In the event of a security investigation, the Security & Policy Program Office acts on behalf of Board of Regents and should be given complete and timely access to university network, systems, data, and personnel. All requests made by the Security & Policy Program Office should be treated as highest priority and be accommodated accordingly. There may be times that the S&PPO needs to use 3rd- party forensic service to perform advanced investigation. Any expenses incurred will be charged back to the institution. If forensic analysis is conducted and a determination is made that DCL3/Class A data is potentially compromised, the S&PPO will release an investigation report with recommendations.
B. The Campus Police will lead the investigation of all other incidents. The S&PPO will provide support upon request.
Compromises must be resolved as soon as possible, and within two weeks of the notification. Compromised hosts need to be maintained for forensic examination. Upon completion of forensic examination the host must be reformatted, rebuilt and have vulnerabilities resolved before reconnecting them to the network. Incidents must be resolved to the satisfaction of the Security & Policy Program Office. In some cases, the S&PPO may request privileged access to ensure the host is safe to resume network connectivity, or may require that it be evaluated for vulnerabilities before being placed back in service. The S&PPO must be informed of incident resolution details. The security coordinator must enter details about the incident resolution in the incident tracking system. The institution security coordinator must distribute to impacted users and their supervisors a summary of the compromise including:
- Impact on the user’s work
- Remediation or preventative measures the users should take
In particular, if passwords have been compromised, they must be reset and changed by the users, once the system has been secured.
The Security & Policy Program Office reviews the tracking system and closes tickets when appropriate. In the event of a serious security breach, the Security & Policy Program Office will produce an executive summary report. The report will be shared with internal auditors, institution IT team, and senior management at both BOR and institution.
VIII. Personal Identifiable Information
The “personal identifiable information” means an individual’s first name or first initial and last name in combination with any one, or more, of the following DCL3/Class A data:
- Social Security Number,
- Driver’s license number,
- Financial account, credit card, or debit card number in combination with any security code, access code or password,
- Passport number,
- State identification card number,
- Alien registration identification number,
- Health insurance identification number.
Incident Response Procedures for Copyright Infringement
Examples: unlicensed movies, music, or software.
Discovery – Any formal Digital Millennium Copyright Act (DMCA) complaints received directly from a representative of the copyright holder should be referred to MCC’s director of information technology. Non-DMCA complaints (complaints not intended to conform to the requirements of the DMCA) should be referred to the MCC Helpdesk for initial review. If not easily resolved, forward non-DMCA complaints to MCC’s Director of Information Technology. Identification of the copyrighted work claimed to have been infringed.
- Identification of the material that is claimed to be infringing and that is to be taken down or disabled, and information “reasonably sufficient” to enable the service provider to locate the materials.
- Information “reasonably sufficient” to enable the service provider to contact the complainant.
- A physical or electronic signature of a person authorized to act on behalf of the owner (i.e., the copyright owner or its licensee) of the right that is alleged to be infringed.
- A statement that the complainant has “a good faith belief” that use of the material in the manner complained of is not authorized by the copyright owner, the owner’s agent, or the law.
- A statement that the information in the notification is accurate and that, under penalty of perjury, the complainant is authorized to act on behalf of the copyright owner.
Documentation – MCC InfoSec Team documents alleged copyright infringement complaints in the ticket tracking system.
Notification – If the notice substantially complies with the above, MCC’s Helpdesk will forward the complaint to the director of information technology. Only if the notice does not adequately comply with the above or if the complainant does not respond to request for more information can the MCC Helpdesk disregard the notice.
Acknowledgment – DMCA notifications must be acknowledged immediately.
Containment – The procedures listed below must be followed upon receipt of a notice of copyright violation.
- Public access to the material targeted by the complaint is disabled as quickly as reasonably possible. If after one business day this action has not been taken, the MCC Helpdesk will request that MCC Network Services block access to the material.
- The MCC Helpdesk will ensure that the person believed to be responsible for the alleged infringing distribution of copyrighted material is notified of the complaint, and of the action taken to remove access to the material. The person must be given an opportunity to contest the removal of the material if they believe the complainant has misidentified it or if the material is lawful. If they choose to contest the removal, follow the procedure Counter-Notification procedures below.
- If the material in question is not legally possessed by the person believed responsible for making it publicly accessible, the MCC Helpdesk will ensure that the material is removed from the system on which it was found.
- The MCC Helpdesk will ensure that the director of information technology and division director of the responsible party is notified when the material is no longer publicly accessible, and that the person responsible for distributing the material is contesting its removal.
- If the person responsible for distributing the material is a student, forward the matter to the Dean of Students. If the person is an employee, notify the appropriate Dean or Division Director.
Investigation – If the person responsible for the alleged infringing distribution of copyrighted material believes the material was misidentified or the distribution was lawful, they should send a counter-notification to the MCC director of information technology. The counter-notification must contain the following:
- A physical or electronic signature of the person responsible for the alleged infringing distribution.
- Identification of the material (or the location of the material) to which public access has been disabled. The identification should match the original identification provided by the complainant.
- A statement under penalty of perjury that the alleged infringer has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material.
- The alleged infringer’s name, address and telephone number, and a statement that the alleged infringer consents to the jurisdiction of the federal district court for the judicial district in which the alleged infringer is located and that the alleged infringer will accept service of process from the complainant.
Resolution – The MCC Helpdesk should work with the alleged infringer to obtain any missing components of the counter-notification. When the counter-notification is complete, the MCC Helpdesk will forward it to the complainant, along with a notification that the removed material may be restored in ten business days unless legal action is commenced against the alleged infringer. If the complainant fails to notify the MCC Helpdesk that it has initiated legal proceedings within ten business days after receiving a counter-notification, the MCC Helpdesk will notify the director of information technology that the material may be returned to public distribution.
Closure – MCC Helpdesk personnel reviews DMCA incidents in the tracking system and closes tickets as appropriate.
Incident Response Procedures for Violations of the BOR Acceptable Use of Computing Resources policy (AUP)
Examples: excessive or disruptive use, complaint, spam, inappropriate content, suspicious activity.
Discovery – IT workers that identify violations of the Acceptable Use of Computing Resources policy should take action as reasonably necessary to protect MCC and IT resources, and notify the violator of the action.
Documentation – MCC InfoSec Team documents AUP violations in a tracking system.
Notification – Contacts for AUP violations detected by MCC InfoSec Team are identified using the MCC Network Services subnet and domain contact resources. The MCC InfoSec Team notifications may be augmented as needed to include staff with appropriate knowledge and skills. Appropriate contacts are notified and recorded in the tracking system. The BOR system office will be contacted as per BOR policy. Law enforcement should be notified immediately of incidents involving threat to persons or property. IT workers do not make disciplinary decisions unless they supervise the violator. If the incident involves a student, notify Dean of Student Services. If the incident involves an employee, notify the appropriate Dean, Director or Department Head. In all events, follow MCC disciplinary procedures defined by MCC Human Resources.
Acknowledgment – MCC InfoSec Team notifications should be acknowledged immediately.
Containment – AUP violations must be contained immediately. Unless further investigation requires unrestricted access, all other violators must be contained as soon as possible, but no later than the same business day in which the notification is received. Service might be interrupted to violators that are not contained on the same business day. Containment can be achieved by immediately disconnecting the user from the network, revoking user access, or other means as appropriate. Unit IT workers may coordinate with MCC InfoSec Team to restrict access to violators that can’t be immediately disconnected or must remain connected in a restricted environment for the purpose of investigation or providing service. MCC InfoSec Team has the authority to coordinate appropriate resources to block violators that present a danger to the rest of the network.
Investigation – If the incident involves law enforcement, secure evidence without reviewing additional content. Network hardware, software or data may be considered evidence. Care must be taken to preserve evidence. A public records request, subpoena, warrant or other official request must be issued before data is released to law enforcement. The General Counsel of the BOR should be contacted to review public records requests, subpoenas, and warrants before responding. Evidence from incidents that involve an immediate threat to persons or property may be provided to law enforcement in advance of a public records request, subpoena or warrant, but counsel should be contacted if time allows. MCC InfoSec Team should be informed of incident investigation details as appropriate. Using the investigation details provided by IT workers, MCC InfoSec Team classifies incident severity.
Resolution – MCC InfoSec Team must be informed of incident resolution details. The incident classification must be entered in the ticket before the status is changed to Resolved. Using the resolution details provided by IT workers, MCC InfoSec Team classifies incident severity.
Closure – MCC InfoSec Team reviews the tracking system and closes tickets as appropriate.
Incident Response Procedures for Suspicious Activity
Examples: sweeps, scans, unusual connections, excessive bandwidth consumption
Discovery – MCC InfoSec Team receives and processes discovery notifications from other sources. MCC InfoSec Team manages systems to discover suspicious activity on the MCC network. Units are responsible to deploy systems to detect suspicious activity within their unit as needed. MCC InfoSec Team must notify the BOR System Office of suspicious activity discovered that has the potential to impact institutions. Network manager contact information is maintained by MCC Helpdesk.
Documentation – MCC InfoSec Team documents suspicious activity in a tracking system.
Notification – When suspicious activity is discovered appropriate contacts are notified. Contacts for suspicious activity detected are identified using the MCC Network and domain contact resources. MCC InfoSec Team notifications may be augmented as needed to include staff with appropriate knowledge and skills. Appropriate contacts are notified and recorded in the tracking system. MCC InfoSec Team will direct notification to university administration, law enforcement and other parties as appropriate. The MCC Police should be notified immediately of incidents involving threat to persons or property.
The general counsel should be consulted regarding other incidents before contacting law enforcement. IT workers do not make disciplinary decisions unless they supervise the violator. If the incident involves a student, notify the office of the Dean of Student Affairs. If the incident involves an employee, notify the appropriate Dean, Director or Department Head. In all events, follow procedures defined by MCC Human Resources.
Acknowledgment – MCC InfoSec Team notifications should be acknowledged immediately.
Containment – Suspicious activity should be contained as appropriate until the investigation is complete or the incident is resolved. Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, or other means as appropriate. Other MCC IT workers may coordinate with the MCC InfoSec Team to restrict access to compromised hosts that can’t be immediately disconnected or must remain connected in a restricted environment for the purpose investigation or providing service. MCC InfoSec Team may coordinate with BOR Network Services to block compromised services and/or hosts that present a definitive danger to the rest of the network. Notification will follow the procedures as required.
Investigation – Investigation includes analysis and identification.
1. Analysis. Suspicious activity must be assessed.
2. Identification. Identify source as appropriate, including user, host or other resource.
MCC InfoSec Team must enter details about the investigation and update the tracking system incrementally.
Resolution – Suspicious activity must be resolved as soon as possible, preferably the day of the notification. Refer to the incident response procedures for Compromised IT Resources. MCC InfoSec Team must be informed of resolution details.
Closure – MCC InfoSec Team reviews the tracking system and closes tickets as appropriate.
Critical IT Resources Standard
A critical IT resource is vital to the function of MCC or its divisions. It might store sensitive data, confidential data, or data protected by law. Critical IT resources may need special consideration with respect to risk assessment, service interruption, and notification. Systems classified as critical IT resources must meet the minimum standards of a production server as defined in the MCC Critical Host and Network Security Standard. Critical IT resources must have a continuance of operations plan that details risk assessment, service interruption, and notification procedures. To be registered as critical IT resources must have IT personnel resources available 24 hours per day, 7 days per week. Critical IT resources will be registered with the MCC INFOSEC TEAM
Service Interruption Notification Procedures
Division Directors will be notified prior to or concurrent with a service interruption applied as the result of a security incident. Notification attempts will be made directly by phone or email, in that order. An effort will be made to avoid disruption of service in cases not involving outgoing attacks.
Examples: obscenity, stalking, threat to persons or property, child pornography, unauthorized access.
- Evidence retention. Secure evidence without reviewing additional content. Network hardware, software or data may be considered evidence. Care must be taken to preserve evidence.
- Evidence release. A public records request, subpoena, warrant or other official request must be issued before data is released to law enforcement. Contact General Counsel for review of public records requests, subpoenas, and warrants before responding. Evidence from incidents that involve an immediate threat to persons or property may be provided to law enforcement in advance of a public records request, subpoena or warrant, but General Counsel should be contacted if time allows.
- Notifications. If any incident involves unauthorized disclosure or acquisition of private data, HR must be notified. The privacy officer will direct notification to university administration, law enforcement and other parties as appropriate. The Director of Information Technology must be notified of any incident that impacts mission critical service to the institutional level. Law enforcement should be notified of incidents involving an immediate threat to persons or property. General Counsel should be consulted via appropriate administration regarding other incidents before contacting law enforcement. The Director of Information Technology must consult with the Dean of Administration and/or President to determine if law enforcement should be notified. If the incident involves a student, the Dean of Student Affairs must be notified. If the incident involves an employee, notify the appropriate Dean, Director or Department Head. IT workers do not make disciplinary decisions unless they supervise the violator. The Director of Information Technology and the Dean of Administration must be notified of any incident likely to draw public interest.
Examples: defamation, civil fraud, harassment, disclosure of intellectual property.
- Evidence retention. Secure evidence without reviewing additional content.
- Notifications. If any incident involves unauthorized disclosure or acquisition of private data notification must be made to university administration, law enforcement and other parties as appropriate. The Director of Information Technology must be notified of any incident that impacts mission critical service to the institutional level. The Director of Information Technology will consult with the Dean of Administration and/or President to determine subsequent notifications and action. If the incident involves a student, the Dean of Student Affairs must be notified. If the incident involves an employee, notify the appropriate Dean, Director or Department Head. IT workers do not make disciplinary decisions unless they supervise the violator. The Director of Information Technology and the Dean of Administration must be notified of any incident likely to draw public interest.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contain both security and privacy provisions. HIPAA applies to covered entities that use certain electronic transactionsâ€”entities such as most health care providers, health plans, and health care clearinghouses. In the higher education arena, HIPAA most often applies to clinics used by both students and staff and to academic medical centers. The security regulations of HIPAA require covered entities to protect specific types of individually identifiable health information kept in electronic form, referred to as Electronic Protected Health Information (EPHI). To comply with the HIPAA security regulations, covered entities are to protect systems that store, process, and transmit EPHI. Entities must conduct periodic risk analyses to determine and implement reasonable and appropriate administrative, physical, and technical safeguards. The security regulations also require the implementation of risk-management processes, including policies and procedures and other documentation and training. Although HIPAA does not allow individuals to sue covered entities that do not comply with the law, it does provide criminal and civil penalties for noncompliance.
The federal Family Educational Rights and Privacy Act of 1974 (FERPA) provides a postsecondary student the right to inspect his or her education records and establishes conditions concerning the disclosure of those records to third parties. Although the act does not specifically require that information security be implemented, the protection of electronic student records will require information security covering the student records subject to this federal law.
Under the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) has jurisdiction over the activities of higher education institutions. The FTC regulations contain both privacy and security requirements. Colleges and universities that comply with FERPA will be deemed by the FTC to be in compliance with its privacy provisions. However, educational institutions remain subject to the GLBA security provisions as found in the FTC safeguard regulations (“FTC Safeguards”), which became effective on May 23, 2003. Under the FTC Safeguards, higher education institutions are to implement security measures to protect “customer information” that is personally identifyingâ€”information such as names, addresses, account and credit information, and Social Security numbers. This most often applies to higher education in the area of student loans but may also apply when credit cards or other loans are issued directly to students. The FTC Safeguards are aimed at ensuring the security and confidentiality of customer information. Higher education institutions are required to protect against any anticipated threats or hazards to the security or integrity of such records and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to the person noted in the record. To comply, colleges and universities must develop comprehensive information security programs, assess the need for employee training, and include obligations in their agreements with third parties that have access to the financial records covered by the rules. Although the FTC has not begun enforcement actions against higher education institutions, it demonstrated a willingness to pursue noncompliance when it charged three mortgage companies for not following the FTC Safeguards.2 Among other things, the consent order in each of these cases requires the company to retain an independent professional to certify, within 180 days, that its information security program meets the standards listed in the order and also to make this certification every other year for ten years.
The payment card industry recently created a private contractual compliance requirement: the Payment Card Industry Data Security Standard (PCIDSS). The PCIDSS requires that all merchants, including colleges and universities, that use credit cards comply with a number of technical, physical, and administrative requirements. Failure to comply with the PCIDSS could result in large penalties and suspension of the right to use credit cards for payment purposes.
Any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security. Such disclosure shall be made without unreasonable delay, subject to the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.