Information Security Incident and Breach Response Plan 

This Plan describes the procedures to be followed when an Information Security Incident or data breach is suspected or discovered to have occurred involving computing devices or sensitive data owned by the university, including data used by its faculty, students, employees, consultants, vendors or others on behalf of the university. It also describes the procedures to be followed when university sensitive information residing on any computing or information storage device is, or may have been, inappropriately accessed or disclosed, whether or not such device is owned by the university.

This document supports ISO Policy PS006 and is applicable to all university students, faculty, staff, and to all others granted use or custodianship of University information assets. 

I. Purpose

The purpose of information security incident and breach response is to: 

  1. mitigate the effects caused by such an incident,
  2. protect information assets of the university from future unauthorized access, use or damage and
  3. ensure that the university fulfills all of its obligations under university policy, and federal and state laws and regulations with respect to such an incident or data breach. 

Every user of university information resources has responsibility for the protection of information assets; certain offices and individuals have very specific responsibilities. The university recognizes the need to follow established procedures to address situations that could indicate the security of information assets may have been compromised. To ensure that information security incidents are handled properly, effectively and in a manner that minimizes the adverse impact to the university, a standard university-wide approach has been adopted. Users should immediately notify management, the Information Security Office, or ITS if they become aware of or suspect an Information Security Incident or data breach.

II. Definitions/Roles and Responsibilities

  1. Electronic Information Security Incident – Any real or suspected adverse event in relation to the security of electronic sensitive information, computer systems or computer networks. Examples of incidents include:
    • Attempts (either failed or successful) to gain unauthorized access to a system or its data.
    • Theft or other loss of a laptop, desktop, smartphone or other device that contains sensitive information, whether or not such device is owned by the university.
    • Unwanted disruption or denial of service.
    • The unauthorized or inappropriate use of a system or device for the viewing, transmitting, processing or storing of data.
    • Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
  2. Information Security Incident – A real or suspected event which may compromise the confidentiality, integrity or availability of university assets. The incident may involve electronic information and computing devices or non-electronic information, and may be accidental or intentional.
  3. Information Security Incident Response Team (ISIRT) – Members of the response team who receive, triage, resolve, classify and track Information Security Incidents and breach response for the university. The ISIRT assists in coordinating the efforts of external resources such as law enforcement agencies and other institutions.
  4. Non-electronic Information Security Incident – Real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.
  5. Regulated Information – Information that is subject to federal, state, local or industry rules and guidance. Examples include but are not limited to HIPAA, FERPA, PCI, KY PI and Export Controls.
  6. Sensitive Information – Information of a confidential or proprietary nature that would not be published for unrestricted public access, or whose disclosure is prohibited by laws, regulations, contractual agreements or university policy. Sensitive information includes electronic and non-electronic data.

III. Notification

A member of the university community who becomes aware of an Information Security Incident should immediately stop or contain the suspected breach by:

  1. Disconnecting the compromised system and equipment from the university's network, but not turning it off; powering off destroys volatile evidence such as memory contents and active network connections.
  2. Removing or securing any non-electronic sensitive information.
  3. Avoiding any updates or other modifications to software, data or equipment involved, or suspected of involvement, in the Information Security Incident until the Information Security Office has completed its investigation and authorizes such activity.
  4. Contacting the university's Information Security Office at isopol@louisville.edu, University IT Security at secureIT@louisville.edu, or the helpdesk at 502-852-7997.

IV. Investigation

When an Information Security Incident is reported, the university’s Information Security Compliance Officer (ISCO) will do the following: 

  1. Investigate the Information Security Incident. In order to minimize the impact of the Information Security Incident on the university or to complete a proper investigation, the ISCO or ITS may recommend restricting information system access or operations to protect against unauthorized information disclosures.
  2. If the ISCO concludes that there is a possibility of unauthorized access to regulated information, or other Sensitive Information, the ISCO will convene the Information Security Incident Response Team (ISIRT).
  3. If the ISCO concludes that applicable federal or state laws or regulations may have been violated, the ISCO will notify the appropriate university officials and follow up with any additional steps per the specific regulations.
  4. All incident documentation and communications should be limited to only those individuals with a defined need to know. 

V. Incident Response 

Based on the information provided and the initial investigation, the ISCO will convene an Information Security Incident Response Team (ISIRT) to further assess findings and to develop an appropriate Information Security Incident/Breach Response Plan. Depending on the circumstances of each situation, the ISIRT may include representatives of some or all of the following offices:

  • Privacy Office
  • Office of the General Counsel
  • Controller’s Office
  • Export Controls Office
  • Internal Audit and Institutional Compliance Department
  • Office of Communications and Marketing
  • Administrative Systems, FERPA
  • IT Services
  • Departments or schools directly affected by the Information Security Incident (including both the appropriate business and technical personnel)
  • Other constituencies, as appropriate 

In carrying out this responsibility, the ISIRT will determine a plan of action and ensure that important operational decisions are elevated to the appropriate levels. 

VI. Report Preparation

The Information Security Incident Response Team (ISIRT) will be responsible for developing an executive summary report on the incident and the ensuing investigation and, if appropriate, recommendations for improving related information security practices and controls. The report will be distributed to the appropriate university officials.

VII. Additional Information

Contact Us

Information Security Compliance Office

Location

University of Louisville
Louisville, Kentucky 40292

Hours

Monday-Friday
8 a.m. to 4:30 p.m.
Closed Holidays