policy security incidents modified Thu Mar 26 2020 17:01:01 GMT-0400 (Eastern Daylight Time)
University of Louisville
July 23, 2007
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
The policy of the University of Louisville is to minimize both the frequency and the severity of information security incidents within the University environment. All users are responsible for and must maintain their university computing/mobile devices and data in as safe a manner as is reasonably possible. In the event of an incident, the standards outlined in this document as well as the related procedures must be followed.
REASON FOR POLICY
Compromises in information security can include both electronic and hard copy information. Electronic compromises can potentially occur at every level of computing from an individual's small mobile device to the largest and best-protected systems on campus. Incidents can be accidental incursions or deliberate attempts to break into systems and can range from benign to malicious in purpose or consequence. Regardless, each incident requires careful response at a level commensurate with its potential impact to the security of individuals, sensitive information and the campus as a whole.
The accelerated pace of technological change and concurrent reliance on electronic information systems has greatly increased both the potential exposure of sensitive information to the world at large via electronic means and the motivation of some to exploit computing devices, computing infrastructure and software either for gain or to cause organizational difficulties. Governmental authorities, regulatory bodies and standards organizations have recognized this new reality and responded with laws, regulations and other measures to motivate organizations to take the steps necessary to minimize or prevent information security incidents before they occur.
This environment means that all persons within the University have an active role in preventing security incidents or in minimizing them if they occur.
For the purposes of this policy an "Information Security Incident" is any accidental or malicious act with the potential to:
- result in misappropriation or inappropriate modification or disclosure of sensitive information;
- affect the functionality or continuity of information technology including the infrastructure of the University;
- provide for unauthorized access to university resources or information; or
- allow university information technology resources to be used to launch attacks against either other internal resources or the resources and information of other individuals or organizations.
The Information Security Office (ISO) is responsible for managing the University's Information Security Incident Response Program. The ISO has established procedures and identified the Information Security Incident Response Team (ISIRT) as the authority in developing plans and managing the university's information security incidents. Working in conjunction with IT and other internal and external parties, the ISIRT will follow protocol in determining what actions should be taken, how incidents should be handled and in documenting, securing and retaining evidence and information. Incidents may be escalated to university counsel, human resources or other university officers as well as law enforcement or outside authorities. Non-IT specific information incidents relating to sensitive or regulated data (e.g. inappropriate access or modification, abuse or suspected abuse of access, lost or stolen hardcopy, transmission without encryption or transmission to an unauthorized user, etc.) should immediately be reported to the University's Information Security Office at firstname.lastname@example.org.
The University of Louisville Computer Incident Response Team (ULCIRT) has been identified as the authority in developing response plans to security incidents specific to technology resources. ULCIRT will work with ISIRT, and incidents that are determined to be IT specific or need IT assistance will be redirected to ULCIRT for further investigation.
Users who have knowledge of or suspect an information security incident should immediately contact the Information Security Office at email@example.com, the IT helpdesk at 502-852-7997 or the IT Enterprise Security team at SecureIT@louisville.edu. Users wishing to remain anonymous may contact the Compliance Hotline at 1-877-852-1167.
Dealing with Viruses, Worms and other common "Malicious" Software
- IT support professionals are not required to report IT security incidents involving viruses, worms, and other common malicious software to ULCIRT if self-contained and completely removed by anti-virus, anti-spyware or other software. If, in the judgment of the Tier 1 or other authorized technical support personnel, the malicious software could pose a risk to university data/networks or was not successfully removed, the incident must be reported. Please follow the standards in the next section, Reporting and Responding to IT Security Incidents.
Because malicious software can reduce the functionality or otherwise affect the campus computing and communication environment, individuals and information technology support professionals are expected to:
- prevent computer equipment under their control from being infected with malicious software by the use of preventive software and monitoring (see ISO-014 Protection from Malicious Software policy and standards), and
- take immediate action to prevent the spread of acquired infections from any computers under their control.
- Assistance is available from your Tier 1, the IT HelpDesk and from the IT Enterprise Security Team.
Users - Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.
Sensitive Information - Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms) (see Information Management and Classification Standard).
Reporting and Responding to IT Security Incidents
Immediately report lost or stolen computer devices (including mobile devices) to IT support and the ULPD. The ISO will follow up to determine if there are information security issues related to sensitive or regulated data.
- Attempt to stop any further damage from an IT security incident by disconnecting the computer from the campus network (do not turn the computer off).
- Report IT security incidents to ULCIRT at SecureIT@louisville.edu. ULCIRT will help you assess the problem and determine how to proceed.
- If the incident has potentially serious consequences and requires immediate attention, individuals should report the incident to the IT Help Desk at 502-852-7997 and request 'priority one' status.
- Following the report, individuals should comply with directions provided by IT support staff or ULCIRT to repair the system, restore service, and preserve evidence of the incident.
- No retaliatory action should be taken against a system or person believed to have been involved in the IT security incident. All response actions should be guided by the IT security policy and all other applicable university policies.
- All incidents should be kept confidential unless otherwise instructed by IT or the ISO. Incidents involving criminal investigation must be kept strictly confidential. University counsel or other officials should be informed of employee subpoenas or requests for documents before any action is taken.
IT Support Professionals (Tier 1)
Department, college, or unit information technology support professionals have additional responsibilities for IT security incident handling and reporting for both the systems they manage personally for their units and the systems of users within their units. In the case of an IT security incident, Tier 1 support staff should:
- Respond quickly to reports from individuals.
- Take immediate action to stop the incident from continuing or recurring including deactivating or disconnecting the device if required. Lost or stolen devices should be deactivated/disabled immediately and remotely wiped when feasible.
- Report IT security incidents to ULCIRT at SecureIT@louisville.edu. They will help you assess the problem and determine how to proceed.
- If the incident has potentially serious consequences and requires immediate attention, individuals should report the incident to the IT Help Desk at 502-852-7997 and request priority one status.
- Notify the appropriate college, department or unit administrator that an incident has occurred and that ULCIRT has been contacted.
- Refrain from discussing the incident with others until a response plan has been formulated and restrict information to only those with a need to know.
- Follow ULCIRT guidance to repair the system, restore service, and preserve evidence of the incident.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Information Security Office
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / June 21, 2011 / Acronym Update
1.2 / January 29, 2013 / Content Update
1.3 / September 24, 2014 / Content Update
2.0 / March 8, 2016 / Review content and update to template format
2.0 / July 31, 2018 / Grammar and punctuation updates
Reviewed Date(s): March 8, 2016; June 12, 2017; July 31, 2018
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.