Incident Response

  1. Purpose
    1. Snow College shall develop and periodically review, test, and update a formal, documented incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Snow College entities, escalation procedures, as well as develop and periodically review and update a formal, documented procedure to facilitate the implementation of the incident response plan.
    2. Information Technology Resources are at risk from potential threats from threat actors. A formal policy for the reporting of and response to IT incidents is necessary to help protect Snow College digital assets.
    3. Address Snow College's Incident Response processes for security incidents and minimize the damage that occurs from these incidents.
    4. Secure the Private Sensitive Information of faculty, staff, students, and 3rd party affiliates.
    5. Prevent the loss of information that is critical to the operation and reputation of Snow College.
    6. Ensure the protection of IT Resources from unauthorized access, damage, or misuse.
    7. Satisfy requirements of state and federal law.

  2. Definitions
    1. IT incident – Any event involving Snow College IT resources. Including but not limited to:
      1. Violates local, state, or U.S. federal law
      2. Violates regulatory requirements which Snow College is obligated to honor
      3. Violates a Snow College policy
      4. Determined to be harmful to the security and privacy of Snow College data
      5. IT resources associated with students, faculty, staff and college affiliates
      6. Constitutes harassment under applicable law or college policy
    2. IT resource: All tangible and intangible computing and network assets. Including but not limited to:
      1. Hardware and Software
      2. Network and System Access
      3. Electronic and Physical Data
    3. Incident Response Team (IR) – Group of IT professionals in charge of preparing for and reacting to any type of security emergency. Including but not limited to:
      1. Creates processes and procedures for Incident Response
      2. Develops processes and procedures as a result of responding to and/or resolving security breaches
    4. Coordinator of Incident Response (CIR) - Party responsible for managing College-wide IT incident response. Party responsible ____
    5. Snow Security Contact (SSC) – Person or persons assigned to coordinate an IT incident response with involved parties and is responsible for interacting with the CIR.
    6. Reporter - Person(s) who reported a possible IT incident.

  3. Information Security Incident Management
  4. Policy
    1. Classification
    2. In order to facilitate the accurate and productive response to IT incidents, all IT incidents must be classified and assessed by the CIR for severity at their onset. If the CIR is not available, the CIO has the authority to make the classification. As the IT incident progresses, its classification may be reevaluated and changed as necessary to ensure proper handling. In some cases, IT incidents may fall under multiple classifications. When this happens, the classification with the highest severity should generally dictate the course of IT incident response. The CIR is responsible for providing and maintaining appropriate IT incident classification guidelines and resolution procedures.

    3. To whom this policy applies:
      1. President
      2. Vice Presidents
      3. Deans
      4. Directors
      5. Department Heads and Chairs
      6. Principal Investigators
      7. Business Office Staff
      8. Faculty
      9. Administrative and Professional Staff
      10. Clerical and Service Staff
      11. Employees
      12. Undergraduate Students

  5. Procedures
    1. Receiving Reports
    2. Reported events become IT incidents only after they have been received and evaluated by the CIR. All reported events should be sent first to the CIR for assessment and assignment. If this person cannot be reached, contact the IT Administrative Assistant. The CIR upon receiving a report is responsible for determining whether or not the event constitutes an IT incident. When the event has been determined to be a valid event, the IR team will begin its investigation.

    3. The CIR reserves the right to use the following resources for IT incident detection and/or response:
      1. System, network, application, and hardware logs and monitoring
      2. Active scanning of systems suspected of violating college policy and exhibiting symptoms of compromise.
      3. Revoke network and system access without notice when actions are deemed malicious, in an effort to help stop further compromise
      4. Other resources as determined appropriate by the CIR and as allowed by Snow College policy and applicable law.

      To facilitate accurate reporting, handling, and record keeping, the CIR is responsible for providing a protocol by which the CIR, SSC, and reporters of potential IT incidents can communicate. The CIR should also maintain a record of communication and data collection for all events reported to the CIR. In addition, the CIR is responsible for providing a formal operations guide. This guide shall outline the specific processes and methods for handling IT incidents.

    4. Reporting Incidents
    5. When any event is observed which appears to satisfy the definition of an IT incident, it must be reported to the CIR. If it is unclear as to whether or not an event constitutes an IT incident, such an event should be sent to the CIR for evaluation. Events that may constitute an IT incident may be reported to the CIR through one of the two following methods: enter the information HERE or email infosecurity@snow.edu. The person who reports the event, including complaints relayed on behalf of customers, should document and report any information about the event. The CIR is responsible for publishing all IT incident reporting guidelines and additional contact information. Absent these guidelines, all events that may constitute IT incidents should be reported directly to the CIR.

      Situations which are suspected to be crimes should be reported immediately to the appropriate law enforcement agencies by the person who possesses first-hand knowledge of the facts or circumstances related to a suspected crime. Those events which are suspected to be both a crime and an IT incident should be reported first to the appropriate law enforcement agencies, and then a notification that a police report has been filed should be sent to the CIR. However, it should be noted that in such situations the CIR would not generally act on the report unless asked to do so by said law enforcement agencies.

      Students, faculty, and staff should report crimes to the Snow College Police Department. Those persons external to Snow College should report crimes to their local law enforcement agency.

    6. Response
    7. After receiving a report, assessing its veracity, determining whether or not the event constitutes an IT incident, and classifying the IT incident, the CIR will determine if the IT incident warrants a formal response. IT incidents that do not warrant formal response will be remanded to the appropriate SSC for handling. All reported events or IT incidents must be documented throughout the response process. If an event report does warrant formal IT incident response procedures by the CIR, it is the responsibility of the CIR to coordinate the appropriate resources for such response. If deemed appropriate by the CIR, a CIRT will be formed and led by the handler assigned to the IT incident. The CIR is responsible for documenting appropriate procedures for responding to event reports and IT incidents, and coordinating CIRTs.

    8. Business Continuity
    9. In the course of responding to an IT incident it may be necessary, subject to applicable laws and College policies, to require the suspension of involved or targeted services or systems in order to:

      1. Protect students, faculty, staff, and college assets from the threats posed by the involved services and systems.
      2. Protect the service(s) or system(s) in question.
      3. Preserve evidence and facilitate the incident response process.
      4. The decision to suspend operations will be made by the CIR, as designated by the CIO.
      5. The CIR shall determine when (or if) a service suspension may be lifted.

      Any equipment not owned by the College which is using College IT resources, and is found to be the target, source, or party to an IT incident may be subject to immediate suspension of services without notice until the issue has been resolved, or the subject system is no longer a threat.

    10. Scope
    11. This policy covers students, faculty, staff, and any 3rd party using Snow College IT resources. Any individual or entity using Snow College IT resources consents to all of the provisions of the preceding policy and agrees to comply with all of the terms and conditions set forth herein, all other applicable College policies, regulations, procedures and rules, and with applicable local, state and federal law and regulations. Violations of this policy or any other College policy or regulation may result in the revocation or limitation of IT resource privileges as well as other disciplinary actions and may be referred to appropriate external authorities.

  6. Other
    1. Related Documents
    2. Laws that influence and affect this policy include but are not limited to:

      1. DMCA: http://www.copyright.gov/legislation/dmca.pdf
      2. ECPA: http://www.copyright.gov/legislation/dmca.pdf
      3. FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
      4. HIPAA: http://www.hhs.gov/ocr/hipaa/
      5. USA Patriot Act: https://www.fincen.gov/statutes_regs/patriot/
    3. Contact
    4. For questions about this policy, contact the Information Security Office: infosecurity@snow.edu

    5. Compliance
    6. Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action, including temporary or permanent loss of IT resource privileges and services.