Handbook of Operating Procedures > Series 700 Information Resources > 7.5.3 Information Security Incident Response

7.5.3 Information Security Incident Response

A. Purpose

To ensure the secure operation of information resources, to protect the data security and privacy of patients, students, faculty, and staff, and to respond appropriately to information security incidents and set forth requirements for the efficient response to information security incidents in order to maintain the security and privacy of information resources, data, and other assets, as well as satisfy requirements of state and federal law.

B. Persons Affected

To all individuals who access, use or control a The University of Texas at Tyler (the "University") information resource, including by not limited to staff, faculty, students, those working on behalf of the University, guests and visitors.

C. Definitions

1. Breach - A breach of security occurs when there is a reasonable belief that an unauthorized person has acquired unencrypted personal identity information (as defined below) or other restricted data. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure. 
2. Computer Incident Response Team (CIRT) - CIRT is a group of skilled individuals designated to respond to any IT Incident which requires coordination across multiple departments, or which cannot, in the reasonable judgment of the Incident Coordinator (IC), be adequately addressed by a single department, or when it is otherwise determined to be appropriate to employ such a team by the IC. The IC is responsible for defining the specific procedures for and operations of CIRTs. 
3. Incident - The act of violating an explicit or implied security policy, including but not limited to: 
   1. attempts (either failed or successful) to gain unauthorized access to a system or its data 
   2. unwanted disruption or denial of service 
   3. the unauthorized use of a system for the processing or storage of data; and 
   4. changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent. (US CERT) 
4. Incident Coordinator (IC) - The party responsible for managing institution-wide IT Incident response. The Information Security Officer currently fulfills the role of IC. 
5. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. 
6. Information Resources (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus.  Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. 
7. Information Resources Manager (IRM): The party responsible to the State of Texas for management of the University's information resources. The designation of a University IRM is intended to establish clear accountability for setting policy for information resources management activities, provide for greater coordination of the University's information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards and Guidelines to protect the Information Resources of the University. If the University does not designate an IRM, the title defaults to the University's Chief Information Officer, who is responsible for adhering to the duties and requirements of an IRM. 
8. Information Security Officer (ISO): Responsible to executive management for administering the information security functions within the University. The ISO is the University's internal and external point of contact for all information security matters.  
9. Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Appendix B) 
10. Information Technology Resources: Includes but is not limited to personal computers and related peripheral equipment and software, network and web servers, telephones, facsimile machines, photocopiers, Internet connectivity and access to internet services, e-mail and, for the purposes of this policy, office supplies. 
11. Protected Health Information (PHI): "Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to: 
    1. the individual's past, present or future physical or mental health or condition, 
    2. the provision of health care to the individual, or 
    3. the past, present, or future payment for the provision of health care to the individual that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 
    4. The HIPAA Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (Defined in the HIPAA Privacy Rule) 
12. Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as his/her name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. 
13. Restricted data or information: Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme. 

D. Policy

Statement of Management Commitment

The University is committed to protecting all confidential data it is responsible for. In the event that a critical security incident occurs, the University's ISO is committed to the quick, efficient resolution to the incident and the timely reporting of the incident to state and federal agencies, as well as the notification of individuals who information may have been compromised.

This policy addresses events affecting any University information resource which may negatively impact the confidentiality, integrity, and/or availability of the resource. This policy is designed to assist in handling security incidents and is not intended to address scenarios for which other processes are in place such as:

• Violations of the Digital Millennium Copyright Act (DMCA) 
• Excessive bandwidth usage. 
• Incidents involving only non-institutional resources, such as personally-owned data or computers. 

Reporting Requirements

All employees are required to report promptly unauthorized or inappropriate disclosure of Sensitive Digital Data, including social security numbers and any other incidents, to their supervisors, the ISO, and/or Compliance.

Legislation

This policy responds to all applicable federal and state statutes pertaining to security breaches of protected electronic data. These statutes include, but are not limited to:

• Texas Business and Commerce Code § 521.03
• Federal Family Educational Rights and Privacy Act of 1974 (FERPA), dated July 17, 1976 (20 U.S.C. Section 1232g)
• Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule (The HIPAA Security Rule)
• Organizational Structure, Roles, and Responsibilities

The organizational structure of the Information Technology and Information Security departments as they relate to Incident Response are described below. Knowing who key personnel are, and their roles and responsibilities during a breach or incident, is very important in the efficient assessment and resolution of security incidents.

Information Security Officer (ISO): The ISO will report directly to the Executive Vice President/Chief of Staff and UT System Chief ISO. The ISO will usually be the IC, or assign the role to someone else when needed. The ISO will also be responsible for:

• Determining the severity and priority status of security incidents. 
• Determining the need for, and if necessary, coordinating with legal counsel, human resources, public relations and law enforcement. 
• Coordinating with the CIO for resource management during an incident. 
• Working with Legal Affairs in defining and issuing "gag" orders for University employees during an incident response. 
• Chairing the closure phase of the incident response. 

Security Analysts: Security analysts will be assigned to work with the system administrators, department staff, and other personnel involved in an incident. The security analysts will report directly to the ISO. They will be responsible for contacting who reported the incident and completing the initial paperwork and forms, as well as documenting all actions taken throughout the incident response. They will also update the Incident Response Plan and Procedures documentation as needed after the closure of an incident.

Chief Information Officer (CIO): The CIO reports to the Executive Vice President/Chief of Staff and will coordinate with the ISO on the incident response. The CIO is responsible for ensuring IT personnel and contracted IT service providers are allocated to the incident are actively engaged on an incident.

IT Service Desk: The IT Service Desk is responsible for escalating and notifying any reported security incidents.

System Administrators: System administrators and Database Administrators are responsible for monitoring information systems and can be key in detecting any security incidents. After a security incident has been reported, the system administrators will utilize available resources to resolve vulnerabilities in IT system resources, or take corrective actions with system configurations or access.

Office of Legal Affairs: Is responsible for determining when and how to inform the media or the public in the event that the incident requires notification of entities outside the University.
Police Department: Police Department personnel should be aware that any and all information, either oral, written, or in electronic form, can have far-reaching implications if released prematurely, released to the wrong individuals, or, in fact, if released.

Human Resources: When an employee is the apparent target of/or is suspected of causing an incident, the human resources department will be contacted to address what and how information is released.

Public Information Officer: This office also provides media, marketing and communication counsel and support to the University and to key administrative offices, including the Office of the President.

Computer Incident Response Team (CIRT)

This policy also allows for the creation of a CIRT by the ISO and CIO. Members will vary depending on the skill sets required to assess and resolve the incident. The team will remain active until the incident is declared closed. The team will be responsible for assessment and triage, containment, evidence collection, and reporting during the response phase. The team will also be needed for system recovery if necessary, which can include restoring systems or data from backups or reimaging systems and reloading data. The CIRT assembly process is covered in the University's Information Security Incident Response Plan.

Prioritization of Incidents

The importance of an incident might depend on many factors, and the priority can also change if new information is discovered or reported. Establishing and maintaining a priority list of all incidents is not possible, so it is usually a dynamic activity.

E. References

UT System UTS-165

Texas Administrative Code 202Texas Business and Commerce Code § 521.03

Federal Family Educational Rights and Privacy Act of 1974 (FERPA), dated July 17, 1976 (20 U.S.C. Section 1232g)

Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule (The HIPAA Security Rule)

NIST Special Publication 800-61 Revision 2

F. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.