30.14 -网络事件报告和响应

Contents:

1. Purpose
2. Scope
3. Definitions
4. Policy
5. 不符合
6. Exceptions
7. 联系信息
8. References

A. Purpose

The university is obligated to protect the 保密, integrity, 信息的可获得性. Unauthorized access to certain types of information may obligate the university to individual, university, state, federal, and contractual investigative and reporting requirements and result in fines and reputational impact.

Timely response to reported and detected incidents is critical to prevent adverse effects to individuals, 满足外部报告要求, 并维护大学的使命和声誉.

This policy establishes individual responsibility in reporting incidents, 大学有责任做计划, respond, 和升级, 根据我们的法律和合同要求.

B. Scope

此政策适用于所有技术资源, 包括资讯系统, 机构数据, and networks and any person or device that gains access to these systems or data, 无论隶属什么组织, location, 资金来源, 或者合同状态.

C. Definitions

C-1. 电脑保安事故应变小组: A function of the Information Security Office responsible for receiving, reviewing, and coordinating the response to computer security incident reports and activity involving university technology resources.

C-2. 数据泄露: 根据爱达荷州法典第28-51-104条, “对系统安全的破坏”,，在本政策中称为“数据泄露”,” means “the illegal acquisition of unencrypted computerized data that materially compromises the security, 保密, or integrity of personal information for one (1) or more persons maintained by an agency, individual, 或者商业实体.”

C-3. 事件响应计划: Also known as the Technology Security Incident Response Plan, or “IR Plan,” is the required documentation in support of this policy which addresses specific procedures and details for handling incident response, 符合适用法律.

C-4. 安全事件: A security event is the discovery of any piece of information that could indicate the actual or potential threat to data or systems.

C-5. 安全事件: A security incident is a security event that indicates the present or imminent threat to the 保密, integrity, 或者大学技术资源的可用性, 或违反安全策略或标准.

C-6. 大学的数据: 任何格式的数据, collected, developed, maintained, 或由大学管理或代表大学管理, 或在学校活动范围内. (参见APM 30.11)

D. Policy

D-1. 报告事件. Any actual or suspected security incidents or events must be reported immediately to the Information Security Office through one of the following designated channels:.

D-2. 报告事件响应要求. All members of the university community establishing relationships with entities or handling data with unique incident response reporting requirements must report those requirements to the Information Security Office for inclusion in the Incident Response plan.

D-3. 注册系统和应用程序. All devices using university networks must be registered in the OIT Network Management System and contact information must be kept current. Cloud applications and vendors must be registered with the OIT Application Portfolio and updated when changes occur.

D-4. CSIRT会员. The CSIRT is composed of the Chief Information Security Officer (CISO) and their designated incident handler staff, 以及总法律顾问办公室的代表, 风险管理, 人力资源, 公共安全及保安, 及大学通讯. Other members and subject matter experts may be requested by the CISO or designated by the Vice President for Information Technology/CIO and approved as part of the Incident Response plan, 或者在需要的基础上.

D-5. 调查. 在资讯科技总监的指导下，资讯科技总监获授权:

a. Monitor all relevant technology resources and information to correlate and detect events and determine whether an incident has occurred.

b. Activate the incident response plan and direct the analysis, containment, recovery, 以及对事故的补救.

c. Expedite changes to information systems when necessary to respond to or prevent an incident. 这可能包括主动禁用帐户的措施, networks, devices, 集成, 或者其他资源.

d. 与总法律顾问合作, report incidents to required third parties when required by state, federal, 或者合同要求, 或者激活网络责任保险.

e. Track and document incidents using a standard taxonomy for security incidents.

f. 与执法部门协调, 政府机构, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that does not identify individuals, or as otherwise approved by General Counsel or related data owners.

D-6. Disclosure. Public disclosure of a data breach must be reviewed and approved by the VP for IT/CIO in consultation with General Counsel, 大学通信, 以及其他相关的大学利益相关者.

D-7. 计划需求. The OIT Information Security Office is responsible for coordinating the U of I Technology Security Incident Response Plan (IR plan), keeping the contact and subject matter expert list updated, 并且至少每年测试和执行该计划.

E. 不服从

不遵守此政策可能会导致后果, 视不遵守的性质而定, in the user’s account or access being suspended to U of I technology resources as stated in APM 30.12 (可接受的技术使用).

F. Exceptions

可以提交此政策的例外请求 通过OIT支持门户网站. The U of I Chief Information Security Officer will assess the risk and make a recommendation to the U of I Vice President for Information Technology and Chief Information Officer.

G. 联系信息

The OIT Information Security Office can assist with questions regarding this policy and related standards and the plan. 问题应通过 石油技术支持门户.

H. References

NIST SP800-61. 2

Hipaa 45 CFR§164.308(a)(6)

爱达荷州法典-§§28-51-104、105、106、107

爱达荷技术管理局 P4110

APM 30.数据分类和标准

APM 30.12 -可接受使用政策

用户界面私隐声明

版本历史

2023年1月修订. Rewritten to reflect cyber security practices required by HIPAA and NIST and to address the current state of cyber security threat faced by UI.

2007年1月通过.