Procedure - Information Security Incident Response Policy Procedures

PURPOSE

Pacific University has adopted this Information Security Incident Response Policy and Procedure to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and regulations.

University colleges, schools, and departments should follow these procedures to comply with the Information Security Incident Response Policy, Policy Number POL – UIS4507.

PROCEDURE

Reporting an Incident

Any member of the Pacific community (staff, students, faculty, etc.), including business associates, who discovers or suspects an information security incident must immediately notify the Pacific University Technology Helpdesk and request the creation of a high priority service ticket for an information security incident. The Technology Helpdesk will create the ticket and notify the Privacy Officer and the Chief Information Security Officer. The Technology Helpdesk member will follow the security procedures outlined in this policy and in the UIS knowledge base article to ensure a timely response to the situation.

Incident Handling

The university relies on the Incident Response Team to oversee incident handling. The team includes the Privacy Officer, the Chief Information Security Officer, and the Director of Legal Affairs. The Associate VP of Marketing and Communications and the directors of other departments may be included as necessary.

The Privacy Officer will serve as primary contact for PHI incidents. A privacy issue may require a security audit as part of the privacy investigation.

Pacific is a geographically distributed, multidisciplinary organization, which makes centralized incident handling challenging. To simplify and streamline security incident reporting, management, and response, Pacific relies on a standardized Incident Detection and Analysis form.

By using standardized forms, the fundamental details of the incident are captured: the reporting party's name and contact information, and the date and time the incident was reported. Additionally, the forms are designed to capture details through all phases of incident management: Detection and Analysis, Containment and Eradication, and Restoration of Service and Reporting.

Incident Detection and Analysis:

All Pacific users will use phone or email to report details related to a security incident. Contacting the Helpdesk and requesting a high priority ticket is the preferred method. A team member will complete the Incident Detection and Analysis form.

Once the information above has been recorded, the incident ticket will progress from the detection and analysis phase to the containment and eradication phase.

Incident Containment and Eradication:

Once an end user submits a security incident ticket, the incident will be routed to the appropriate UIS team member for follow-up. The Chief Information Security Officer should be promptly informed of the situation. The Chief Information Security Officer will notify the Incident Response Team of the potential risk and keep them informed throughout the analysis, containment, and eradication process. Details will be captured on the Incident Detection and Analysis form.

Incident Recovery and Root Cause Analysis:

Once the incident is contained and eradicated, the assigned individual or team will move into recovery and root cause analysis. The goal of recovery and root cause analysis is to restore the affected system(s) to normal operation and to determine what caused the incident so that corrective measures can be implemented to prevent recurrence. During this phase, the individual managing the incident will work with the Privacy Officer to confirm any impact to customer data. If the affected data contains PHI or PII, the Privacy Officer must be involved, if not already engaged.

Special Considerations –

Protected Data: If it is determined that the incident may have impacted Protected Data, the team assigned to the analysis will contact the HIPAA Privacy Officer and the Chief Information Security Officer.

  1. The Privacy Officer determines whether the data falls within the HIPAA definition and requirements.
  2. The Incident Response Team will assume the lead on any data breach involving Protected Data, including the final determination and the appropriate response.
  3. If applicable, the Privacy Officer, working with the Legal Affairs department, will review contractual obligations with third parties (such as Business Associate Agreements in the case of PHI) and any other contractual documentation between Pacific and the third party, and will determine Pacific's obligations.

Closure:

All incidents must be routed to the Incident Response Team for closure.