BP 8112 Incident Response

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

In the event of a security incident, it is critical to respond and resolve the issue as quickly and effectively as possible. This policy ensures that PCC maintains documented procedures, roles, and responsibilities – so that no time is lost debating what to do and by whom and standardized activities are performed and documented.

Scope Statement

This policy applies to any information security related incident, breach, or compromise affecting critical data for which PCC is custodian or causing disruption to PCC’s normal operation.
All PCC employees have the responsibility to assist in incident response procedures within their particular areas of responsibility. Examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
1. Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, an alert from a Public Safety employee, video evidence of a break-in, or unscheduled/unauthorized physical entry);
2. Fraud (e.g., inaccurate information with databases, logs, files, or paper records);
3. Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, or abnormal errors in system log files or on terminals);
4. Security event notifications (e.g., file integrity alerts, intrusion detection alarms, physical security alarms).

Policy Summary

All security incident detections and responses, especially those related to critical systems, will adhere to documented and implemented incident response processes and procedures in order to mitigate risk, reduce costs, and minimize system downtime.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

1. The CISO shall document and implement incident response plans and procedures that address security incident detection and response.
This shall include standards and procedures for:
a) Incident identification
b) Incident severity & classification
c) Incident declaration & reporting

2. All PCC employees shall be responsible for detecting security incidents, notifying appropriate personnel, and facilitating the incident response plan and procedures.

3. The CISO, or available member of the Information Security team, shall be notified immediately of any suspected or confirmed security incidents involving PCC computing assets, particularly those impacting critical systems.

4. Incident reports shall be forwarded to a Red Flag Team where applicable under Red Flag rules.

5. To assure the integrity of the incident investigation and recovery process, the CISO shall oversee any investigative or corrective action.

Exemptions

None

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Security Officer (CISO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Cybercrime
Criminal activity or a crime that involves the Internet, a computer system, or computer technology.

Data Breach
Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal council recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Red Flag Team
A PCC committee focused on the prevention of Identity Theft in accordance with the GLBA Red Flags Rule.

GLBA requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns that may arise — and take steps to prevent a red flag from escalating into a costly episode of identity theft. The Program must be documented and updated periodically. Updates must reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. The Program must also have the approval of the Board of Directors or a designated Senior Management employee. The Board of Directors shall also have supervision of the implementation of the Program as well as training of the staff and oversight of service providers.

Software
A set of instructions that tells a computer what to do.

Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

IT Information Security

Last Revision Date

10-04-2019