Standard for Incident and Breach Response
In the event of an Information Security Incident or Personal Data Breach, it is critical that the appropriate actions are taken to minimize risk, meet legal and compliance obligations, and protect the privacy rights of individuals.
This standard defines the Information Security Incident and Data Breach Response Plan for The New School. It identifies and describes goals, expectations, roles, and responsibilities with respect to Information Security Incident reporting and record-keeping, investigation and risk assessment, containment and recovery, external notification, and post-incident review.
This standard applies to all university Institutional Information and IT Resources, irrespective of whether they are maintained by The New School or a third party on the university’s behalf or whether they are accessed from on-campus or off-campus locations, and to any individual who accesses or in any way makes use of them, regardless of affiliation. This includes, but is not limited to, Workforce Members, students, and alumni.
Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.
All Information Security Incidents, actual and suspected, should be handled by performing the actions described below.
Reporting an incident and record-keeping
Any user of Institutional Information or IT Resources (including Workforce Members, students, and alumni) who discovers or learns of an actual or suspected Information Security Incident must immediately report the incident to IT Central at firstname.lastname@example.org and 646-909-4357 as the primary point of contact.
Reports of Personal Data Breaches must additionally be sent, without delay, to the Information Security and Privacy Office at email@example.com. Some data protection laws require reports to be made to supervisory authorities within very short time periods, and the ISPO will do this if it is necessary. The ISPO will also determine whether individual Data Subjects should be informed of the breach.
All Information Security Incident reports should include:
- Name of the person reporting the incident
- Department, title, and contact information of the person reporting the incident
- Date and time (to the extent known) of the incident
- Description of the incident, including IT Resources affected
- Whether the incident involves Personal Data (yes/no/unknown)
- Description of any initial actions taken in response to the incident
If the Information Security Incident involves Personal Data, the report should also include:
- Categories of Personal Data involved (e.g., specific data elements)
- Categories of Data Subjects involved (e.g., students, faculty, staff, alumni)
- Number of Data Subjects involved (if known)
If a computer system breach has occurred, IT Central will inform the Senior Director of Enterprise Infrastructure, the Enterprise Infrastructure team, and the ISPO.
The ISPO will maintain logs of all Information Security Incidents and Personal Data Breaches, which will include information about all stages of the investigation and outcome.
Investigation and risk assessment
The Senior Director of Enterprise Infrastructure, or a designated individual, will establish an incident management team to investigate the incident, made up of staff responsible for the area to which the type of Information Security Incident relates. If the incident involves Personal Data, the ISPO will also be part of the team. Wherever possible, the investigation will begin within 24 hours of the incident being discovered.
The investigation will establish the nature of the incident and the type of data involved, and will consider the extent of any system compromise and the sensitivity of the data. A risk assessment will be performed to identify the potential consequences of the incident, for instance whether access to Institutional Information or IT Resources could be disrupted or made unavailable.
If the Information Security Incident is determined to constitute a Personal Data Breach, the risk assessment will consider whether there is a risk to individuals. This risk assessment will consider the nature, sensitivity, and volume of Personal Data involved and the number of Data Subjects; the ease of identification of individuals from the data; the category of Data Subject, for instance whether they are a child or a vulnerable person; and the possible consequences of the incident, the severity of the impact they could have, and their likelihood of occurring. These factors will help to determine whether there is a risk and what its magnitude might be. The risk assessment will determine whether the incident should be reported to relevant data protection and/or regulatory authorities and whether Data Subjects should be informed.
Evidence to support the investigation will be collected as soon as possible and safeguarded so that its integrity is preserved for forensic analysis and, where applicable, legal admissibility.
Containment and recovery
The incident management team will determine the appropriate course of action and the required resources needed to limit the impact of the incident. This might require isolating a compromised section of the network, alerting relevant staff, or shutting down critical equipment.
Appropriate steps will be taken to recover from system or data losses and resume normal business operations. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data, and changing compromised passwords.
Following a serious data breach, that is, one involving a large amount of data or a significant number of people whose Personal Data have been breached, the Senior Director of Enterprise Infrastructure will notify the Associate Vice President, Foundation Technology (AVP-FT) and the Chief Information Officer (CIO) (for Information Security Incidents), and the ISPO will notify the Office of the General Counsel (for Personal Data Breaches).
This group of individuals will collectively decide whether to notify:
- Other members of the university leadership (and which ones)
- The university’s cyber-security insurance carrier
- Data protection and/or regulatory authorities
- Law enforcement
If a Personal Data Breach has occurred, the ISPO and the Office of the General Counsel will inform the relevant data protection authorities if necessary, based on the risk assessment that was performed. If there is a risk to people's rights and freedoms (under the GDPR), these authorities will be informed without undue delay and, where feasible, not later than 72 hours after the university became aware of the breach.
Where a Personal Data Breach has been assessed as presenting a high risk to the individuals concerned, the university will, where possible and appropriate, notify those individuals without undue delay so that they can take steps to protect themselves. High-risk situations are likely to include the potential for people to suffer significant detrimental effects, such as discrimination, damage to reputation, financial loss, identity theft, fraud, or any other significant economic or social disadvantage. The notice will include a description of the breach and the steps taken to mitigate the risks.
Once the incident has been contained, the relevant team or individual will review the event and report to the AVP-FT, the CIO, and, if the incident was a Personal Data Breach, the Office of the General Counsel. The report will detail the cause of the incident and contributory factors, the chronology of events, the response actions taken, recommendations, and lessons learned, identifying areas that require improvement to reduce the likelihood or impact of future incidents.
Recommended changes to systems, policies, and procedures will be documented and implemented as soon as possible thereafter.
This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.
Revision history: Jun 2020, D. Curry.
Parts of this standard are adapted from the University of Greenwich’s policy on managing information security incidents, the contents of which are used with permission.