IS-1012 Information Security Incident Response (Policy)

Communications

Release Date: 7/16/09

Administrative Directive

Summary               

This administrative directive describes the procedures to be followed when a computer information security incident is discovered involving CNM resources (communication and computer devices) and systems (enterprise applications, services, and equipment) and/or its employees and students.  An information security incident is considered to be a real or suspected adverse event in relation to the security of CNM data/information, computer resources and systems/networks.  Some examples are:

  • theft of data
  • attempts to gain unauthorized access to a system or its data
  • an unwanted disruption or denial of service
  • changes to system hardware, firmware, or software characteristics without the system administrator's knowledge
  • the unauthorized use of a system for the processing or storage of data
  • probes or scans for vulnerabilities via the network to a range of computer systems
  • theft of resources and systems

Applicability

This administrative directive is applicable to all CNM employees, students and others granted access to CNM information and/or use of computer resources and systems/networks that become aware of an information security incident.  Every user of any of CNM's information resources and systems has responsibility toward the protection of the College's data/information assets; certain offices and individuals have very specific responsibilities.

1. Notification/Reporting of an Incident

Any member of the College community who becomes aware of an information security incident involving CNM data and/or information resources and systems must immediately submit an ITS Service Desk (Help Desk) work ticket (servicedesk@cnm.edu) or 224-4357) and/or notify the ITS Information Security Officer  (infosecurity@cnm.edu).

The College's ITS Information Security Officer and/or Executive Director of Information Technology Services may convene a preliminary fact-finding session comprised of cognizant business and technical personnel and notify the Vice President of Planning & Budget that an incident has occurred.

2. Information Security Incident Response Team  (ISIRT)

When warranted by information obtained during preliminary fact-finding, the College's Information Security Officer will promptly appoint and convene a meeting of the Information Security Incident Response Team (ISIRT) and provide leadership to the team(s) from the beginning to the closure of all significant incident activities.  Depending on the circumstances of each situation, the team may include some or all of the following offices:

  • Office of Information Technology Services
  • Human Resources Department
  • Dean of Students Office
  • Security Department
  • President's Office
  • Chief Communications Officer & Executive Assistant to the President
  • Marketing and Communications Office
  • CNM Legal Counsel
  • Dean or Vice President's office affected by the information security incident
  • Executive Director for Planning, Budget and Institutional Research
  • Registrar's Office
  • Departments or schools directly affected by the information security incident
    (Includes both the appropriate business and technical personnel)
  • Comptroller's Office
  • …              (Note that this is not designed to be an all-inclusive list.)

3. Escalation of Decision-Making

The ISIRT will plan and coordinate the activities of all the offices involved, keeping other concerned offices advised as appropriate.  In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of the College and others impacted by the incident.  Such decisions include, but are not limited to:

  • restricting information system access or operations to protect against unauthorized information disclosures.
  • reporting and/or publicizing unauthorized information disclosures, as required by law.
  • involving CNM Legal Counsel and/or  law enforcement agencies in cases where applicable (i.e., where statutes appear to have been violated).

The Information Security Officer will be responsible for the documentation of the appropriate deliberations and decisions of the ISIRT as well as a summary of actions taken pursuant to ISIRT deliberations.

4. Findings Report Preparation

The Information Security Officer will be responsible for writing a final report to the VP of Planning & Budget which summarizes findings regarding any major information security incident and, if appropriate, makes recommendations for improvement of related information security practices and controls.

 



Forms:

Not Applicable

Support Materials:

Not Applicable

Reference Materials:

Not Applicable