Reporting Electronic Security Incidents
University Policy Number 1305
Responsible Office: Vice President of Information Technology/CIO
Related Law & Policy:
- Policy 1301: Responsible Use of Computing
- Policy 1114: Data Stewardship
- Policy 1404: Reporting of Crimes, Accidents, Fires and Other Emergencies
This policy applies to all academic and operational departments and offices at all university locations, owned and leased. The policies and procedures provided herein apply to all university faculty, staff, students, visitors and contractors.
II. POLICY STATEMENT
Users of information technology devices connected to the Mason network shall report all electronic security incidents promptly to the appropriate person or office.
The network constitutes a substantial university resource, and the University’s missions rely significantly on a secure electronic communications network. Prompt and consistent reporting of electronic security incidents protects and preserves these resources and aids the University’s compliance with applicable state and federal laws.
The University will comply with the Code of Virginia § 18.2-186.6 (Breach of Personal Information Notification) which mandates certain reporting requirements and the circumstances which dictate when and how notification will be issued.
Computer Security Incident Response Team (CSIRT): Specially trained technical individuals designated responsible for first response to suspected electronic security incidents. As part of their first response, they take all possible measures to preserve the evidence.
Data Breach Notification: The University’s notification requirements for identifying the triggering factors and necessary responses to unauthorized release of unencrypted highly sensitive data.
Data Custodian: An individual who has been authorized to be in physical or logical possession of data and is responsible for (1) protecting said data from unauthorized access, alteration, destruction, or usage, and (2) providing and administering general controls, such as back-up and recovery systems.
Electronic Security Incident: Electronic activities, such as “hacking” or a compromised or abused computer, that result in damage to or misuse of the Mason network or a device connected to it. Routine detection and remediation of a “virus,” “worm,” or similar issue that has little impact on the day-to-day business of the University is not considered an Incident under this policy.
Encrypted: (1) The transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or (2) the securing of the information by another method that renders the data elements unreadable or unusable.
Information Technology Device: Any device involved with the processing, storage, or forwarding of information making use of the Mason information technology infrastructure or attached to the Mason network. These devices include, but are not limited to: laptop computers, desktop computers, personal digital assistants, and network devices such as routers and switches, and printers.
IP Address: The Internet Protocol Address is a unique number associated with a device used for the routing of traffic across the Internet or another network.
ITS Support Center: The ITS Support Center provides technical support for computing, network, and phone issues for the University community. It also serves as the first point of contact for reporting problems with computers, computer accounts, phones, and networks on campus.
Personal Information: The first name (or first initial) and last name in combination with and linked to any one or more of the following data elements, when the data elements are neither encrypted nor redacted:
- Social Security Number
- Driver’s license number or state identification card number issued in lieu of a driver’s license number
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts
- Other personal identifying information
Redact: The alteration or truncation of data such that no more than the following are accessible as part of the information:
- Any five digits of a Social Security number, or
- The last four digits of a driver’s license number, state identification card number, or account number
Security Liaisons (SLs): Point of contact within each university unit for the unit’s staff to report security incidents, suspected and real.
User: An individual who uses an information technology device.
User: Reports actual or suspected electronic security incidents to ITS Support Center at 703-993-8870. Ceases use of the computer immediately, understanding that continued use may inadvertently damage potential evidence in the event that the electronic security incident becomes part of a criminal case.
ITS Support Center: Collects appropriate information for suspected electronic security incidents. Notifies the CSIRT of reported electronic security incidents.
ITS Network Engineers and Server Administrators: Collects appropriate information regarding devices compromised by electronic security incidents. Completes the following tasks:
- Disables the port of the affected information technology device, if appropriate.
- Notifies the CSIRT of electronic security incidents in order for the CSIRT to initialize First Response and Evidence Preservation (open, manage, and close problem reports for electronic security incidents).
- Contacts users of and/or systems administrators for compromised devices.
- Communicates to users, Network Engineers, Server Administrators, and/or SLs (1) any actions that need to be taken and the reasons for them, (2) the steps required to reestablish services, and (3) any relevant technical information about the incident.
- Notifies the Chief Information Officer within 24 hours of an investigation.
Chief Information Officer (CIO): Reports events deemed to meet the definition of significant incident to Virginia Information Technology Agency (VITA) per the Code of Virginia § 2.2-603, and notifies appropriate law enforcement agencies when a crime is suspected.
V. DATA BREACH NOTIFICATION RESPONSIBILITIES
A. All departments, units and offices must include provisions in any third party contracts requiring that the third party and third party subcontractors provide immediate notification to the University CIO of suspected breaches and report findings.
B. The University will send appropriate notice to affected individuals upon the unauthorized release of unencrypted and/or un-redacted personal information by any mechanism, including, but not limited to:
- Theft or loss of digital media
- Theft or loss of physical hardcopy
- Security compromise of any system
The University will disclose the breach of system security if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key.
If a data custodian is the entity involved in the data breach they must alert the data owner so that the data owner can notify the affected individuals.
The University will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed. However, notification may be delayed in cases where law enforcement is notified, and the law enforcement agency determines and advises the individual or entity that the notice would impede a criminal or civil investigation, homeland security or national security. Notice shall be made without unreasonable delay after the law enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.
C. In the case of a computer found to be infected with malware capable of exposing data to unauthorized access and which is reasonably believed to have led to the unauthorized access and acquisition of personal information, individuals that may have had their information exposed must be alerted in accordance with data breach rules.
D. Notification consists of:
- A general description of what occurred and the timeframe
- The type of personal information that was involved
- The actions that have been taken to protect the individual’s personal information from further unauthorized access
- A telephone number that the person may call for further information and assistance, if one exists
- The actions the University recommends that the individual take, to include monitoring their credit reports and reviewing their account statements
E. Notification will be provided by one or more of the following methodologies, listed in order of preference:
- Written notice to the last known postal address in the records of the individual or entity
- Telephone notice
- Electronic notice
- Substitute notice by email, conspicuous posting of the notice on the website of the University and notice to major statewide media if one of the following conditions is met:
- The University demonstrates that the cost of providing notice will exceed $50,000
- The affected class of Virginia residents to be notified exceeds 100,000 residents
- The University does not have sufficient contact information or legal consent to provide notice
F. If a notice is provided to more than 1,000 persons at one time pursuant to section E. of Code of Virginia, §18.2-186.6, the University will notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers nationally, as defined in 15 U.S.C.§1681(a)(p), of the timing, distribution, and content of the notice.
Failure to honor the requirements set forth in this policy may result in disciplinary or administrative action.
VII. EFFECTIVE DATE AND APPROVAL
The policies herein are effective September 1, 2006 and were revised as of March 1, 2010. This policy and its procedures shall be reviewed at least annually to adjust processes, identify new risks, and remediation.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: February 25, 2010
Revision of March 1, 2010 approved: February 25, 2010
Revised: January 29, 2013