Introduction
Incident Notification (Internal)
In the event that a CIS employee becomes aware of a security violation (confirmed or suspected), that staff member will immediately notify the CIS management team in-person or via direct telephone conversation (not voicemail), beginning with the CIO and continuing through the CIS reporting hierarchy until a CIS team manager is contacted in-person. The employee will also send an urgent-flagged message to the CIS full staff email
Incident Response
Alerting/Discovery
In the event that the incident response occurs during normal CIS operating hours, the full SysAdmin team – or subset of that team (see “Coordination and Planning” below) – will be assembled at the discretion of the CIO or senior CIS staff member coordinating incident response.
Data Breach Notification
Due to the high level of financial, legal and institutional impact, incidents involving suspected or actual data breaches require immediate notification of the CIS senior leadership and also the VP of Business and Planning
Incident Reporting: Internal Violations
Initial Response – Preservation/Suspension of Confidentiality
- In the event that confidential or protected university resources or assets are being eminently threatened, CIS will take immediate and appropriate action to contain the threat prior to notification of the individuals/departments noted in 5.B. Such actions constitute a “suspension of confidentiality” on the part of an individual’s access credentials, and may involve immediate denial of university privileges (credentials) and resource access.
- In the event that no immediate threat to availability, integrity of confidentiality exists CIS will execute the procedures for reporting
Incident Reporting: External Violations
Initial Response
- In the event that confidential or protected university resources or assets are being eminently threatened, or where there is evidence that a high-risk exposure to system or resource compromise exists, CIS will take immediate and appropriate action to contain or mitigate the threat.
Incident Control and Reporting Procedures (Internal)
- In instances where the incident involves no known compromise to confidential university information, where the threat is minimal and easily contained, response authority shall rest with the CIO and CIS SysAdmin team. At the discretion of the CIO, incident details may be provided to the VP-OBP or president’s cabinet.
- In instances where the external violation goes beyond simple nuisance violations, when there is evidence or suspicion of legal or monetary compromises to university resources, the VP-OBP will be notified and authority and coordination of incident response shall move to university counsel or cabinet, or other designee as directed by the CIO or VP-OBP.
Definition of Terms
- Internal Security Violations
those in which the offender is a known employee, student, or agent of the university, and as such, subject to the provisions set forth in the Acceptable Use Policy (AUP). - External Security Violations
those coming from outside the campus network, and/or from sources that are unidentifiable or unaffiliated with Seattle Pacific University.