The following details CIS' response and reporting procedures involving security incidents affecting the availability of University computer and information system resources, or the confidentiality or integrity of the information stored or transported across these resources. As a guideline, this document represents a best practices strategy for incident response and reporting. Ultimate authority for the actions and methods conducted in the event of a security violation rests with the university CIO or official designee.
Effective Date: January 19, 2007 Last Updated: March 2, 2023
Incident Notification (Internal)
In the event that a CIS employee becomes aware of a security violation (confirmed or suspected), that staff member will immediately notify the CIS via the CIS Teams Outages Channel and create a JIRA "ITSEC" ticket providing as many details as possible regarding the reported concern.
In the event that the incident response occurs during normal CIS operating hours, the full SysAdmin team – or subset of that team (see “Coordination and Planning” below) – will be assembled at the discretion of the CIO or senior CIS staff member coordinating incident response.
Data Breach Notification
Due to the high level of financial, legal and institutional impact, incidents involving suspected or actual data breaches require immediate notification of the CIS senior leadership and also the VP of Business and Planning
Incident Reporting: Internal Violations
Initial Response – Preservation/Suspension of Confidentiality
In the event that confidential or protected university resources or assets are being eminently threatened, CIS will take immediate and appropriate action to contain the threat prior to notification of the individuals/departments noted in 5.B. Such actions constitute a “suspension of confidentiality” on the part of an individual’s access credentials, and may involve immediate denial of university privileges (credentials) and resource access.
In the event that no immediate threat to availability, integrity of confidentiality exists CIS will execute the procedures for reporting
Incident Reporting: External Violations
In the event that confidential or protected university resources or assets are being eminently threatened, or where there is evidence that a high-risk exposure to system or resource compromise exists, CIS will take immediate and appropriate action to contain or mitigate the threat.
Incident Control and Reporting Procedures (Internal)
In instances where the incident involves no known compromise to confidential university information, where the threat is minimal and easily contained, response authority shall rest with the CIO and CIS SysAdmin team. At the discretion of the CIO, incident details may be provided to the VP-OBP or president’s cabinet.
In instances where the external violation goes beyond simple nuisance violations, when there is evidence or suspicion of legal or monetary compromises to university resources, the VP-OBP will be notified and authority and coordination of incident response shall move to university counsel or cabinet, or other designee as directed by the CIO or VP-OBP.
Definition of Terms
Internal Security Violations those in which the offender is a known employee, student, or agent of the university, and as such, subject to the provisions set forth in the Acceptable Use Policy (AUP).
External Security Violations those coming from outside the campus network, and/or from sources that are unidentifiable or unaffiliated with Seattle Pacific University.