Security Incident: Management and Reporting

Statement and Purpose


Table of Contents


Note

This policy is currently under significant revision; drafted updates are awaiting approval/adoption.


The following details CIS' response and reporting procedures involving security incidents affecting the availability of University computer and information system resources, or the confidentiality or integrity of the information stored or transported across these resources. As a guideline, this document represents a best practices strategy for incident response and reporting. Ultimate authority for the actions and methods conducted in the event of a security violation rests with the university CIO or official designee.

Entities Affected By This Policy

All University faculty and staff.




Policy Version: 1.1

Responsible Office: Computer and Information Systems
Responsible Executive:
  AVP for Information Technology

Effective Date: January 19, 2007 
Last Updated:  March 2, 2023


Incident Notification (Internal)

In the event that a CIS employee becomes aware of a security violation (confirmed or suspected), that staff member will immediately notify the CIS via the CIS Teams Outages Channel and create a JIRA "ITSEC" ticket providing as many details as possible regarding the reported concern.

Incident Response

Alerting/Discovery

In the event that the incident response occurs during normal CIS operating hours, the full CIS  team – or subset of that team - will be assembled at the discretion of the CIO or senior CIS staff member coordinating incident response.

Data Breach Notification

Due to the high level of financial, legal and institutional impact, incidents involving suspected or actual data breaches require immediate notification of the CIS senior leadership and also the VP of Business and Planning

Incident Reporting: Internal Violations

Initial Response – Preservation/Suspension of Confidentiality

  1. In the event that confidential or protected university resources or assets are being eminently threatened, CIS will take immediate and appropriate action to contain the threat prior to notification of the  individuals/departments noted in 5.B. Such actions constitute a “suspension of confidentiality” on the part of an individual’s access credentials, and may involve immediate denial of university privileges (credentials) and resource access.
  2. In the event that no immediate threat to availability, integrity of confidentiality exists CIS will execute the procedures for privileged escalation.

Incident Reporting: External Violations

Initial Response

  1. In the event that confidential or protected university resources or assets are being eminently threatened, or where there is evidence that a high-risk exposure to system or resource compromise exists, CIS will take immediate and appropriate action to contain or mitigate the threat.

Incident Control and Reporting Procedures (Internal)

  1. In instances where the incident involves no known compromise to confidential university information, where the threat is minimal and easily contained, response authority shall rest with the CIO and CIS team. At the discretion of the CIO, incident details may be provided to the VP-OBP or president’s cabinet.
  2. In instances where the external violation goes beyond simple nuisance violations, when there is evidence or suspicion of legal or monetary compromises to university resources, the VP-OBP will be notified and authority and coordination of incident response shall move to university counsel or cabinet, or other designee as directed by the CIO or VP-OBP.

Definition of Terms

  • Internal Security Violations
    those in which the offender is a known employee, student, or agent of the university, and as such, subject to the provisions set forth in the Acceptable Use Policy (AUP).
  • External Security Violations 
    those coming from outside the campus network, and/or from sources that are unidentifiable or unaffiliated with Seattle Pacific University.

Related Policies and Procedures