Data Security Breach or Loss of Confidential or Private Information – Incident Reporting Procedure
Information Security Response Team
For any event involving a possible data security breach or loss of student, faculty or staff confidential or private information, immediately notify the Information Security Response Team (ISRT) for evaluation. This group consists of:
- Associate Director of Network and Infrastructure (3644)
- General Counsel (3283)
- Director of Human Resources (3398)
- Registrar (3248)
- Executive Director of Communications (3112)
- Director of IT Operations (3152)
Responsible User
- Notify a member of the response team of the perceived incident involving information security and potential loss or breach of SSU institutional data, communicating the general nature of the event, date and time of the occurrence, information perceived to be lost or stolen and the storage device associated with the loss. Leave contact information (if off-campus during the occurrence).
- Identify any missing hardware or software associated with the data loss.
- Immediately complete and submit the form titled Confidential Information-Data Loss or Breach of Security Incident Notification Report
- The Information Security Response Team will enact the Emergency Response Plan.
Information Security Response Team Member
- The Chief Information Officer will submit a communication to the Information Security Response Team distribution list to ensure each member is aware of the event disclosure. Each member should immediately contact ITS to communicate his/her availability to organize and meet in person at the scheduled day/time. If the Chief Information Officer is not available the Associate Director of ITS will serve as the backup member on the Information Security Response Team, to review and evaluate the communicated event to the ISRT.
- Meet with other Information Security Response Team members to determine if notification to impacted individuals is necessary. Decision criteria include:
- A confirmation that an incident occurred, involving confidential or private data loss.
- An interpretation by General Counsel in terms of applicable laws.
- An analysis of data in scope of event and qualification of whether data is useable if accessed, i.e. unencrypted or non-redacted.
- A reasonable belief that data in question was or can be acquired by unauthorized individuals for misuse.
- Communicate to other emergency response constituents, i.e. Cabinet, Security, Facilities regarding developments, issues, actions taken and path forward, in accordance with the broader Emergency Response plan.
- Enforce necessary campus policies and procedures to limit exposure of loss.
- Contact Beasley Breach Response to engage support within service level agreement.