Information Security Policy - Office of Information Technology

SAMPLE – INCIDENT MANAGEMENT PROCEDURES
Purpose: To ensure that security incidents are reported and assessed and that their harmful effects are
mitigated, in order to protect the University’s business operations.
Definitions:
Security event - a possible unauthorized attempt to compromise the confidentiality, integrity or
availability of the University’s electronic information or information systems. It may be a local threat that
can evolve, or has already evolved, to present a larger risk to the University.
Security incident - an actual or possible breach of the University’s safeguards that protect its electronic
information, information technology infrastructure or services or information systems (or dependent
information systems), and presents a significant business risk to the University.
What to Report:
Any computer activity believed to be suspicious or considered an unauthorized attempt to access, use,
steal, or damage the University’s electronic information, information systems, or information technology
infrastructure (this includes missing computer equipment).
Theft of computer equipment must also be reported to Public Safety and the Risk and Claims
Management departments.
The Office of Enterprise Risk Management, Ethics, and Compliance must be informed of suspicious
activity related to electronic protected health information (ePHI).
Members of the University’s community should use their best judgment and err on the side of caution
when deciding whether to report activity they believe may be suspicious or that constitutes a threat to
the University or their respective organization.
When to Report:
Report the activity within 24 hours of detection to your manager or other managerial authority in your
organization.
Reporting Procedure for Users:
1. Complete User’s Sections A and B of the Incident Report Form. All fields denoted with * are
required.
2. Forward a copy as required to:
a. Manager/Supervisor
b. Local Compliance Officer
c. Public Safety (for theft of equipment)
d. Risk Management and Insurance (for theft of equipment)
e. Office of Enterprise Risk Management, Ethics and Compliance (for information including
ePHI)
3. Retain copies of all communications for future reference.
Reporting Procedure for Managers:
1. Complete the Manager’s Section of the Incident Report Form. Fields denoted with ** are required.
2. Forward a copy, as required, to your local compliance officer or to the Office of Enterprise Risk
Management, Ethics, and Compliance to initiate an assessment of the activity and/or an
investigation of the missing equipment.
a. Theft of computer equipment must also be reported to Public Safety and the Risk and Claims
Management departments.
b. The Office of Enterprise Risk Management, Ethics, and Compliance must be informed of
suspicious activity related to ePHI.
c. Managers must also contact their local Registrar office if education records are potentially
involved.
d. Managers must also report to their school’s Dean or unit’s Vice President suspicious activity
that potentially presents a risk to their organization and to the University.
3. Retain copies of all communications for future reference.
Communications and Assessment:
The Office of Enterprise Risk Management, Ethics, and Compliance is the lead assessor for all reports of
suspicious activity and/or missing computer equipment. It will coordinate and manage
communications among all parties involved in the response to the event, including but not limited to
Public Safety, the Office of the Registrar, IST, the Information Security Office, the Security Incident Response
Team, the Office of Legal Management, Risk and Claims Management and the Office of Emergency
Management.
The Information Security Office and the University’s IT services organizations will assess if the event
presents a larger technology risk to the University’s electronic information, information systems, or
information technology infrastructure across one or more campuses.
Contact Information:
Manager/Supervisor
Contact <Name> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Public Safety
Contact the <Department Name> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Risk Management and Insurance
Contact the <Department Name> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Office of Enterprise Risk Management, Ethics, and Compliance
Contact the <OERMEC> by calling <973-555-1234> or via email at <email@rutgers.edu> or via website
at <INSERT LINK>.
Local Compliance Officer
Contact <Name> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Registrar
Contact the <Office of the Registrar> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Dean of School/Vice President of Unit
Contact the <Name> by calling <973-555-1234> or via email at <email@rutgers.edu>.
Attachment/References:
1. A blank Incident Report Form can be found at <J:\mydept_AnyApplication_incidentrpt>.