Information Security Incident Response Policy
|Information Technology Services|
|Chief Information Security Officer|
|Information Security and Technology|
|First draft 7/2021|
|Breach, Cyber Security, Incident Response|
This policy details how SUNY Empire will follow the SUNY Cyber Security Incident Notification Contacts and Procedures.
The University is committed to securing and protecting the information within its possession. As an institution of higher education operating in New York State (NYS) and within the State University of New York (SUNY) system, the University must comply with federal, state and SUNY confidentiality and information safeguarding laws and policies, as well as meet data protection requirements imposed by its accrediting agency, the Middle States Commission on Higher Education (“MSCHE”) and the EU General Data Protection Regulation (GDPR). The Incident Response Policy establishes procedures and assigns responsibilities for reporting, and responding to suspected and known information security incidents that result in unauthorized access or alteration of University business records, or attempts to deny or impede legitimate access to those records.
An information security incident- is considered to be any adverse event that threatens the confidentiality, integrity or availability of University or affiliate information resources. These events include, but are not limited to, the following activities:
- Suspected criminal use of systems or services, including:
- Identity theft
- Disclosure, destruction, or alteration of University or affiliate - managed systems or data
- Loss or theft of devices that contain or enable access to University records
- Compromise of a web page
- Compromised credentials
- Attempts (either failed or successful) to gain unauthorized access to a system or its data
- Unwanted disruption or denial of service (DoS)
- Unauthorized use of a system for the transmission, processing or storage of data
- Changes to system hardware, firmware or software characteristics without the University’s or affiliate’s knowledge, instruction or consent
- Execution of malicious code, often referred to as malware, such as viruses, Trojans, worms or botnets
- Unauthorized changes to system configurations
- Attempts (either failed or successful) to cause failures in critical infrastructure services, loss of critical supervisory control and data acquisition (SCADA) systems
- A potential or suspected ‘Personal data breach’ as defined by GDPR which includes “of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
- A cyber security incident involving PII*, HIPAA*, or FERPA* data
- A cyber event that could significantly impact or put at risk campus operations
- An information loss that raises to the level outlined in the NYS Information Security Breach and Notification Act
* Personally Identifiable Information * Health Insurance Portability and Accountability Act of 1996 * Family Educational Rights and Privacy Act of 1974
General Data Protection Regulation (GDPR) - Effective May of 2018 this regulation applied to all enterprises doing business in the European Union (EU) countries and requires business and institutions to protect the personal data and privacy of all individuals conserved EU data subjects.
Personal Data in relationship to GDPR - any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personally Identifiable Information - As defined in State Technology Law, shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account.
Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Any employee or university affiliate that observes or suspects a security incident must report the incident by submitting an incident ticketed to the Information Technology Service Desk using the ticketing system at https://www.sunyempire.edu/service-desk/ or by calling 1-888-HELP-009 (888-435-7009) as soon as possible. The Service Desk attendant receiving the report must contact the ISO as soon as possible via email and/or phone. The ISO will verify they have received the report. If the Service Desk does not receive receipt of the report from the ISO within 8 hours (or first thing the next business day if 8 hours is past hours of operation), the Service Desk attendant will contact the designee by the ISO and await receipt of the report.
The ISO or designee will determine if the incident is a high risk. If the incident is high risk, the ISO or designee will respond in accordance with the SUNY Cyber Security Incident Notification Contacts and Procedures, which includes notification to the proper NYS entity. The president, or officer in charge of the university, executive vice president of administration and chief information officer will also be notified.
The ISO or designee, in consultation with SUNY counsel, will determine if the incident is considered a personal data breach in relationship to GDPR. If the incident is considered a personal data breach in relationship to GDPR the ISO or designee will respond in accordance with GDPR Articles 33 and 34. The president of the university, executive vice president of administration, chief information officer and GDPR executive committee will also be notified.
If it is determined by NYS, SUNY, and/or the ISO, that communications about the incident are necessary the ISO will work with SUNY counsel, the SUNY Empire chief information officer, the SUNY Empire chief of staff and director of government relations, and the SUNY Empire director of communications to communicate with the people affected by the incident in accordance with NYS regulations and GDPR Article 34.
The ISO will investigate all information security incidents and implement corrective actions to reduce the risk of reoccurrence.
Every employee will receive cyber security training annually.
Applicable Legislation and Regulations
Any employee or university affiliate that observes or suspects a security incident must report the incident by submitting an incident ticketed to the Information Technology Service Desk using the ticketing system at https://www.sunyempire.edu/service-desk/ or by calling 1-888-HELP-009 (888-435-7009) as soon as possible.
SUNY Policy 6900 “Information Security Policy”
SUNY “Security Incident Response Process”
NYS Information Security Breach & Notification Law
NYS Cyber Security Policy P03-002: Information Security Policy
NYS Cyber Security Policy P03-001: Cyber Incident Reporting Policy
General Data Protection Regulation (GDPR) Article 33 and 34.