Information system incident response

Purpose

The purpose of this policy is to define standard methods for identifying, documenting, and responding to information system security incidents.

Policy

It is the policy of Lynn University to respond promptly to an information system security incident (“security incident”). A swift response to a security incident that threatens the confidentiality, integrity, and availability of a university information system and assets is critical. Without a rapid response, a system or assets could be compromised, and the university may be in violation of federal, state, or local statutes, client contracts, and/or its own policies.

The security incident response process may start with an explicit report of a security breach, but it is more likely to start as the result of a routine investigation into some anomalous system or network behavior. For example, a server may be operating slowly, or a printing service may stop working. Because of the potential for unauthorized release or modification of institutional data, in addition to service disruption, it is important to assess the possibility that strange behavior may be the result of some security problem before taking steps to correct a “normal” problem.

When it is determined that an incident may be security related, the nature of the recovery effort must be modified accordingly. The Lynn University incident response team will be notified to ensure the following:

  1. The appropriate information is collected and documented,
  2. The nature and scope of the security breach are ascertained, and,
  3. If appropriate, an investigation by law enforcement is facilitated.

Depending on the nature and scope of a breach, it may also be necessary to make customer and/or public disclosure, which will require the involvement of the appropriate university officials.

Note: security incidents involving the payment card industry data environment are addressed via the university’s PCI incident response plan.

Definitions

Information system(s) - a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used to represent any method that can process, store, or transmit institutional data.

Institutional data - any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk; medium risk; and low risk. See the data classification and data governance policy for additional information.

Low risk data - institutional data and information systems are classified as "low risk" if they are not considered to be medium or high risk, and the data is intended for public disclosure, or the loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the institution's mission, safety, finances, or reputation.

Medium risk data - includes institutional data and information systems not considered to be high risk, and data that is not generally available to the public, or the loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on the institution's mission, safety, finances, or reputation.

Security incident - an ‘incident’ is defined as a failure of a security control and may result in suspected or confirmed institutional data compromise. An institutional data compromise is any situation where there has been unauthorized access to a university information system or network where high or medium risk institutional data is collected, processed, stored or transmitted. A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain high or medium risk institutional data.

Procedures/Guidelines

To learn more about this policy or the supporting procedures, please contact Information Technology.

Policy updated on: Jun. 1, 2021