Missouri State University

Information Security Incident Management

Definitions

Information Security Incident: An unauthorized acquisition of sensitive information, whether through intrusion or user error. Such information is typically maintained in paper or electronic format.

Policy Statement

The Information Security unit of Missouri State University will remain prepared to handle information security incidents until resolution.

Suspected or confirmed information security incidents must be reported to the University Information Security Officer (ISO) or, in the ISO's absence, to the Electronic Information Regulatory Compliance Specialist.

The ISO will investigate the report and, if a breach of Level 2 – Level 5* information has occurred, will inform the Chief Information Officer (CIO). The CIO will inform the University administration and/or law enforcement, as appropriate. The ISO will take measures to contain the incident and begin the investigation and documentation process.

If an intrusion occurs but no Level 2 – Level 5 information is breached, the ISO will handle the incident by containing the intrusion and notifying the system owner and custodian for remedial action, as well as starting the investigation and documentation process.

In the event that a public notification of the security incident is warranted (e.g. a violation of governmental regulation, local decision to notify, etc.), the CIO will consult with the appropriate University Chancellor, Vice President(s), Provost, General Counsel, and/or University Communications to develop the response.

The lessons learned from the incident response will be used to enhance processes, methods, and capabilities for future use.

Violations, or failures to report violations, may be subject to disciplinary action.

*Please refer to the data definition section of the Data Classification Policy for classification levels and definitions.

Reason or Purpose for Policy

This policy describes the course of action to be taken by University representatives when an information security incident occurs.

Any unauthorized acquisition of sensitive information will have a detrimental effect on the University. This includes a damaged reputation, loss of confidence in the University's ability to handle information, financial loss from hesitant donors, work hours spent in the containment and notification phases of a breach, and the cost of any necessary credit-monitoring services for affected individuals. The University has both an obligation and a desire to protect the sensitive information of its community.

The HITECH Act of the ARRA of 2009 and R.S.Mo. Chapter 407 (2009) have incident response requirements and will be followed when the incident meets their criteria.

Entities Affected by this Policy

All entities contained in or under the direction of the Missouri State University system.

Line of Authority

  1. Responsible Administrator and Office: Chief Information Officer (CIO)
  2. Contact Person in that Office: Information Security Officer (ISO)