Data Security Procedures, Security Breach Response

Procedure Section: 
Information Technology Services
Effective: 
Monday, October 26, 2015
Last Revised: 
Tuesday, August 14, 2018
Procedure: 

SECURITY BREACH RESPONSE

Per the Data Security Procedures, Roles and Responsibilities, Users and Data Security Officers must report any known Security Breach or any incident that is likely to cause a Security Breach. These incidents include thefts of computer devices, viruses, worms, or computer “attacks” that may lead to unauthorized access to confidential information.

Immediately upon becoming aware of a likely Security Breach, the Chief Information Security Officer shall notify the Washington State Office of the Chief Information Officer (OCIO). ITS Security and the College’s Risk Manager shall conduct an investigation.

The OCIO shall determine what, if any, actions the College is required to take to comply with applicable law, including whether any notification is required under the law.

The Chief Information Security Officer shall work with the College's Risk Manager and other administrators as appropriate to ensure that any notifications and other legally required responses are made in a timely manner.

If the event involves a criminal matter, the SPSCC Security Department shall be notified and shall coordinate its response with the OCIO and the College's Risk Manager.

ITS Security and the College’s Risk Manager shall investigate and review the incident with the department(s) directly affected by the incident, and the appropriate Data Security Officer(s).

ENFORCEMENT SANCTIONS

The College reserves the right to monitor network traffic, perform random audits, and to take other steps to ensure the integrity of its information and compliance with this policy. Requests for audits of employee or student computers based on specific concerns may be initiated by any college employee to the Human Resources Department, which may initiate a review by IT Services.

Violations of this policy may lead to appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks. Willful or repeated violations of this policy may result in dismissal from the College.

Definitions: 
Information Resource: An Information Resource is a discrete body of information created, collected and stored in connection with the operation and management of the College and used by members of the College having authorized access as a primary source. Information Resources include electronic databases as well as physical files. Information derived from an Information Resource by authorized users is not an Information Resource, although such information shall be subject to this policy.

Personally Identifiable Information: Personally identifiable information (PII), or Sensitive Personal Information (SPI), is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Sponsors: Sponsors are those members of the College community that have primary responsibility for maintaining any particular Information Resource. Vice Presidents and Deans may designate sponsors in connection with their administrative responsibilities (as in the case of the College Registrar with respect to student academic records), or by the actual sponsorship, collection, development, or storage of information (as in the case of individual faculty members with respect to their own research data, or student grades).

Data Security Officers: Data Security Officers are those members of the College community, designated by their College Vice President or Dean, who provide administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific Information Resources in consultation with the relevant Sponsors.

Users: Users include virtually all members of the SPSCC community to the extent they have authorized access to College Information Resources, and may include students, faculty, staff, contractors, consultants, temporary employees and volunteers.

Computer System Security Requirements: Computer System Security Requirements shall mean a written set of technical standards and related procedures and protocols designed to protect against risks to the security and integrity of data that is processed, stored, transmitted, or disposed of through the use of College information systems, and shall include computer system security requirements that meet or exceed the requirements of regulations in RCW 42.56.420 - Security. The Computer System Security Requirements establish minimum standards and may not reflect all the technical standards and protocols in effect at the College at any given time.

Specific Security Procedures: Specific Security Procedures are procedures promulgated by a College Vice President or Dean to address particular security needs of specific Information Resources sponsored within their area of responsibility, not otherwise addressed by this policy, or any Data Security Directives.

Security Breach: A Security Breach is any event that causes or is likely to cause Confidential Information to be accessed or used by an unauthorized person and shall include any incident in which the College is required to make a notification under applicable law, including RCW 42.56.420 - Security, RCW 42.56.230 - Personal Information and RCW 42.56.100 - Protection of public records — Public access.
Procedure Code: 
PRITSV4701