PURPOSE:
The purpose of this policy is to provide guidance for reporting suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.
SCOPE:
This policy applies to information safeguarded both by ICOM and/or by third-party vendors and contractors working with ICOM. This policy also covers all computer systems, network devices, third- party applications, and any additional systems and outputs containing or transmitting ICOM Protected data or ICOM Sensitive data.
Based on the results of the College's investigation, internal and/or external parties may be notified, as necessary and appropriate
POLICY:
Suspected or confirmed information security breaches must be reported immediately to the Chief
Information Officer and/or Information Security Authority. A breach is defined as unauthorized access of college information. The ICOM Information Technology Department will investigate all reports of security breaches of Internal, Confidential, or Restricted information, as defined in the ICOM Data Security Policy. Upon notification of a suspected information security breach the Information Technology department will:
- Report the breach to the appropriate officials.
- Block, mitigate, or de-escalate the breach, if possible.
- Implement processes and procedures to prevent similar breaches from occurring in the future.
INTERNAL NOTIFICATION
The ICOM Information Technology department will report all suspected cases of significant information breaches to administration, and will work with them to establish an appropriate response strategy. If the ICOM Information Technology department's investigation determines that criminal activity has taken place, the Information Technology Director or Information
Security Authority will report the breach to public safety. The College community at large will be notified of the results of the initial investigation.
EXTERNAL NOTIFICATION
The Director of Information Technology, in consultation with administration, will determine if external notification will be required in the event of an information breach. External notification is required if any of the following conditions are met:
-
Has access been gained to unencrypted Level III information?
-
Has a physical device that contains unencrypted Level III information been lost or stolen?
-
Is there evidence that unencrypted Level III information has been copied or removed?
-
Is there evidence that the intrusion was intended to acquire unencrypted Level III information?
-
Do local, state, or federal laws or college policy require notification in this instance?
Parties to be notified may include:
-
Anyone affected by the breach, or whose data may have been compromised.
-
Government officials as required by law.
-
RESPONSIBLE OFFICIALS:
Chief Information Officer/Information Security Authority, Faculty, Staff, Students, and Contractors.
POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL:
Effective: 8/23/21
Last Reviewed: 1/25/24
Review Requirement: Annual