Server Breach Policy
This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting EnterMedia Protected data or EnterMedia Sensitive data.
The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.
Reporting of suspected thefts, data breaches or exposures
Any individual who suspects that a theft, breach or exposure of EnterMedia Protected data or EnterMedia Sensitive data has occurred must immediately provide a description of what occurred via email to Security@entermediadb.org, or through the use of the anonymous contact web page at https://entermediadb.org. This email address, phone number, and web page are monitored by EnterMedia’s Information Security team. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security team will follow the appropriate procedure depending on the class of data involved.
If a local law enforcement agency is contacted, the name of the agency and the report number should be provided to EnterMedia via the methods of contact outlined above.
Confirmed theft, data breach or exposure of EnterMedia Protected data or EnterMedia Sensitive data
As soon as a theft, data breach or exposure containing EnterMedia Protected data or EnterMedia Sensitive data is identified, the process of removing all access to that resource will begin as soon as possible. If the information is available on a site outside of EnterMedia, that site will be contacted to have the information removed as soon as possible.
The CEO will chair a response team to handle the breach or exposure. The team will include members from:
Server Hosting Team
Sales and Marketing
If a theft of physical property occurred, the Server Team will be notified by ITS. This team will provide information to EnterMedia regarding how the breach or exposure occurred, the types of data involved, the EnterMedia classifications of those data types, any protective measures around the involved data (such as encryption), and the number of internal/external individuals and/or organizations impacted. EnterMedia will handle all communications about the breach or exposure. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure.
Confirmed theft, breach or exposure of EnterMedia Public data
The CIO will be notified of the theft, breach or exposure, and will inform EnterMedia as soon as possible. ITS will analyze the breach or exposure to determine the root cause. ITS will work with the appropriate parties to remediate the root cause of the breach or exposure. ITS will also examine any involved systems to ensure that they did not also house any EnterMedia Protected data or EnterMedia Sensitive data. If the systems are found to also contain EnterMedia Protected data or EnterMedia Sensitive data, the CIO will be notified and the “Confirmed data breach or exposure of EnterMedia Protected data or EnterMedia Sensitive data” section of this policy will be invoked. If a theft of physical property occurred, the Department of Campus
Safety will be notified by ITS. The Server Team will determine if it is also appropriate to necessary other law enforcement agencies based on where the theft occurred.
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Data Classification policy
This checklist covers items that the response team should consider while responding to a security incident.
Materials that may need to be developed to handle the incident including:
Q&A for media
Q&A for call center and other responders
Alert Organization leadership teams (President, Cabinet, Information Technology Executive Steering Committee, Deans) so they understand what is being done to address the incident and are apprised of status. The order and frequency of updates to these groups will be determined by the CIO depending on the incident.
All available information about the incident, including both information that has been confirmed and information that is suspected, will be provided to the response team. As new information is discovered, it will be provided to the response team as quickly as possible.
Daily conference calls to checkpoint progress and obstacles are tremendously helpful in keeping things moving and sharing information.
Size and severity (likelihood of fraud) of the incident may warrant different actions, i.e. whether credit monitoring is affordable and/or appropriate.
Track the amount of time that has passed between incident, discovery of incident, and notification of affected individuals. While none of these steps are necessarily long, each one of them adds to the number of days to notification.
If contracts need to be negotiated to provide services to the affected individuals, those negotiations should begin immediately. Check to see if previously negotiated contracts can be applied to the situation (especially for credit monitoring).
Depending on the number of individuals impacted, it can take some time to assemble mailing address information for large groups. Begin pulling this data immediately.
Identify the best location for mail merge and volume printing, envelope stuffing and metering of the mail.
Ensure that adequate letterhead and envelopes is available or ordered. Letter should come from the Vice President in charge of the area in which the incident occurred. Determine the type of envelopes (windowed vs. address labels) as this will affect printing and speed of envelope stuffing.
The cost of printing, letterhead, envelopes and credit monitoring will be covered by the area in which the incident occurred.
A percentage of the initial mailings will be returned as undeliverable so the number of deliveries to attempt and methods to pull additional delivery information should be identified.