Security incident response standard
Purpose
This standard outlines the process for notification of and response to an information security incident involving data processed, stored, or transmitted by the University.
Scope
Where a security incident, as defined in the Definitions section of this standard, involving data processed, stored, or transmitted by the University is suspected, University employees, faculty, students, or other individuals must report the suspected incident to the Office of Information Technology (OIT) Information Security Office (ISO) via the ISO website, Report Information Security Incidents.
Standard
Security Incident Identification & Reporting. An information security incident is an event that poses a threat to the integrity, availability, or confidentiality of an IT system. Incidents must be reported immediately to the Information Security Office (ISO) upon discovery.
Security Incident Investigation, Classification and Response. Upon notification of a suspected information security incident, the ISO will immediately deploy the processes outlined within the Ohio University Information Security Incident Response document. The ISO or designee will act as the Incident Response Manager (IRM) for all reported cyber incidents. The ISO, with the assistance of the reporting operating unit or college, will coordinate all aspects of the incident response process. In accordance with the Ohio University Information Security Incident Response document, the ISO will conduct the investigation and work with the reporting operating unit or college to identify the class and severity of the incident. As deemed appropriate by the incident classification (High, Medium, or Low), the ISO will coordinate with the Critical Incident Response Team (CIRT), OHIO Breach Response Committee, and other stakeholders as necessary to determine the actionable response to the incident.
Security Breach Notification Protocol. If, upon investigation, it is determined that a security breach involving notice-triggering information has occurred, the Chief Information Security Officer (CISO) or their designee will respond in accordance with the Data Breach Response Standard and the corresponding Notification of a Data Security Breach Administrative Procedure.
Responsibilities
The following University roles and administrative departments act as University Authorities, that is, those who are authorized to make requests and decisions regarding information security incident response at OHIO:
All Individuals. Report suspected information security incidents or unauthorized disclosures of private data to University Information Security at security@ohio.edu.
Chief Information Officer (CIO). Empowered to respond to IT security incidents by Board of Trustees Resolution "Regarding the Leadership, Responsibility, and Security of OHIO's Information Technology Infrastructure".
Chief Information Security Officer (CISO). Delegated authority by CIO to decide whether to activate CIRT.
OHIO Critical Incident Response Team (CIRT). A broad range of University stakeholders (see University Policy 44.100).
University Legal Counsel. Any law enforcement/legal actions, questions about information disclosure, and legal aspects of the investigation.
University President. Personnel actions for staff and faculty.
Executive Vice President and Provost. Personnel actions for faculty.
Vice President of Human Resources. Personnel actions for staff.
University Office of Internal Audit and Compliance. Data integrity of critical University data, compliance with University procedures, fraud investigations, compliance with laws, and privacy matters.
University Risk Management. Alert regarding significant incidents and/or incidents involving critical data, coordinate with IUC-Risk Management & Insurance, compliance with insurance reporting requirements.
Division of Student Affairs/Student Conduct. Offenses by OHIO students.
Ohio University Police Department. Criminal matters.
Departmental Leadership. Engaged as applicable in coordination with designated University Data Stewards for regulatory compliance acts such as FERPA, HIPAA, PCI-DSS, etc.
NOTE: Requests from local, state, or federal law enforcement officials do not necessarily constitute proper authority. All requests from these agencies must first be made to University Counsel before contacting any university departmental personnel.
Definitions
Security Incident: Anything that indicates a threat to computer systems or university data. Examples include but are not limited to: unauthorized use of university computers; login attempts (successful or not) to gain access to someone else's account; improper or unauthorized use of sensitive data; and anything that diminishes the confidentiality, integrity or availability of university data or OHIO systems. Here, confidentiality refers to measures taken to ensure privacy; integrity refers to accuracy, consistency, and trustworthiness of data; and availability refers to the accessibility of systems when needed.
Event: An event is an exception to the normal operation of OHIO systems, infrastructure or services. Not all events become incidents.
Confidentiality: The requirement and need for preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: The necessity of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
Availability: The requirement to ensure timely and reliable access to and use of information.
Security Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information stored, processed, or transmitted by Ohio University.
Notice-triggering information: Specific items of personal information identified in Ohio Revised Code Chapter 1347.12 Agency disclosure of security breach of computerized personal information data. This information includes an individual's name in combination with social security number, driver's license / state issued identification card number, health insurance information, medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
References
Policy 93.001 Data Classification
Policy 91.003 Acceptable Usage
Policy 91.005 Information Security
Ohio Revised Code Chapter 1347.12 Agency disclosure of security breach of computerized personal information data
Security Incident Report Form
Ohio University Information Security Incident Response
Data Breach Response Standard
Administrative Procedure Notification of a Data Security Breach
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Governance
This standard will be reviewed and approved by the University Information Security Office as deemed appropriate based on fluctuations in the technology landscape and/or changes to established regulatory requirements.
Reviewers
- Audit Risk & Compliance: Josh Gonzalez, Chief Privacy Officer
- Audit Risk & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
- Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
- Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
- Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
- Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
- Finance: Julie Allison, Associate Vice President, Finance
- Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
- Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
- Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education
History
Draft versions of this policy were circulated for review and approved on September 24, 2021.
Draft revisions to this policy were circulated for review and approved on May 16, 2025.