Last Edit: 10/23/2017
Purpose
This document outlines the process for identifying, reporting, and responding to a data breach, system compromise, or other electronic security incident. CCIT is obligated and committed to compliance with University policy as well as city, state, and federal law. This policy provides guidance when sensitive information is acquired, accessed, used, or disclosed without authorization. Such data may be protected under FERPA, HIPAA, or GDPR.
Definition of a Breach/Compromise
Any unauthorized use or release of sensitive or confidential information from an on-premises system, or from any third-party hosted or cloud-based service, is considered a breach. Any acquisition, access, use, or disclosure of information beyond what is permitted under law and University policy is likewise considered a breach.
Examples of breaches include, but are not limited to, the release of sensitive or confidential information through:
- unencrypted email of any kind - LionMail, corporate, or personal email
- web-based document or file storage in which the files are not encrypted
- leaked passwords for privileged accounts
- any web server that allows unauthorized access to information - Apache, IIS, NGINX
Documentation
Any suspected or confirmed compromise of sensitive and/or confidential information should be documented as an incident in the CCIT Service Desk. Record the following information where known or applicable:
- Date the compromise was discovered
- System(s) affected
- Listing of the sensitive or confidential data involved in the compromise
- Source of the sensitive or confidential data
- System(s) in which the breach occurred
- Source system(s) the data may originally have come from (in some cases the data may have been user-entered)
- CCIT employee reporting the incident
- End user(s), if any, reporting the incident
- Department(s), if any, involved in the breach
All documentation created to log the incident, together with the analysis produced during the investigation, shall be collated into a final report, archived, and retained for five (5) years.
Containment and Analysis
Immediately upon discovery of a potential breach, take the following time-sensitive actions where appropriate:
- Determine whether the host can be removed from the network.
  - If possible, and with approval, remove it from public accessibility.
  - If it cannot be isolated, start a full capture of network activity to and from the host and collect all existing network logs so that ongoing activity can be monitored.
- Eliminate any unauthorized or attacker access to the compromised information.
- Preserve forensic information about the incident before the host is rebooted, patched, or rebuilt, since those actions destroy evidence:
  - CCIT Systems will work directly with the affected systems, or with those who have access to them, to collect all available data.
  - Capture disk images and copies of logs where possible, and record a cryptographic hash of each copy at the time it is taken.
This phase should focus on gathering system information and clues to the cause of the breach, stopping data leaks and/or attacker access, and determining the extent of the breach. Information to gather includes:
- Suspicious network and access logs
- How was the data accessed?
- Evidence that the data was actually accessed - when, and how often?
- Compromise time period - when did it first occur, and for how long?
- Methods used to breach the data
- If the incident appears to be a deliberate attack, the attacker's goals and motivation - was specific data targeted for a reason?
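The evidence-preservation steps above (copy logs or image a disk, hash each copy on acquisition, keep a custody record, re-verify later) as an added POSIX shell example. This is not part of the CCIT policy and does not describe CCIT tooling; the evidence directory, the manifest layout, the collector label, and the sample log line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the CCIT policy: preserve a copy of a log
# file or a block-device image with its hash recorded at acquisition
# time, so a later analyst can prove the evidence was not altered.
# EVIDENCE_DIR, the manifest name, and the manifest layout are assumptions.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/evidence}"
MANIFEST_NAME="chain_of_custody.txt"

# sha256 FILE -> prints the hex digest (GNU coreutils or BSD tool).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_evidence SRC NAME COLLECTOR
# Copies SRC (a file, or a block device such as /dev/sdb) to
# $EVIDENCE_DIR/NAME, then appends one manifest line:
#   <utc time>|<collector>|<source>|<copy>|<bytes>|<sha256>
# The hash is taken of the copy immediately after acquisition; that is
# the value any later analyst re-computes to show the image is unchanged.
# Prints the digest so the caller can record it in the incident ticket.
preserve_evidence() {
    src="$1"; name="$2"; collector="$3"
    mkdir -p "$EVIDENCE_DIR"
    dest="$EVIDENCE_DIR/$name"
    # conv=noerror keeps dd reading past unreadable sectors on a damaged
    # disk instead of aborting; bs=4096 is a portable block size.
    dd if="$src" of="$dest" bs=4096 conv=noerror 2>"$dest.dd.log"
    # Read-only so an analyst cannot overwrite the copy by accident.
    chmod 0440 "$dest"
    digest="$(sha256 "$dest")"
    bytes="$(wc -c <"$dest" | tr -d ' ')"
    stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s|%s|%s|%s|%s|%s\n' "$stamp" "$collector" "$src" "$dest" "$bytes" "$digest" \
        >>"$EVIDENCE_DIR/$MANIFEST_NAME"
    printf '%s\n' "$digest"
}

# verify_evidence: re-hashes every copy listed in the manifest.
# Returns 0 when all hashes still match; returns 1 and names each
# missing or modified copy otherwise.
verify_evidence() {
    status=0
    while IFS='|' read -r stamp collector src dest bytes digest; do
        if [ ! -f "$dest" ]; then
            printf 'MISSING: %s (acquired %s by %s)\n' "$dest" "$stamp" "$collector"
            status=1
            continue
        fi
        now="$(sha256 "$dest")"
        if [ "$now" != "$digest" ]; then
            printf 'MODIFIED: %s (acquired %s by %s)\n' "$dest" "$stamp" "$collector"
            status=1
        fi
    done <"$EVIDENCE_DIR/$MANIFEST_NAME"
    return "$status"
}

# Usage: sh preserve_evidence.sh SRC NAME COLLECTOR
#        e.g. sh preserve_evidence.sh /dev/sdb web01_sdb.img jdoe
#    or: sh preserve_evidence.sh verify
case "${1:-}" in
    verify) verify_evidence ;;
    "") ;;   # run without arguments: only define the functions above
    *) preserve_evidence "$1" "${2:?name}" "${3:?collector}" ;;
esac
```

Run the acquisition as root so a raw device can be read, and keep the manifest with the final incident report: a digest that no longer matches, or a copy that has gone missing, is itself something the investigation must explain.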
Procedure
Upon notification or discovery of a breach, take the following steps:
- Notify the Executive Director, Information Technology and Strategic Analytics with whatever initial information is available. The Executive Director will immediately notify the Associate Dean for Planning and Information Systems.
- If appropriate, and without destroying evidence, isolate and contain the compromised systems.
- Identify a primary investigator to handle information collection, documentation, and policy execution. This investigator is responsible for all research and for management of the investigation.
- Gather all information about the data involved in the potential breach and create documentation as described in the "Documentation" section of this policy.
- Begin an immediate investigation - determine what happened and when it may first have occurred. The investigation should protect any and all evidence discovered.
- Perform a risk assessment to determine the extent of the breach - how and where the data may have been accessed.
- Based on the investigation and risk assessment:
  - If a breach is deemed to have occurred:
    - The Executive Director, Information Technology and Strategic Analytics shall convene an emergency meeting with the primary investigator and the Associate Dean for Planning and Information Systems.
    - Notify CUIT, the appropriate University departments, and/or law enforcement if deemed necessary.
    - Advise the end user(s) and department(s) where the breach occurred on the communications and notifications to be sent to those affected.
    - Make recommendations for immediate corrections and improvements, if applicable, to the compromised systems.
  - If a breach is deemed not to have occurred, work with the end user(s) and/or department(s) involved to review information security best practices.
Definitions
- FERPA - Family Educational Rights and Privacy Act (USA) - protects certain private and confidential information in student education records, but does allow the release of "directory information"
- GDPR - General Data Protection Regulation (European Union)
- HIPAA - Health Insurance Portability and Accountability Act (USA)
- PHI - Protected Health Information - any health-related information that can be linked to an identifiable individual
- PII - Personally Identifiable Information - any data that can be used to directly identify an individual, for example:
  - Social Security Number (SSN)
  - Driver's license (DMV) ID number
  - Financial account information - bank account, credit card, and other account identification numbers
References
- CUIT Policy - http://policylibrary.columbia.edu/files/policylib/imce_shared/ecurity_Breach_Reporting_and_Response_Policy_0.pdf
- Educause - Data Breach - https://library.educause.edu/topics/policy-and-law/data-breach
- Family Educational Rights and Privacy Act (FERPA) - https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Internet2 Breach Checklist - https://spaces.internet2.edu/display/2014infosecurityguide/Incident+Checklist