6.6.1 Information Security Incident Response
Formerly Known As Policy Number: 67
This Guide Memo describes the procedures to be followed when a computer security incident is discovered to have occurred involving an Academic or Administrative Computing System operated by Stanford University, its faculty, students, employees, consultants, vendors or others operating such systems on behalf of Stanford. It also describes the procedures to be followed when Prohibited or Restricted Information residing on any computing or information storage device is, or may have been, inappropriately accessed, whether or not such device is owned by Stanford. This policy outlines the procedures for decision making regarding emergency actions taken for the protection of Stanford's information resources from accidental or intentional unauthorized access, disclosure or damage.
Applicability: This policy is applicable to all University students, faculty, staff, and to all others granted use or custodianship of Stanford University information resources ("University Community").
The purpose of information security incident response is to:
- mitigate the effects caused by such an incident,
- protect the information resources of the University from future unauthorized access, use or damage, and
- ensure that Stanford fulfills all of its obligations under University policy, and federal and state laws and regulations with respect to such incident.
Stanford recognizes the need to follow established procedures to address situations that could indicate the security of the University's information assets may have been compromised. Such procedures include ensuring the appropriate level of University management becomes involved in the determination of actions implemented in response to an information technology security incident.
A standard University-wide approach to information security is important in order to protect the security of Stanford's intellectual capital and to ensure that Information Security Incidents are handled properly, effectively and in a manner that minimizes the adverse impact to the University. Every user of any of Stanford's information resources has responsibility toward the protection of the University's information assets; certain offices and individuals have very specific responsibilities.
a. Academic Computing System
Any application, or information system, that directly or indirectly deals with or supports the University's primary mission of teaching, learning and research.
b. Administrative Computing System
Any application, or information system, that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the University (as defined in Guide Memo 6.7.1: Administrative Computing Systems).
c. Electronic Information Security Incident
An Electronic Information Security Incident is defined as any real or suspected adverse event in relation to the security of computer systems, computer networks, electronic Prohibited information or electronic Restricted Information. Examples of incidents include:
- Attempts (either failed or successful) to gain unauthorized access to a system or its data.
- Theft or other loss of a laptop, desktop, PDA, or other device that contains Prohibited or Restricted Information, whether or not such device is owned by Stanford.
- Unwanted disruption or denial of service.
- The unauthorized use of a system for the processing or storage of data.
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
d. Information Security Incident
An Electronic Information Security Incident or a Non-electronic Information Security Incident.
e. Non-electronic Information Security Incident
Real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.
f. Prohibited Information
Information defined as Prohibited.
g. Restricted Information
Information defined as Restricted.
A member of the University Community who becomes aware of an Information Security Incident should immediately:
- Disconnect the compromised system and equipment from Stanford's network.
- Avoid making any updates or other modifications to software, data, or equipment involved or suspected of involvement with an Information Security Incident until after the Information Security Office has completed its investigation and authorizes such activity.
- Contact the University's Information Security Office via HelpSU or by calling (650) 723-2911.
When an Information Security Incident is reported, the University’s Chief Information Security Officer (CISO) will do the following:
- The CISO will investigate the Information Security Incident. In order to minimize the impact of the Information Security Incident on the University and in order to complete a proper investigation, the CISO has the authority to restrict information system access or operations to protect against unauthorized information disclosures. In order to complete the investigation, the CISO may convene a preliminary fact-finding working group comprised of relevant business and technical personnel.
- If the CISO concludes that applicable federal or state laws or regulations may have been violated, the CISO will notify the Office of the General Counsel, which will, in turn, notify law enforcement agencies if appropriate.
- If the CISO concludes that there is a possibility of unauthorized access to Restricted or Prohibited Information, or other sensitive information, the CISO will notify the University Privacy Officer, who will convene an Information Security Incident Response Team.
- If appropriate, the CISO will notify offices of the Deans, Vice Provosts and Vice Presidents with responsibility for areas affected by the Information Security Incident.
- If the CISO determines that an employee may not have carried out their assigned tasks as instructed or in accordance with University rules and policies, the CISO will notify the employee’s manager and the Vice President for Business Affairs and CFO. If the University opens an investigation into the situation, the CISO will cooperate with the employee’s manager and/or Stanford’s Human Resources Group in its investigation of the incident to determine appropriate corrective or disciplinary action, if any. The office conducting the investigation and making the recommendation will complete and submit to the appropriate parties all supporting documentation related to the investigation and recommended action.
5. Information Security Incident Response Team
Based on information provided by the CISO and in consultation with the Office of the General Counsel, the University’s Privacy Officer will convene an Information Security Incident Response Team (ISIRT) to develop an appropriate Information Security Incident Response Plan (Plan). Depending on the circumstances of each situation, the Privacy Officer shall include in the ISIRT representatives of some or all of the following offices:
- Information Security Office
- Office of the General Counsel
- Internal Audit and Institutional Compliance Department
- Office of the Vice President for Public Affairs
- Administrative Systems
- IT Services
- Departments or schools directly affected by the Information Security Incident (including both the appropriate business and technical personnel)
- Other constituencies, as appropriate.
The ISIRT, led by the University Privacy Officer, will develop and execute communication and other action plans to ensure:
- Appropriate action is taken in a timely manner, including reporting, notification and other communication of the Information Security Incident, as required by law or otherwise deemed appropriate.
- Appropriate progress reports are made on the Information Security Incident and execution of the Plan, including to:
- Office of the President and Provost
- Board of Trustees
- Alumni Association
- Office of Student Affairs
- Office of Development
- Other impacted constituencies, as warranted by the situation
In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of the University and others impacted by the incident.
The University Privacy Officer will also be responsible for documenting the deliberations and decisions of the ISIRT as well as all actions taken pursuant to ISIRT deliberations.
6. Report Preparation
The Information Security Office, jointly with the Internal Audit Department, will be responsible for writing a final report on the incident and the ensuing investigation (Report), which summarizes findings regarding the Information Security Incident and, if appropriate, makes recommendations for improvement of related information security practices and controls. The Report will be distributed to the Vice President for Business Affairs and CFO, and other appropriate University office(s), if any.
7. Additional Information
Specific guidelines, procedures, standards, and best practices for secure computing can be found at: http://securecomputing.stanford.edu.Additional information can be found at:
Guide Memo 6.1.1: Administrative Computing Systems
Guide Memo 6.2.1, Computer and Network Usage Policy
Guide Memo 6.3.1, Information Security