Formerly Known As Policy Number: 67
This Guide Memo describes the procedures to be followed when a computer security incident is discovered to have occurred involving an Academic or Administrative Computing System operated by Stanford University, its faculty, students, employees, consultants, vendors or others operating such systems on behalf of Stanford. It also describes the procedures to be followed when Prohibited or Restricted Information residing on any computing or information storage device is, or may have been, inappropriately accessed, whether or not such device is owned by Stanford. This policy outlines the procedures for decision making regarding emergency actions taken for the protection of Stanford's information resources from accidental or intentional unauthorized access, disclosure or damage.
Applicability: This policy is applicable to all University students, faculty, staff, and to all others granted use or custodianship of Stanford University information resources ("University Community").
The purpose of information security incident response is to:
Stanford recognizes the need to follow established procedures to address situations that could indicate the security of the University's information assets may have been compromised. Such procedures include ensuring the appropriate level of University management becomes involved in the determination of actions implemented in response to an information technology security incident.
A standard University-wide approach to information security is important in order to protect the security of Stanford's intellectual capital and to ensure that Information Security Incidents are handled properly, effectively and in a manner that minimizes the adverse impact to the University. Every user of any of Stanford's information resources has responsibility toward the protection of the University's information assets; certain offices and individuals have very specific responsibilities.
Any application, or information system, that directly or indirectly deals with or supports the University's primary mission of teaching, learning and research.
Any application, or information system, that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the University (as defined in Guide Memo 6.7.1: Administrative Computing Systems).
An Electronic Information Security Incident is defined as any real or suspected adverse event in relation to the security of computer systems, computer networks, electronic Prohibited Information or electronic Restricted Information. Examples of incidents include:
An Electronic Information Security Incident or a Non-electronic Information Security Incident.
Real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.
Information defined as Prohibited.
Information defined as Restricted.
A member of the University Community who becomes aware of an Information Security Incident should immediately:
When an Information Security Incident is reported, the University’s Chief Information Security Officer (CISO) will do the following:
Based on information provided by the CISO and in consultation with the Office of the General Counsel, the University’s Privacy Officer will convene an Information Security Incident Response Team (ISIRT) to develop an appropriate Information Security Incident Response Plan (Plan). Depending on the circumstances of each situation, the Privacy Officer shall include in the ISIRT representatives of some or all of the following offices:
The ISIRT, led by the University Privacy Officer, will develop and execute communication and other action plans to ensure:
In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of the University and others impacted by the incident.
The University Privacy Officer will also be responsible for documenting the deliberations and decisions of the ISIRT as well as all actions taken pursuant to ISIRT deliberations.
The Information Security Office, jointly with the Internal Audit Department, will be responsible for writing a final report on the incident and the ensuing investigation (Report), which summarizes findings regarding the Information Security Incident and, if appropriate, makes recommendations for improvement of related information security practices and controls. The Report will be distributed to the Vice President for Business Affairs and CFO, and other appropriate University office(s), if any.
Specific guidelines, procedures, standards, and best practices for secure computing can be found at: http://securecomputing.stanford.edu. Additional information can be found at:
Guide Memo 6.1.1, Administrative Computing Systems
Guide Memo 6.2.1, Computer and Network Usage Policy
Guide Memo 6.3.1, Information Security