Definition and Purpose
An information system or data security incident is one that threatens or compromises confidentiality, integrity or availability of College information technology assets. A credit card data security incident is one that is defined as a suspected or confirmed compromise to a system or network where cardholder data (including physical files such as paper files) is collected, processed or transmitted. While such incidents may vary in severity and scope, the handling and response to such incidents must be managed appropriately in order to best preserve the College’s reputation as well as all personal or institutional information assets that reside under the College’s control.
Policy for Colby Student Employees, Faculty, and Staff
Upon discovery or suspicion of a past, present or potential information system, data, or credit card data security incident:
- Immediately contact a member of the ITS Support Center X4222 and send an email documenting the incident to firstname.lastname@example.org.
- Email documentation needs to include date, time, merchant (business involved), and a description of the incident.
- If reporting a suspected credit card data security incident, ask the Support Staff member who answers to “please create a PCI incident ticket”.
- If the suspected incident might endanger any Colby sensitive information or involves a computer device used to process card holder data:
  - Do not turn off the computer or any attached devices. In order to preserve evidence, the computer device should remain powered on and no one should use the system until instructed otherwise by an Information Technology Services member.
  - Disconnect the network cable connecting the device to the network jack.
Policy for Information Technology Services (ITS)
Information system, data security, or credit card data security incidents require the full participation of Information Technology Services, Financial Services, the affected merchant, and leadership to properly manage the outcome. All threats or incidents reported by members of the campus community to ITS or discovered by ITS personnel must be brought to the attention of the Chief Information Officer and the Director of Information Security, who will ensure that appropriate leadership and technical resources are employed, when necessary, to:
- Review the incident or threat and classify its severity.
- Assess the extent of damage or potential for it.
- Identify the existing and/or potential vulnerability created and the individuals and/or systems involved.
- Communicate with relevant groups or personnel to arrive at and, if necessary, execute a mitigation plan.
- If appropriate, communicate through the leadership chain with appropriate local, state and federal law enforcement agencies and, on approval by leadership, with the CERT/Homeland Security.
- Communicate through the leadership chain with legal counsel when notification of the payment brands may be necessary:
  - American Express Data Security Operating Policy
  - MasterCard Account Data Compromise User Guide
  - Visa – What to do if compromised
Incident Communication and Follow-Up
If an incident requires additional attention following its initial report and classification, the Director of Information Security will work with all relevant personnel within Information Technology Services to fully evaluate the incident and any mitigating factors as well as determine if the incident warrants a formal response from higher levels of the Administration. Communication surrounding an incident should provide the following information to any and all relevant individuals or groups:
- Host(s) involved (systems and/or individuals)
- Timeline of events (or best estimate)
- Technical details (logs, timestamps, filename(s), etc.)
- Assessment of potential for exposure of data, sensitive or otherwise
- Notification requirements (state and federal) based upon data elements involved (SSN/PII)
- The nature and/or extent of sensitive data, if applicable
- Steps to re-secure the host(s) involved and return to service
- Restoration of system backups, if required, is to be completed by ITS
- Mitigation measures to prevent future incidents, such as system (server, service, network, firewall) changes or additional monitoring of network traffic
Related policy or procedural changes or considerations
ITS will employ an internal tracking system to facilitate and archive communication, including the preceding elements, surrounding an incident. Any outages of IT services (including servers and networks) associated with an incident will be tracked in separate tickets as required by the ITS Outage and Event management procedures.
If an incident requires a formal response, the Director of Information Security will assist in coordinating the response with the Chief Information Officer and related members of the College administration. Such coordination will at a minimum include an incident summary involving the aspects listed above.
Any mitigating factors surrounding or resulting from an incident will be tracked and monitored by the Director of Information Security and relevant ITS personnel.