Incident Response Plan

Policy Statement

This policy describes the procedures to be followed when a computer security incident occurs involving an Academic or Administrative Computing System operated by Emerson College, its faculty, students, employees, consultants, vendors or others operating such systems on behalf of Emerson. It also describes the procedures to be followed when High Risk or Moderate Risk Data residing on any computing or information storage device or system is, or may have been, inappropriately accessed, whether or not such device is owned by Emerson. This policy outlines the procedures for decision making regarding emergency actions taken for the protection of Emerson’s information resources from accidental or intentional unauthorized access, disclosure or damage.

This policy is applicable to all College faculty, staff, students, and to all other third parties granted use of Emerson College’s information resources (collectively called the “College Community”).

Reason for Policy

The purpose of information security incident response is to:

a. mitigate the effects caused by such an incident,
b. protect the information resources of the College from future unauthorized access, use or damage,
c. ensure that Emerson fulfills all of its obligations under College policy, and federal and state laws and regulations with respect to such incident.

Emerson recognizes the need to follow established procedures to address situations that could indicate the security of the College's information assets may have been compromised. Such procedures include ensuring the appropriate level of College management becomes involved in the determination of actions implemented in response to an information technology security incident.

A College-wide approach to information security is important in order to protect the security of Emerson's intellectual capital and to ensure that information security incidents are handled properly, effectively and in a manner that complies with law and minimizes the adverse impact to the College. Every user of any of Emerson's information resources has a responsibility toward the protection of the College's information assets; certain offices and individuals have very specific responsibilities.

Definitions

a. Academic Computing System
Any application, or information system, that directly or indirectly deals with or supports the College's primary mission of teaching, learning and research.

b. Administrative Computing System
Any application, or information system, that directly or indirectly deals with or supports financial, administrative, or other information that is an integral part of running the business of the College.

c. Electronic Information Security Incident
An Electronic Information Security Incident is defined as any real or suspected adverse event in relation to the security of computer systems, computer networks, electronic High Risk Data or electronic Moderate Risk Data. Examples of incidents include:

  • Attempts (either failed or successful) to gain unauthorized access to a system or its data.
  • Theft or other loss of a laptop, desktop, or any electronic device that contains High or Moderate Risk Data, whether or not such device is owned by Emerson.
  • Unwanted disruption or denial of service.
  • The unauthorized use of a system for the processing or storage of data.
  • Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.

d. Information Security Incident
An Electronic Information Security Incident or a Non-electronic Information Security Incident.

e. Non-electronic Information Security Incident
Real or suspected theft, loss or other inappropriate access of physical content, such as printed documents and files.

f. High Risk Data
Information defined as High Risk from the Data Classification, Access, Transmittal and Storage Guideline.

g. Moderate Risk Data
Information defined as Moderate Risk from the Data Classification, Access, Transmittal and Storage Guideline.

Statement of Policy

1. Notification

A member of the College Community who becomes aware of an Information Security Incident should immediately:

a. Disconnect the compromised system and equipment from Emerson's network (both wired and wireless) or arrange for its disconnection.

b. Avoid making any updates or other modifications to software, data, or equipment involved or suspected of involvement with an Information Security Incident until after the Information Security Officer and/or the Information Security Incident Response Team has completed its investigation and authorizes such activity.

c. Contact the Emerson IT Help Desk at http://it.emerson.edu/help or by calling (617) 824-8080. If the IT Help Desk is closed, contact the Emerson College Police Department (ECPD) Emergency Line, (617) 824-8888, which is staffed 24/7. IT will maintain, at the ECPD dispatch desk, a list of IT employees whom ECPD can contact 24/7 in the event an Information Security Incident is reported to ECPD.

2. Investigation

When an Information Security Incident is reported, the Information Security Officer (ISO) will do the following:

a. The ISO will investigate the Information Security Incident. In order to minimize the impact of the Information Security Incident on the College and in order to complete a proper investigation, the ISO has the authority to restrict information system access or operations to protect against unauthorized information disclosures. In order to complete the investigation, the ISO may convene a preliminary fact-finding working group comprised of relevant business and technical personnel.

b. If the ISO concludes that there is a possibility of unauthorized access to Restricted or Confidential Information, or other sensitive information, the ISO will convene an Information Security Incident Response Team.

c. If the ISO concludes that applicable federal or state laws or regulations may have been violated, the ISO will notify the Office of the General Counsel, which will, in turn, advise the College of its obligations to notify law enforcement and agencies.

d. If appropriate, the ISO will notify offices of the Vice Presidents and Deans with responsibility for areas affected by the Information Security Incident.

e. If the ISO determines that an employee may not have carried out their assigned tasks as instructed or in accordance with College rules and policies, the ISO will notify the employee’s manager and/or the Vice President of the department. If the College opens an investigation into the situation, the ISO will cooperate with the employee’s manager and/or Emerson’s Human Resources Department in its investigation of the incident to determine appropriate corrective or disciplinary action, if any.

3. Information Security Incident Response Team (ISIRT)

Based on information provided by the ISO and in consultation with the Office of the General Counsel, the ISO will convene an Information Security Incident Response Team (ISIRT) to develop an appropriate Information Security Incident Response Plan (Plan). Depending on the circumstances of each situation, the ISO shall include in the ISIRT representatives of some or all of the following offices:

  • IT Infrastructure
  • The Vice President and General Counsel or the Associate General Counsel
  • The Vice President for Communications and Marketing
  • Office of Administration and Finance
  • IT User Services
  • Enterprise Systems
  • Office of Library Services and Archives
  • Departments or schools directly affected by the Information Security Incident (including both the appropriate business and technical personnel)
  • Other constituencies, as appropriate.

The ISIRT, led by the ISO, will develop and execute communication and other action plans to ensure:

a. Appropriate action is taken in a timely manner, including reporting, notification and other communication of the Information Security Incident, as required by the Emerson College Written Information Security Policy, by law or otherwise deemed appropriate. If the Office of the General Counsel requires such reports, notification, and other communication in order to give legal advice to the College on the Information Security Incident, then all such reports, notification, and other communication shall be designated “PRIVILEGED AND CONFIDENTIAL: ATTORNEY-CLIENT COMMUNICATION/ATTORNEY WORK PRODUCT.”

b. Appropriate progress reports, subject to attorney-client privilege/attorney work product protection as the College designates, are made on the Information Security Incident and execution of the Plan, including to:

  • The President
  • Other impacted constituencies, as warranted by the situation

In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to comply with law and protect the fundamental interests of the College and others impacted by the incident.

The Information Security Officer will also be responsible for documenting the deliberations and decisions of the ISIRT as well as all actions taken pursuant to ISIRT deliberations, subject to attorney-client privilege/attorney work product protection as the College designates.

4. Report Preparation

The Information Security Officer will be responsible for writing a final report on the incident and the ensuing investigation (Report), subject to attorney-client privilege/attorney work product protection as the College designates, which summarizes findings regarding the Information Security Incident and, if appropriate, makes recommendations for improvement of related information security practices and controls. The ISO will distribute the Report to the President and other appropriate College office(s).