To define the circumstances under which the University shall provide notice regarding a breach in security of college information.
Suspected or confirmed information security breaches must be reported immediately to the University's Chief Information Officer. A breach is defined as unauthorized access of University information.
UTS will investigate all reports of security breaches of electronic private and/or highly sensitive information. Potential information breaches will be reported to the Information Security Officer, who will coordinate the University's investigation and keep the CIO informed. Based on the results of the University's investigation, internal and/or external parties may be notified, as necessary and appropriate.
NB: This document outlines the procedures that Worcester State University will follow in the event that data is lost or accessed in an unauthorized fashion. Note that removable media (such as flash drives, CDs/DVDs), laptops, and smartphones represent significant vulnerabilities for individuals and the institution, which is why users are encouraged to store sensitive data encrypted in a secure network location, or in an encrypted form on local media.
Upon notification of a suspected breach of information, University Technology Services will:
- Report the breach to the CIO
- Block or deny the escalation of the breach, when possible
- Follow communication instructions as determined by the CIO
- Repair any and all damage associated with the information breach
- Implement processes and procedures to prevent similar breaches from occurring in the future
- The CIO, in conjunction with the ISO, will report all suspected cases of significant information breaches to the University's President
- Working in coordination with the University's President and Cabinet, UTS will establish an appropriate response strategy
- Based on the results of Information Technologies' investigation of the information breach, the CIO in conjunction with the ISO will report the breach to the appropriate student judicial body and/or University counsel, depending on whether criminal activity has taken place.
External notification will be based on the following considerations:
- Has unencrypted private or sensitive information been compromised?
- Has a physical device that contains unencrypted private or sensitive information been lost or stolen?
- Is there evidence that unencrypted private or sensitive information has been copied or removed?
- Is there evidence that the intrusion was intended to acquire unencrypted private or sensitive information?
- The applicability of University policies, local, state, and federal laws
Based on the considerations above, the University's President and Counsel will determine if external notification will be required in the event of an information breach.
Private Information includes a name (first and last name, or first initial and last name) in combination with:
- Social Security number
- Driver license number
- Bank account, credit, or debit card account number
Public information, such as address, telephone number, and email address, is not considered private information.
Highly Sensitive Information includes:
- Name, address, date of birth
- Information protected by FERPA, HIPAA, and other local, state, and federal regulations
- Security codes, combinations, passwords
- Research data/results prior to publication, patent application, or board review
- Information subject to contractual confidentiality and non-disclosure provisions
Approved By: Managers and CIO
Date of Origination: 4/2/2008
Last Review: 5/1/2012