DATA SECURITY BREACH OR LOSS OF CONFIDENTIAL OR PRIVATE INFORMATION
Information Security Response Team
- For any event involving a possible data security breach or loss of student, faculty or staff confidential or private information, immediately notify the Information Security Response Team for evaluation. This group consists of:
Director of UIS (3468)
General Counsel (3283)
Director of Human Resources (3398)
Registrar (3207)
Executive Director of Communications (3478)
Responsible User
- Notify a member of the response team of the perceived loss of data, communicating the general nature of the event, date and time of the occurrence, information perceived to be lost or stolen and the storage device associated with the loss. Leave contact information (if off-campus during the occurrence).
- Identify any missing hardware or software associated with the data loss.
- Immediately complete and submit the form titled Confidential Information-Data Loss or Breach of Security Incident Notification Report accessed from http://www.shawnee.edu/off/uis/information_security/report_loss.html.
Information Security Response Team Member
- The Information Security Response Team member contacted by the Responsible User should submit a communication to the Information Security Response Team distribution list to ensure each member is aware of the event disclosure. Immediately contact the Director of UIS to communicate a suspected breach in security and the ability to organize and meet in person. If the UIS Director is not available, convene the Information Security Response Team to review and evaluate the communicated event.
- Meet with other Information Security Response Team members to determine if notification to impacted individuals is necessary. Decision criteria include:
1. A confirmation that confidential or private data was lost or stolen.
2. An interpretation by General Counsel in terms of applicable laws.
3. An analysis of data in scope of event and qualification of whether data is usable if accessed, i.e. unencrypted or non-redacted.
4. A reasonable belief that data in question was or can be acquired by unauthorized individuals for misuse.
- Communicate to other emergency response constituents, i.e. Cabinet, Security, Facilities, regarding developments, issues, actions taken and path forward, in accordance with the broader Emergency Response plan.
- Enforce necessary campus policies and procedures to limit exposure of loss.
Director of UIS
- Upon notification of a suspected breach in data security, review the information submitted by the Responsible User or Information Security Response Team member contacted. Alert the Information Security Response Team of the suspected loss of data, providing a preliminary assessment of the event based on known information.
- Convene the Information Security Response Team to review and evaluate the communicated event.
- Enforce necessary technical procedures to limit exposure of loss.
- Secure evidence for analysis by state and local authorities if necessary.
Executive Director of Communications
- Develop a notification plan based on action steps recommended by the Information Security Response Team. This potentially includes but is not limited to:
  - Communication to campus
  - Written notifications to individuals impacted
  - Dedicated telephone assistance and critical contact information via Help Lines
  - Dedicated web site communications
  - Press releases to public
  - Credit file monitoring and expenses of impacted individuals
  - Legal requirements and campus policies
  - Managing news media
