500 Security Operations

501: Risk Assessment

Information Security Manual
Section 500: Security Operations
Effective: 01/11/2010

Purpose

The purpose of this section is to articulate how OSU will conduct risk assessment by first proactive and then reactive means.

Procedure

The proactive component of risk assessment will be the actual categorization of Information Systems and specifically the identification of Protected Information Assets.  As discussed in section 200 of this manual, Protected Information Assets will be those assets which the university has an obligation to protect and will be identified by the appropriate Records Custodian and will have handling instructions/baseline security measures defined.  This will ensure that critical elements are identified and appropriate security measures defined to protect them.

The reactive component of risk assessment will be a periodic review of information security incidents.  The Chief Information Security Officer will periodically review the tracked information security incidents and will identify problem areas to be addressed in an Annual Information Security report to the Chief Information Officer.

502: Incident Response and Escalation

Information Security Manual
Section 500: Security Operations
Effective: 01/11/2010

Purpose

The purpose of documenting this procedure in the Information Security Manual is to clarify and formalize Security Operations and Procedures in the event of Information Security incidents.

Scope

The scope of these procedures is limited to Information Security Incidents.  Incidents overlapping with physical security, personnel action, or student conduct will be handled in accordance with established protocols and procedures; however, the CISO will be apprised to ensure that Information Security specific aspects of any incident are addressed.

Procedure

In compliance with RFC 2142, OSU maintains appropriate Email aliases for the reporting of various activities originating from hosts on OSU’s network.  The abuse@oregonstate.edu alias in particular is widely accepted across the internet, and specifically identified by OSU in our network registration, as the appropriate alias to notify when a breach is suspected or other Information Security Incidents are detected.  Network Engineering will maintain this Email alias; respond to and track all reports of Information Security Incidents; and will ask that responsible parties verify whether or not Personal Information, Protected Information, or Sensitive Information was involved.

In the case where Personal Information or Protected Information is involved, these incidents will be initially escalated to the attention of the Chief Information Security Officer, who will create an incident response report.

Information Security Incidents involving Personal Information will be reviewed by legal counsel to ensure appropriate responses are taken in accordance with Oregon law, and a copy of the report will be shared with the appropriate Records Custodian(s), the University Provost, the Oregon University System Vice Chancellor for Finance and Administration, the Oregon University System Internal Audit Division, and University News and Communications Services as appropriate to deal with media implications.

Information Security Incidents involving Protected Information will be reviewed by the appropriate Records Custodian(s), and a copy of the incident report will be shared as deemed appropriate by the Records Custodian(s).

Information Security Incidents involving Sensitive Information will be logged and noted in the annual Information Security Report.