500 Security Operations

501: Risk Assessment

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this section is to articulate how OSU will conduct risk assessment by first proactive and then reactive means.

Procedure

The proactive component will consist of regular risk assessments, conducted by the Office of Information Security, by Internal Audit, or by an agent acting on their behalf, on systems declared critical by the University or on systems that house or process Protected or Sensitive Information. This will ensure that data elements identified as Protected or Sensitive have the appropriate security measures in place to protect them.

The reactive component of risk assessment will be a periodic review of information security incidents. The Chief Information Security Officer will periodically review the tracked information security incidents and will identify problem areas to be addressed in an Annual Information Security report to the Chief Information Officer.

502: Incident Response and Escalation

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010

Purpose

The purpose of documenting this procedure in the Information Security Manual is to clarify and formalize Security Operations and Procedures in the event of Information Security incidents.

Scope

The scope of these procedures is limited to Information Security Incidents. Incidents overlapping with physical security, personnel action, or student conduct will be handled in accordance with established protocols and procedures; however, the CISO will be apprised to ensure that the Information Security specific aspects of any incident are addressed.

Procedure

In compliance with RFC2142, OSU maintains appropriate Email aliases for the reporting of various activities originating from hosts on OSU’s network. The abuse@oregonstate.edu alias in particular is widely accepted across the internet, and specifically identified by OSU in our network registration, as the appropriate alias to notify when a breach is suspected or other Information Security Incidents are detected. Network Engineering will maintain this Email alias; respond to and track all reports of Information Security Incidents; and will ask that responsible parties verify whether or not Personal Information, Protected Information, or Sensitive Information was involved.

In the case where Personal Information or Protected Information is involved, these incidents will be initially escalated to the attention of the Chief Information Security Officer, who will create an incident response report.

Information Security Incidents involving Personal Information will be reviewed by legal counsel to ensure appropriate responses are taken in accordance with Oregon law, and a copy of the report will be shared with the appropriate Records Custodian(s), the University Provost, the Oregon University System Vice Chancellor for Finance and Administration, the Oregon University System Internal Audit Division, and University News and Communications Services as appropriate to deal with media implications.

Information Security Incidents involving Protected Information will be reviewed by the appropriate Records Custodian(s), with a copy of the incident report to be shared as deemed appropriate by the Records Custodian(s).

Information Security Incidents involving Sensitive Information will be logged and noted in the annual Information Security Report.