Scope
This policy covers all computer systems, network devices, and any additional systems and outputs containing or transmitting Aurora University (AU) data.
Purpose
The purpose of this policy is to provide a process to report suspected thefts involving data, data breaches or exposures (including unauthorized access, use, or disclosure) to appropriate individuals; and to outline the response to a confirmed theft, data breach or exposure based on the type of data involved.
Aurora University Data
AU public data is defined as information that a user has a reasonable basis to believe is lawfully made available to the general public from:
(i) Federal, State, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public required to be made by Federal, State, or local law.
AU private data is defined as private information (e.g., Social Security Number, birth date, credit card numbers) that can only be released to the subject (i.e., owner) of the information and to those within the University who have a legitimate need-to-know, outside agencies or departments with the subject’s written permission, and others as allowed by law.
Policy
Reporting of suspected thefts, data breaches or exposures
Any individual who suspects that a theft, breach or exposure of AU data has occurred must immediately provide a description of what occurred to the Chief Information Officer via e-mail at itshelp@aurora.edu or by calling 630-844-5790. This e-mail address and phone number are monitored by AU’s information security resources. The University’s information security resources will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the information security team will follow the appropriate procedure depending on the nature of the data involved.
The following flowchart specifies the steps to be taken upon notification of a data breach:
Questions about this Policy
If you have questions about this policy, please contact the Chief Information Officer at itshelp@aurora.edu or 630-844-5790.
Policy Adherence
Failure to follow this policy can result in disciplinary action as provided in the appropriate employment handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Appendix
For any data breaches, exposures, or thefts involving information listed below, a representative from the listed areas will be included on the response team:
Data Type | Areas or individuals to be additionally included on response team
Financial information, including but not limited to credit card numbers, bank account numbers, investment information, grant information, and budget information | Finance, Director of Cash Management and/or Treasurer
Information about individual employees, including but not limited to social security numbers | Human Resources
Student financial information | Office of Financial Aid, Student Accounts, University Communications
Student information protected by FERPA | Student Life, Registrar, Chief Academic Officer, University Communications
Student health information | Student Life, Wellness Center, University Communications
Student information not listed above | Student Life, University Communications
Research data | University Analytics, Chief Academic Officer
PII concerning faculty | Faculty Administration, Chief Academic Officer
PII concerning donors or unreleased information about gifts received | Advancement
Payroll information | Controller and/or Payroll
Action Item Checklist
This checklist outlines items that the response team should consider while responding to a security incident.
- All available information about the incident, including both information that has been confirmed and information that is suspected, should be provided to the response team. As new information is discovered, it should be provided to the response team as quickly as possible.
- Business recovery and continuity procedures should be followed.
- Legal requirements for reporting compromises should be analyzed and followed.
- Incident response procedures from the payment brands should be referenced or included.
- Remember to alert university leadership teams (President, Senior Staff, Deans) so they understand what is being done to address the incident and are apprised of status. The order and frequency of updates to these groups will be determined by the VP – Information Technology Services depending on the incident.
- Track the amount of time that has passed between incident, discovery of incident, and notification of affected individuals.
- Daily conference calls to checkpoint progress and obstacles are required. They are tremendously helpful in keeping remediation on track and sharing information.
- If contracts need to be negotiated to provide services to the affected departments or individuals, those negotiations should begin immediately. Check to see if previously negotiated contracts can be applied to the situation.
- University Communications will be called upon to prepare outward-facing information. Materials that may need to be developed to handle the incident include:
  - Web pages
  - Notification letter
  - Press release
  - Q&A for media
  - Q&A for call center and other responders
History
- 8 April 2016: Initial Policy