UMGC Policy X-1.06 Information Security Incident Response

Purpose

The purpose of this policy is to ensure that the University is prepared to respond to information security Incidents, to protect University Information Systems and information, and prevent disruption of University Information Resources by providing the required management for incident handling, reporting, and monitoring.

Scope and Applicability

This policy and its supporting standards and procedures apply to all Users who use or have access to UMGC Information Systems and Information Resources.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. Under the direction of the Sr. Director, Information Security, a Computer Incident Response Team (CIRT) shall be established to ensure appropriate response to Security Incidents. The CIRT shall consist of Employees and Contractors with the technical, administrative, and communication skills required to facilitate a prompt and thorough mitigation and remediation response to Security Incidents.
2. An information security incident response plan shall be developed and implemented that:
   1. Provides a well-defined, organized approach for responding to critical Security Incidents affecting University Information Resources and Information Systems.
   2. Describes the structure, roles, and responsibilities of the incident response capability
   3. Identifies management and key personnel and ensures they are notified of information Security Incidents as required
   4. Defines reportable incidents
   5. Defines Severity Classifications for Information Security Incidents (High, Moderate, Low)
3. Upon notification of a Security Incident, the Sr. Director, Information Security (or designee) will carry out an initial investigation and make the decision whether to activate the CIRT.
4. The information security incident response plan and procedures shall be reviewed at least annually to address system/organizational changes or problems encountered during implementation, execution, or testing.
5. Handling of all Information Security Incidents shall be documented in the Information Security Incident Response Plan and all technology specific remediation processes shall be documented in a procedures document.
6. All operational units and other related University Employees and Contractors are required to provide the CIRT with any assistance requested for purposes of investigation, remediation, and reporting of an incident.
7. Continuous monitoring must be deployed and be prepared to provide operational visibility and managed change control in support of Incident response duties.

1. Any User who suspects or becomes aware of an Information Security Incident involving University information, Information Resources or Information Systems should contact the UMGC technical support service desk as soon as possible by calling 1-888-360-8682, emailing servicedesk@umgc.edu, or contacting the UMGC Information Security at infosec@umgc.edu.

Exceptions

Exceptions to this policy must be submitted to UMGC Information Security at infosec@umgc.edu for review and approval.

1. Any Faculty, Staff, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
2. Information System Stewards in consultation with the Office of Human Resources may instruct Access Account Managers, or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.
3. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.04 Information Security
3. UMGC Policy X-1.12 Acceptable Use
4. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
5. UMGC Policy X-1.19B Account Management (UMGC Workforce)