Willamette University Logo
Menu
 

Cybersecurity Incident Response Policy

Purpose

To mitigate the risks from cybersecurity threats, including regulatory, operational, financial, and reputational risks.

Definitions

Cybersecurity Incident - Any malicious act or suspicious event that actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits. The following are some indicators of a cybersecurity incident, but this list is not inclusive:

  • A device containing University data or access to University systems has been stolen or lost
  • A law enforcement agency, such as the FBI, notifies the University that confidential data has been breached
  • University systems experience an unplanned, unexplained disruption
  • An individual is able to view or modify data or access a computer system for which they do not have authorization
  • Anti-virus alerts are being displayed on a workstation
  • An individual clicks on a link in a questionable email and has reason to question the response
  • An individual enters their userid and password in response to a questionable email and has reason to question the response
  • A University web address is displaying an erroneous page
  • An individual receives an extortion attempt, such as ‘send money or else’
  • A workstation or application suddenly slows down significantly
  • Unexpected software or application appears on workstation or in web browser

Confidential Data  - All information about Willamette University or in the university's possession or care that it deems confidential or is required by law or contract to keep confidential. It includes the following:

  • Government-regulated Confidential Information which includes:
    • The following types of Personal Identifying Information (PII): Social Security number, driver license number, passport number, other government-issued identification card number, birthday, biometric identifiers (e.g. fingerprints) and personal medical information;
    • Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) which includes information relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual (e.g. diagnosis, treatment, or insurance-related information);
    • Education records of students, applicants and alumni as defined by the Family Educational Rights and Privacy Act (FERPA), including information about test results, grades, and other academic performance information, financial aid information, disciplinary records, and records received from previously attended institutions;
    • Personally Identifiable Financial information as specified by the Financial
      Services Modernization Act of 1999 (Gramm Leach Bliley Act or GLB) that
      protects the disclosure of customer financial information. Examples include
      information on student loan or financial aid applications, information about loans or financial aid received by a student, and any list of students who received or applied for a loan or other financial aid.
    • Human subject research data which falls under the jurisdiction of the
      university’s Institutional Review Board (IRB);
    • Confidential medical records used to provide an employee with a reasonable
      accommodation under the Americans with Disabilities Act of 1990 (ADA); and
    • Payment card data such as credit and debit card numbers, security codes or PINs covered by the Payment Card Industry (PCI) standards.
  • Other Confidential Information includes but is not limited to:
    • Payroll records or employment and/or personnel information such as
      disciplinary or grievance information, annual review information; and
    • Nonpublic information about third parties that the university has a contractual obligation to keep confidential, including confidential information about or received from suppliers, vendors, sources of funding, grantors, donors, alumni, and research partners and sponsors.

Policy

  • Cybersecurity incidents must be reported to WITS as soon as they are discovered. If the incident is impacting only one person’s workstation or email, it should be reported by calling the Help Desk at x6767 (503-370-6767) or emailing wits@willamette.edu. If the incident has the potential to impact more than one person’s workstation or email, it should be reported by contacting the CIO or Director of Infrastructure whose contact information can be found on willamette.edu.
  • If a cybersecurity incident involves confidential data, the individual(s) reporting must not share the data with others.
  • All communications regarding a cybersecurity incident must be conducted through channels that are known to be unaffected by the cyber incident. For example, if an individual’s email is compromised (or suspected to be), they should not use email to report the incident.
  • Containing a critical, severe, or serious cybersecurity incident, as defined in the Cybersecurity Incident Response Plan, has a higher priority than maintaining normal business traffic. WITS personnel may disrupt normal operations, as needed, to contain such an incident.

Procedures

See the CyberSecurity Incident Response Plan, which outlines the processes and responsibilities for responding to a cybersecurity incident.


Status: This policy was approved in 2019
Effective Date: 7/1/2019
Last Review Date: 7/1/2019
Next Anticipated Review: 7/1/2020
Responsible Person/Primary Contact: Chief Information Officer
Responsible University Office: WITS

Willamette University

Willamette Integrated Technology Services

Address
900 State Street
Salem Oregon 97301 U.S.A.
Phone
503-370-6004 voice
503-375-5456 fax
Email
wits-info@willamette.edu

Back to Top