Incident Response Protocol
Identity & Information Security
One Washington Square
San Jose, CA 95192-0042
Terminology, Definitions and Contacts
- Unauthorized acquisition—Unencrypted electronic personal information will be considered to have been acquired, or reasonably believed to have been acquired, by an unauthorized person in any of the following situations:
  - Equipment: Lost or stolen electronic equipment (including palm pilots, laptops, desktop computers, and USB storage devices) containing unencrypted personal information.
  - Hacking Incident: A successful intrusion of computer systems via the network.
  - Unauthorized Data Access: Includes situations where someone has received unauthorized access to data, such as sending non-public mail/e-mail to the wrong recipient, incorrect computer access settings, or other non-hacking incidents. Unauthorized data access also includes indications that unencrypted personal information has been downloaded or copied, or that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
- Security Breach—A security breach is any unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by San Jose State University.
- Personal Information that triggers Notification—Personal Information means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  - Social security number, or last 4 digits of SSN with DOB;
  - Driver's license number or California Identification Card number; and
  - Account number (which could include a student identification number), credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Encryption: All commercial encryption algorithms are admissible as meeting the campus requirements for encryption. If personal information stored on the compromised electronic equipment is encrypted, no University notification is required.
It is the responsibility of the employee who discovers a security breach to immediately notify his or her supervisor.
Security Breach Notification
- Any employee who believes that a security breach has occurred shall immediately notify his or her supervisor.
- The supervisor will notify the Vice President, Administration and Finance and the Information Security Officer (ISO).
- If the ISO determines that personal information is reasonably believed to have been acquired by an unauthorized person, the incident will be immediately reported to the Security Breach Response Planning Group (SBRPG)—this Group is comprised of the following:
  - AVP, Information Technology
  - AVP, AS&F
  - AVP, AT
  - AVP, Student Life
  - Executive Director, Associated Students
  - Executive Director, Spartan Shops
  - Executive Director, Student Union
  - Executive Director, SJSU Foundation
  - Director, Communications and Public Affairs
- Based on the nature, location, or extent of the security breach and the recommendation of the Security Breach Response Planning Group, additional individuals may be requested to participate in breach investigation and response planning.
- If it is determined after appropriate investigation that the security breach is of a magnitude that it could potentially be published in the press, the Information Security Officer shall notify the CSU's General Counsel; the Senior Director, Information Security Management / Office of the Chancellor; and copy the CIO/Assistant Vice Chancellor. In addition, the Campus President will also notify the Chancellor independently.
- When a security breach has been confirmed, the Information Security Officer shall work closely with the Division Executive or designee of the department responsible for controlling access and security of the breached electronic equipment, to ensure the appropriate handling of incident notification and inquiries.
- Determination of Whom to Notify
  - In consultation with the Information Security Officer, the department or office responsible for controlling the breached electronic equipment will compile a list of individuals to notify based on the following criteria (the process for determining inclusion in the notification group shall be documented):
    - California residents whose notice-triggering information was or is reasonably believed to have been acquired by an unauthorized person.
    - All individuals who are likely to have been affected, such as all whose information is stored in the files involved, when identification of specific individuals whose personal information was acquired or is reasonably believed to have been acquired by an unauthorized person cannot be made.
  - If more than 10,000 individuals are identified, the following consumer credit reporting agencies shall be notified:
    - Experian: E-mail to Business Records Victim Assistance.
    - Equifax: E-mail to Lanette Fullwood.
    - TransUnion: E-mail to TransUnion, with "Database Compromise" as subject.
- Timing of External Notification to Affected Individuals—Affected individuals shall be notified, without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- The information considered when determining the notification date shall be documented.
- Content/Method of Notification
  - The notice will provide essential information explaining the incident, with a reference to a web site page that provides additional details, a contact for incident inquiries, and helpful references for individuals regarding identity theft and fraud. The content of the notice and the content of the web site page will be reviewed and approved by the Security Breach Response Planning Group. The University's incident notice shall consist of a sealed notice or letter, printed with the official San José State University logo, addressed to the individual at the recorded address registered with the University. Any notices returned with address forwarding information will be re-sent by the responsible department.
  - If fewer than 500,000 individuals were affected, or if the cost of giving individual notices to affected individuals is less than $250,000, notices shall be sent by first class mail.
  - If more than 500,000 individuals were affected, or if the cost of giving individual notices to affected individuals is greater than $250,000, the following substitute notification procedures shall be followed:
    - Notices by e-mail shall be sent to all affected individuals whose e-mail addresses are known.
    - A "Notice of Breach" shall be conspicuously posted on the campus web site.
    - Major statewide media including television, radio, and print shall be notified.
  - The campus Information Security Officer will give the Senior Director, Information Security Management / Office of the Chancellor a copy of any press release in advance of its actual release.
Process to Respond to Incident Inquiries
- Subsequent to an incident, the University can expect several inquiries from notified users, their parents/spouse, and security vendors. The Information Security Officer will provide an Incident Communication Guideline to be used by the individual(s) designated by the Division Executive to respond to any phone calls/e-mails/letters/walk-in traffic with inquiries regarding the incident.
- In general, the Incident Communication Guideline will direct employees:
  - Not to offer unsolicited information or comments to the media
  - To advise the inquirer that the incident is under investigation (if this is the case)
  - To direct the inquirer to a web site for incident information
  - To direct inquirers from law enforcement to University Police
  - To direct inquirers from the media to Campus Public Affairs