
Security Incident Policy

 This document outlines procedures and protocols for notification of and response to a security incident or breach involving unencrypted electronic personal information processed and/or maintained by Oxcyon and its extended providers, servers, clients and organizations.
  1. SECURITY INCIDENT NOTIFICATION REPORTING & INVESTIGATION PROTOCOL
    • A. Security Incident Reporting

      In the event that a data owner, technology staff member, or Information Technology Services representative identifies a potential security incident involving a computer, the computer shall first be disconnected from the network, then shut down. In all instances, the Operating Unit will await further instructions from Information Security Management and Compliance prior to continued operation of the computer.

      Any employee or data owner who believes that a security incident has occurred shall immediately notify the Development Security Officer.

      Upon notification by an employee or Information Technology Services of a suspected unauthorized acquisition of confidential information, the Information Security Officer or the Assistant Information Security Officer shall promptly notify the Security Breach Response Planning Group.

    • B. Security Incident Investigation

      The acting Development Security Officer will conduct an investigation into the security incident to determine whether there has been a security breach. All investigatory work will be documented within a Confidential Information Security Incident Report within Oxcyon’s Issue Management System.

      • 1. Low/No Risk Incident
        A Low/No Risk incident typically occurs, but is not limited to, an instance when a User, Client, or Technology staff member observes a problem with a computer. The computer may have been compromised due to a form of malware installed on the computer:
        • a. Client or Oxcyon staff will notify Information Security Management and Compliance.
        • b. Client or Oxcyon staff will consult with Information Security Management and Compliance, and possibly Information Technology Services, to determine the level of risk of the incident.
          • 1. If it is determined the incident is “High Risk”, skip to Step 2.
          • 2. If it is determined the incident is “Low/No Risk”, the Client or Oxcyon staff will work with the User and Appropriate Administrator to complete the Employee Identification of Stored Data statement, if deemed necessary by the Information Security Management and Compliance office.
      • 2. High Risk Incident
        A High Risk incident typically occurs, but is not limited to, an instance when Network Services notices an alert, suspicious activity, a DoS, an attempted injection, or a spike in network activity. The computer may have been compromised due to remote program execution, unusual data traffic, RTP services, etc.
        • a. Oxcyon staff will notify Information Security Management and Compliance, and the client, immediately via the Online Issue Management System (which will trigger an alert to all relevant client contacts associated with the project).
        • b. The affected computer will be temporarily transferred to ITS custody for forensic analysis.
        • c. Information Security Management and Compliance will conduct an incident investigation, which may include:
          • 1. Follow-up interview with the Staff member or User
          • 2. Follow-up interview with Client or Oxcyon staff
          • 3. Follow-up interview with the appropriate administrator.
        • d. Upon completion of forensic analysis and interviews, the Information Security Officer, forensic analysis team, and appropriate administrators from Network Services and Academic Technology Services will meet to review all evidence and determine whether there was a security breach.
          • 1. If there was no breach, Client or Oxcyon staff will work with the User and Appropriate Administrator to complete the Identification of Stored Data statement, if deemed necessary by the Information Security Management and Compliance office.
          • 2. If there was a breach, follow the steps outlined in Part II: Security Breach Notification Protocol.

    Upon completion of the investigation, the Information Security Officer or the Assistant Information Security Officer will inform the Security Breach Response Planning Group of the result of the investigation.

  2. SECURITY BREACH NOTIFICATION PROTOCOL
    • A. Internal Notifications

      If it is determined after investigation that a security breach involving notice triggering information has occurred, the Information Security Officer shall notify the client, project manager and Oxcyon’s General Counsel immediately.

      The acting Development Security Officer will notify the responsible parties (Oxcyon staff, and/or clients) confirming the security breach of notice triggering information and provide advice and guidance. The Development Security Officer shall also initiate the breach notification process and work closely with the designee of the department responsible for controlling access to, and security of, the breached electronic equipment to ensure the appropriate handling of the breach response and inquiries. The Development Security Officer will provide guidance to designated employees responsible for responding to breach notification inquiries.

    • B. External Notification

      If it is determined after investigation that a security breach involving client data (HIPAA, PCI, credit/debit card information, or any other sensitive information relating to the client’s data) has occurred, the Information Security Officer will direct notification to the client (via the online issue management system) as well as to any appropriate merchant bank(s) (in the event of PCI or credit card processing). In the event of any confirmed PCI or credit card breach, within three (3) business days the Information Security Officer shall provide a follow-up to the initial issue, including an Incident Report, to the appropriate merchant bank(s). Within ten (10) business days, the Information Security Officer shall provide to the appropriate merchant bank(s) a list of all potentially compromised accounts. Oxcyon will also promptly notify its insurance carrier, CHUBB Insurance, of any confirmed security breach.

    • C. Notification of Affected Individuals

      The department or project manager responsible for controlling access to, and security of, the breached electronic equipment shall compile the list of the names of persons whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In consultation with the Information Security Officer or the Assistant Information Security Officer, a list of individuals to notify shall be compiled based on the following criteria:

    • All individuals who are likely to have been affected, such as all whose information had been stored in the files involved, when identification of specific individuals cannot be made.
    • D. Notification Timing

      Individuals whose notice-triggering information has been compromised shall be notified in the most expedient time possible, and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

    • E. Content of Notice

      The breach notification will provide a brief description of the security breach, a contact for inquiries, and helpful references to individuals regarding identity theft and fraud. The content of the breach notification, and when appropriate, the content of both the web site page and the press release will be reviewed and approved by the Information Security Officer or Assistant Information Security Officer.

    • F. Communications with Outside Agencies

      Oxcyon personnel are not authorized to speak on behalf of Oxcyon’s client to media personnel or representatives of other outside agencies. All media inquiries or other public affairs inquiries should be directed to the Office of Media Relations for Oxcyon’s client. All other inquiries should be directed to Information Security Management and Compliance at (440) 239-8611 at Oxcyon.

    • G. Method of Notification

      Alert appropriate client contacts, as listed in the Oxcyon Issue Management System, including all Oxcyon staff associated with the client project, via Oxcyon’s Issue Management System.

    • Notices by e-mail shall be sent to all affected individuals whose e-mails are known.
    • Written “Notice of Breach” shall be sent to client, and multiple internal staff at Oxcyon.

  3. DEFINITIONS

    Confidential Information

    Confidential Information is information that identifies or describes an individual. Confidential Information is further detailed in the SLA of each client project (HIPAA, PCI, other).

    Data Acquisition

    Unencrypted electronic personal information/notice-triggering information will be considered to have been acquired, or reasonably believed to have been acquired, by an unauthorized person in any of the following situations.

    1. Equipment

    Lost or stolen electronic equipment (including palm pilots, laptops, desktop computers, and USB storage devices) containing unencrypted personal information.

    2. Hacking

    A successful intrusion of server or computer systems via the network where it is indicated that unencrypted personal information has been downloaded, copied, or otherwise accessed.

    3. Unauthorized Data Access

    Includes situations where someone has received unauthorized access to data, such as sending non-public mail/e-mail to the wrong recipient, incorrect computer access settings, inadvertent posting of personal information in electronic format, or other non-hacking incidents. Unauthorized data access also includes indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

    Data Owner

    The individual with primary responsibility for determining the purpose and function of a record system.

    Encryption

    All encryption algorithms, with the exception of trivial ciphers, meet the minimal requirements for encryption. If personal information stored on the compromised electronic equipment is encrypted, no notification is required.

    Health Insurance Information

    An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

    Incident Report

    An investigatory summation of a Security Incident completed by the Information Security Officer or the Assistant Information Security Officer to determine if Oxcyon has incurred a Security Breach.

    Medical Information

    Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

    Notice-Triggering Information

    Specific items of personal information. This information includes an individual’s name in combination with Social Security Number, driver’s license/Medical Group/Patient ID, identification card number, health insurance information, medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

    Security Breach

    An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by Oxcyon.

    Security Incident

    A collection of related activities or events which provide evidence that confidential information could have been acquired by an unauthorized person.

  4. LEGAL OR CIVIL ACTIONS

Subsequent to a breach, Oxcyon may be reviewed by a governing state or federal agency, or a civil action could be brought against it. Oxcyon’s office of Information Security Management, Audit and Compliance will handle all complaints and agency inquiries submitted to Oxcyon as a result of the security breach. Legal counsel will be solicited as needed to respond to complaints or actions.