Security Incident Response
A security incident response is the official reaction to an issue with a machine or piece of data associated with the University. When an incident is suspected or detected, follow the Personal Information Risk Assessment checklist before proceeding. If it is determined that a breach has occurred, Information Security will perform a forensic investigation on the machine in question to conclusively determine whether a security incident has occurred. For more information on security incident response, please see the GuardIt Personal Incident Response Workflow. Security incidents can sometimes trigger forensic investigations.
There are several triggers for a security incident response including:
- Breach of confidentiality
- Violation of data integrity
- Denial of access
- Use of infrastructure for malicious purposes
Personal Information Risk Assessment: The Four Questions
Process managed by University Counsel and TTS Information Security
Note: As you proceed, you must minimize the number of parties who receive information about events of potential concern discussed here; only tell people about an event if required by this procedure or if they absolutely need to know. Communications should first be coordinated through the Office of University Counsel wherever possible. After your initial work, and then a more thorough investigation, senior management will determine whether an event is an incident---and whether an incident is a data breach.
The IT Support Specialist, Information Steward, and End User must together make an initial determination of the probability that personal information was stored on the computing resource.
Here are four questions that the IT Support Specialist should ask the End User in order to help make this initial determination. These questions provide a framework to make a qualitative assessment of the likelihood that personal information is at risk. If you have questions or would like help with this initial determination process, please contact TTS Information Security.
Question 1: Does the End User work in a “high risk” department or organization?
“High risk” is defined as a Tufts department that processes significant quantities of personal information within its core day-to-day activities and business procedures directly on the End User’s computing resource. Examples include groups that process personnel, financial, or student records. Try to determine whether the End User is in one of these departments, and what practices the department uses to manage personal information.
Question 2: Is the End User working in a “high risk” role?
Although a Tufts department may (or may not) be in the business of processing large quantities of personal information on a day-to-day basis, the business role carried out by an individual within a department may involve regular access to such data directly on their computing resource. Try to determine if the End User is in one of these roles and what practices he or she uses to manage personal information.
Question 3: Does the End User regularly collect Personal Information (e.g. SSNs)?
Often, an End User within a department has a legitimate business need to collect or use personal information. If so, these End Users may have records containing personal information directly on their computing resources. Try to determine if the End User regularly uses personal information and what practices he or she uses to manage personal information.
Question 4: Has the End User previously collected Personal Information (e.g. SSNs)?
As responsibilities evolve, an End User who once processed personal information directly on his or her computing resource might no longer do so today. If a data collecting or processing role has stopped, try to determine what practices he or she used to manage the personal information and subsequently destroy or remove (i.e. scrub) it.