Chapter 5 - Administration
Part 1. Purpose. This guideline establishes the minimum requirements for Information Security Incident Response within Minnesota State Colleges and Universities (System). Information Security Incident Response controls and minimizes the impact of an information security incident by establishing a process to report and address the incident.
Part 2. Applicability. This guideline applies to all system information resources, and to all uses of those resources. This guideline establishes minimum requirements for incident response. Institutions may adopt additional requirements, consistent with this guideline and board policy 5.23.
Part 3. Guidelines.
Subpart A. Each system college, university and the system office shall adopt an Incident Response Plan addressing the requirements set out in this guideline. Incident Response Plans shall include reasonable and appropriate methods to control and remediate information security incidents affecting critical information technology resources that are controlled by an institution.
Subpart B. Information Security Incident Definition. An information security incident for the purposes of this guideline means a situation that presents a significant or imminent threat to the security of system information technology resources or information resources; it includes, but is not limited to, the following:
Subpart C. Plan Components. The Incident Response Plan should include appropriate procedures to address the issues outlined below for security incidents.
Subpart D. Team Composition. Incident response teams should be prepared for a variety of security incidents, and include members who can provide expert advice for potential needs. Team members will be activated as necessary depending on the nature of the incident, and external resources may be used to fulfill some roles. The resources outlined below must be identified in the plan.
Subpart E. Links to Established Processes. The Incident Response Plan must include links to relevant system or campus policies or procedures where they exist. For example:
Subpart F. Testing. The Incident Response Plan must be tested at least annually. This test should include the items outlined below at a minimum.
Subpart G. Confidentiality. Information that is created, collected and maintained in connection with an information security incident is subject to the Minnesota Government Data Practices Act (MGDPA), Minnesota Statutes §13, and may be subject to other privacy laws depending on the content of the data. Information security incident documentation may include, in whole or in part, "security information," and should be labeled and handled appropriately, distributing only on a need-to-know basis.
Part 4. Definitions:
Subpart A. Access. Approved authorization to view, modify or delete system information/data. Access shall be authorized to individuals or groups of users depending on the application of law, system policy or guideline. Technical ability to access information is not necessarily equivalent to legal authority.
Subpart B. Authorized Individual. Employee, consultant, volunteer or other individual who is approved and allowed access to information within the system to perform an activity on behalf of an institution. The individual may have access to any class of information, according to policy.
Subpart C. Breach. Any accidental or deliberate non-compliance with policies or other security controls.
Subpart D. Data. Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files. Data can include: financial transactions, lists, identifying information about people, projects or processes, and information in the form of reports. Because data has value, and because it has various sensitivity classifications defined by federal law and state statute, it must be protected.
Subpart E. Information Resources. Data collected, created, received, maintained or disseminated by any system user, regardless of its form, storage media, security classification, or conditions of use.
Subpart F. Information Technology Resources. Facilities, technologies, and information resources used for system member information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive, but rather, reflects examples of system equipment, supplies and services.
Subpart G. Institution. One of the separate entities described under the definition of System, or pertaining to such an organizational entity.
Subpart H. May. A statement that is optional.
Subpart I. Minnesota Government Data Practices Act (MGDPA). Per Minnesota Statutes §13, MGDPA regulates the collection, creation, maintenance and dissemination of government data in state agencies, statewide systems, and political subdivisions. It establishes a presumption that government data are public and are accessible by the public for both inspection and copying unless there is a federal law, a state statute, or a temporary classification of data that provides that certain data are not public.
Subpart J. Must. A statement that is required for a compliant implementation.
Subpart K. Must Not. A statement that is prohibited for a compliant implementation.
Subpart L. Not Public Data. Data that is considered confidential, private, nonpublic or protected nonpublic data as defined in the MGDPA or any other relevant state or federal statute or system legal guideline. For examples of data classifications, see standard 5.23.E, Notice of Breach of Security, Part 4: Reporting a Suspected Breach.
Subpart M. Payment Card Industry (PCI) Data. Payment card information, as defined by the Payment Card Industry Security Standards Council. PCI data is subject to the PCI Data Security Standards. Such information includes payment account numbers (PANs) plus expiration dates, cardholder names, or verification codes, or data stored on track 2 of the payment card.
Subpart N. Should. A statement that is recommended but not required.
Subpart O. Should Not. A statement of practices that are not recommended but which may be followed.
Subpart P. Security Information. As defined by MGDPA, Minnesota Statutes §13, "government data the disclosure of which would be likely to substantially jeopardize the security of information . . .against theft, tampering, improper use. . . [or] illegal disclosure". Security information should be labeled as such and handled appropriately, distributing only on a need-to-know basis.
Subpart Q. System. Denotes the Minnesota State Colleges and Universities Board of Trustees, the system office, the state colleges and universities, and any part or combination thereof.
Part 5. Authority. Board policies 1A.1 and 5.23 delegate authority to the vice chancellor to develop system guidelines, consistent with Board policy and System procedure, for the purposes of implementing Board policy 5.23.
Date of Implementation: 05/04/10
Date of Adoption: 11/04/09
Date and Subject of Revisions:
1/25/12 - The Chancellor amends all current system procedures effective February 15, 2012, to change the term "Office of the Chancellor" to "system office" or similar term reflecting the grammatical context of the sentence.
There is no additional History for Guideline 220.127.116.11