Technology is an integral part of how the university carries out its mission. The university must be prepared to evaluate unwanted technical events effectively and to respond appropriately when security incidents are identified. Preparation and planning for an incident, and ensuring that the right resources are available, are vital to the university's ability to further prevent, detect, respond to, and recover from information technology security incidents.
This policy defines adverse technology events and incidents and identifies their respective security response requirements.
This policy applies to all university organizational units.
The university maintains an information technology security incident response capability. This capability provides the ability to detect and respond to adverse events, determines if an adverse event has become an incident, determines the severity of the incident, and identifies the individuals responsible for determining how the incident is to be handled. The university's incident response capability shall include, but is not limited to, the following:
Permanent members (must be notified of any major incident regardless of the relative level of involvement with responding to a particular matter):
Under the vice president, chief information officer/chief technology officer ("CIO/CTO"), the information security office leads the fact gathering and technical investigation of major incidents, and reports progress to the incident response team members and to executive leadership. The vice president, CIO/CTO serves as the senior executive interface for the technology incident response function.
Under internal audit and compliance, the privacy office provides coordination of major incident investigation functions across organizational lines, identifies applicable privacy concerns, monitors the progress of the investigation, and handles routine communications with regulatory bodies. This coordination is intended to enable the controlled sharing of information and the prevention of cross-purpose actions.
The office of legal affairs serves as legal counsel to the incident response team and ensures that the university establishes its response in a defensible manner.
Under the office of legal affairs, the risk management administrator coordinates the relationship with the university's insurers.
Ohio Admin. Code 3364-65-10
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364
Prior Effective Dates: 04/01/2018