Security Incident Response Plan

Purpose

This document outlines the plan for responding to information security incidents at LightForce. It defines the roles and responsibilities of participants, characterizes incident response as a whole, describes relationships to other policies and procedures, and gives guidelines for reporting requirements. Because LightForce faces a wide variety of possible incidents, and because threats against LightForce, its data and its systems advance rapidly, this document is designed to provide guidance on reacting to data security incidents, determining their scope and risk, and ensuring an appropriate response, including communicating incidents to the appropriate stakeholders and reducing the likelihood of recurrence. This protocol is not to be considered policy, because of the varied nature of incidents that can occur within the LightForce environment. Incidents may warrant deviations from this protocol where that preserves LightForce’s ability to respond in an optimal manner.

Anyone suspecting an exposure of LightForce data or systems should immediately contact the IT Help Desk or the Information Security Office (security@Lightforceortho.com).

Scope

This plan applies to all information systems, data, and networks of LightForce and any person or device accessing these systems or data. The Information Security Office (ISO) acts on behalf of the LightForce community and will request cooperation and assistance in investigating incidents from community members as required.

Maintenance

LightForce’s Information Security Office (ISO) is responsible for the maintenance and revision of this document.

Definitions

Event

An event is an exception to the normal operation of IT infrastructure, systems or services. Events may be identified by automated systems; through violations reported to the ISO, Compliance/Privacy or another LightForce department; or in the course of normal system reviews, including system degradation or outages. It is important to note that not all events become incidents.

Incident

An incident is an event that, as assessed by ISO staff, violates the Acceptable Use Policy, Access Control Policy, Confidential Data Policy or other LightForce policy, standard, or Code of Conduct or threatens the confidentiality, integrity, or availability of Information Systems or LightForce Data.

Regulated Data Classification

Regulated Data may carry additional reporting and regulatory requirements when involved in an incident. Examples of the types of regulated data that may reasonably be found in the LightForce environment are detailed in Appendix C.

Roles and Responsibilities

Chief Information Security Officer (CISO)

Throughout the course of the protocol, the CISO is broadly responsible for:

  • Coordinating efforts to manage an information security incident;
  • Ensuring the prompt investigation of a security incident;
  • Determining what LightForce data may have been exposed;
  • Securing any compromised systems to prevent further damage;
  • Providing guidance to the LightForce stakeholders

Privacy Officer

Throughout the course of the protocol, the Privacy Officer is broadly responsible for:

  • Coordinating efforts to manage regulatory requirements and notifications;
  • With assistance from General Counsel, reviewing applicable federal and state laws and developing appropriate course of action to comply with such laws in the event a data exposure occurred;
  • Ensuring all aspects of a data exposure management plan are completed

Executive Response Team

The Executive Response Team (ERT) consists of LightForce Officials with the authority to make key decisions in managing an incident related to data with regulatory requirements for reporting. The ERT shall be comprised of the following standing members (note: other members may be asked to collaborate where appropriate):

  • CISO
  • Privacy Officer
  • General Counsel
  • Representative from the Office of the CEO
  • Compliance and Risk Management (Cyberliability Insurance)
  • Director or Department Head of the area where the exposure is determined to have occurred

Incident Response Coordinator

Throughout the course of the protocol, the Incident Response Coordinator is broadly responsible for:

  • Directing efforts to gather appropriate information
  • Providing expertise in the procedural aspects of gathering information and documentation of process
  • Updating CISO and other leadership as necessary

Incident Response Handler

Throughout the course of the protocol, Incident Response Handlers are broadly responsible for:

  • Gathering data from systems
  • Providing specific expertise in technology and data
  • Entering appropriate data for Incident Management including procedural information

Incident Response Methodology

This plan outlines the general tasks for Incident Response. Due to the ever-changing nature of incidents and attacks upon LightForce, this incident response plan may be supplemented by specific internal guidelines, standards and procedures as they relate to the use of security tools, technology, and techniques used to investigate incidents.

Scope

The Information Security Office’s authority in an investigation extends to all LightForce-provided information systems and data, including data residing in cloud-based services. To the extent possible during an investigation, the ISO will coordinate its efforts with the other groups responsible for the security of LightForce systems and data. The specific actions and resources used to investigate an incident will be proportionate to the type, scope and risk of the threat to LightForce systems and data.

Evidence Preservation

The primary goals of incident response are to contain the scope of an incident, reduce the risk to LightForce systems and data, and return affected systems and data to an operational state as quickly as possible. The ability to return systems to operation quickly may at times be constrained by the need to collect evidence in the event of an exposure of data: where an exposure is suspected, handlers should capture the required evidence (for example logs, and disk and memory images) before affected systems are rebuilt, restored or returned to service, since those actions destroy it.

Operational-Level Agreements

In today’s technology-centered world, many individuals have expectations about the availability of systems and data for themselves and the constituents they serve. The interruption of services can cause hardship, and the ISO will cooperate with the affected groups to ensure downtime is minimized. However, LightForce leadership supports giving priority to investigation activities where there is significant risk, and this may result in temporary outages or interruptions.

Training

The continuous improvement of incident handling processes implies that those processes are periodically reviewed, exercised and evaluated for process improvement. LightForce staff inside and outside of IT will be periodically trained on procedures for reporting and handling incidents to ensure there is familiarity with the process and with the responsibilities of the Incident Response Team. These exercises may take the form of either external or internal training including tabletop exercises.

Incident Response Phases

The Incident Response process encompasses six phases: preparation, detection, containment, investigation, remediation and recovery. These phases expand on the incident response life cycle in NIST SP 800-61 (Computer Security Incident Handling Guide), which groups them as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. In responding to an incident, the Incident Response Team will focus on the detection, containment, investigation, remediation and recovery of the specific incident.

Preparation

Preparation for incident response includes those activities that enable the organization to respond to an incident: the creation and review of policies, standards and guidelines supporting incident response; security and technology related tools; and effective communication plans and governance. Preparation also implies that departments across LightForce have implemented the controls necessary to enable the containment and investigation of an incident (for example, retained logs and the ability to isolate affected systems). As preparation happens outside the official incident process, process improvements from prior incidents should form the basis for continuous improvement at this stage.

Detection

Detection is the identification of an event or incident whether through automated means with security tools or notification by an inside or outside source about a suspected incident. This phase includes the declaration and initial classification of the event/incident.

Containment

Containment of an incident includes the identification of affected hosts or systems and their isolation or mitigation of the immediate threat. Communication with affected parties is established at this phase of incident response.

Investigation

Investigation is the phase where ISO/IT personnel determine the priority, scope, risk and root cause of the incident.

Remediation

Remediation includes the repair of affected systems and services, addressing residual attack vectors against other systems, communication and instructions to affected parties and an analysis that confirms the threat has been contained. If the CISO or Privacy Officer reasonably believe that an exposure of regulated data may have occurred, the CISO or Privacy Officer will contact the Office of the General Counsel to provide situational information in determining a proper response at this stage. Apart from any formal reports, the after-action analysis will be completed at this stage.

Recovery

Recovery is the analysis of the incident for possible procedural and policy implications. Recovery also includes the incorporation of any “lessons-learned” from the handling of the incident into future exercises and/or training initiatives.

Appendix A – Executive Response Team

The Executive Response Team is responsible for actions such as communication, information sharing, and minimizing impact from an exposure of regulated data. As LightForce responses to each incident may vary, this section provides an overview of those actions that the Executive Response Team may take in responding to an incident in which regulated data has been exposed.

  • Once it is determined that enough information about the situation and the extent of the exposure has been collected, the Privacy Officer and CISO will collaborate with the Office of the General Counsel to determine if the incident rises to the level of a security breach. In the event that this is determined, appropriate members of the ERT should work together to determine what, if any, level of notification is required, how individuals impacted by the exposure should be notified and what, if any, services should be offered to the individuals impacted by the data exposure to help protect themselves from potential or actual identity theft. As part of this analysis, the Privacy Officer will coordinate with the Office of the General Counsel to review applicable state and federal privacy, data security and breach notification laws and to develop a plan of action to comply with the applicable requirements of such laws.
  • If it is determined that notification and credit monitoring protection is appropriate and/or required, the Privacy Officer and Procurement may engage LightForce’s designated vendor to provide notification and credit monitoring services on LightForce’s behalf. When applicable, LightForce may engage with our cyber-liability insurance carrier for assistance. Unless an exception is determined to be appropriate by the ERT, the office or department responsible for the data that was lost or exposed shall be responsible for the costs associated with remediating the exposure, including but not limited to notification and credit monitoring services.
  • Where required by state and/or federal law, the Privacy Officer will coordinate with the Office of the General Counsel and the Office of the CEO to ensure that appropriate state and/or federal government entities (e.g., state attorneys general, other state agencies, FTC, DHHS) are notified of the exposure, who has been impacted, and LightForce’s course of action related to managing the exposure of data.
  • Where appropriate, the Executive Response Team will contact the Office of the Attorney General (through the AG’s Privacy and Data Security Department), the Governor’s Office and/or any other appropriate State Officials to inform them about the data exposure.
  • Where necessary or appropriate, the ERT will expeditiously collaborate to develop press releases and letters to affected individuals (by email and/or U.S. post). Where appropriate, the CISO will coordinate with LightForce to create web page(s) with information regarding the exposure and how individuals can take steps to protect themselves.
  • The ERT will also designate a single point of contact to address questions/concerns of individuals concerned about the exposure. The ERT may decide to set up a special toll-free phone number for individuals to call with questions/concerns, or to utilize services provided by our cyber-liability insurance carrier, when applicable. The Privacy Officer will ensure that appropriate offices are made aware of the single point of contact to whom questions/concerns should be directed.
  • In the course of managing and remediating the exposure, as expeditiously as possible:
    • The Privacy Officer will work with Purchasing and the department responsible for the costs of remediating the exposure to process necessary paperwork to engage LightForce’s designated vendor to provide notification and/or credit monitoring services.
    • The Privacy Officer will work with the vendor to process any appropriate paperwork (e.g., SOW, PO) to engage the vendor’s services.
    • The Privacy Officer will work with appropriate LightForce staff, the Office of the General Counsel and the vendor to draft notification letters and, where appropriate, FAQs regarding the incident.
    • The Privacy Officer and/or CISO will work with appropriate LightForce staff to collect the names and last known addresses of individuals who will need to be notified.
    • Notification letters will be sent to impacted individuals or organizations by First Class Mail, email and/or other methods required by law.
    • Press releases will be finalized and issued by LightForce where appropriate. The main LightForce website(s), faculty/staff webpage and/or student web page will include a link to the news release.
    • A special website, containing information regarding the exposure, how to get more information, and how to protect one’s credit, may be posted as appropriate by LightForce and/or the Information Security Office.
    • A mechanism for logging calls and/or inquiries received, as well as responses and/or assistance given, shall be created and implemented.
    • Once proper notifications have been sent and posted and the matter has been contained and handled, debriefing meeting(s) should be held with all of the individuals involved in the incident investigation, management and remediation. Additional follow-up activities should occur as appropriate.

Appendix B – Guidelines for Incident Response

Each incident presents a unique set of challenges and problems. This section provides some common guidelines for preferred actions in these types of events. For any issues outside of these guidelines, the Chief Information Security Officer or Office of General Counsel should be consulted.

Incidents within Chain of Command

In incidents where a member of the incident response team, their leadership or the leadership of LightForce is being investigated, appropriate resources will be selected to remove any conflicts of interest at the direction of or in conjunction with General Counsel.

Interactions with Law Enforcement

All communications with external law enforcement agencies are made after consulting with the Office of General Counsel.

Communications Plans

All public communications about an incident or incident response to external parties outside of LightForce are made in consultation with the Office of General Counsel and LightForce. Private communications with other affected or interested parties should contain the minimum information necessary as determined by the Incident Coordinator or Chief Information Security Officer.

Privacy

LightForce respects the privacy of all individuals, and wherever possible the incident response process should be executed without knowledge of any individual identities until necessary.

Documentation, Tracking and Reporting

All incident response activities will be documented, including the artifacts obtained during any investigation. Because any incident could require proper documentation for law enforcement action, every action should be recorded contemporaneously (who did what, when, and on which system), and data should be handled in a manner that provides a consistent chain of custody, so that the validity of the data gathered can be demonstrated.
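One way to implement the chain-of-custody record described above, as an added example that is not part of the LightForce plan: each artifact is hashed at collection time, the manifest records who collected it and when, the manifest itself is sealed with a hash, and a later reviewer can re-verify both the files and the record. The incident identifier, handler name and artifact files are constructed for the demonstration.

```python
"""Chain-of-custody manifest for incident artifacts (added example, not part of
the LightForce plan). Each collected artifact is hashed with SHA-256, the
manifest records who collected it and when, and the manifest itself is sealed
so that later edits to the record are detectable as well as edits to the files.
The incident ID, handler name and artifact contents below are constructed."""
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(body):
    """Hash of the canonical JSON encoding of the manifest body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(artifact_paths, handler, incident_id):
    """Record hash, size, collector and UTC timestamp per artifact, then seal."""
    entries = []
    for path in sorted(artifact_paths):
        entries.append({
            "name": os.path.basename(path),
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "collected_by": handler,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    body = {"incident_id": incident_id, "artifacts": entries}
    return {**body, "manifest_sha256": _seal(body)}


def verify_manifest(manifest, artifact_dir):
    """Return the names of artifacts whose hash no longer matches the manifest.
    A tampered manifest is reported as "<manifest>" and its files are not trusted."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if _seal(body) != manifest.get("manifest_sha256"):
        return ["<manifest>"]
    mismatches = []
    for entry in manifest["artifacts"]:
        path = os.path.join(artifact_dir, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["name"])
    return mismatches


def demo():
    """Collect two constructed artifacts, seal the manifest, then show that both
    a modified artifact and an edited manifest are detected."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    artifacts = {  # constructed sample data, not real evidence
        "auth.log": b"constructed sample: sshd[411]: Failed password for root\n",
        "memory.raw": bytes(range(256)) * 16,
    }
    paths = []
    for name, data in artifacts.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)

    manifest = build_manifest(paths, handler="handler-1", incident_id="IR-0001")
    clean = verify_manifest(manifest, workdir)

    # Append one byte to a log after collection: a hash mismatch is expected.
    with open(os.path.join(workdir, "auth.log"), "ab") as f:
        f.write(b"\n")
    tampered_file = verify_manifest(manifest, workdir)

    # Edit the custody record itself: the seal must catch it.
    edited = copy.deepcopy(manifest)
    edited["artifacts"][0]["collected_by"] = "someone-else"
    tampered_manifest = verify_manifest(edited, workdir)

    return {"clean": clean, "tampered_file": tampered_file,
            "tampered_manifest": tampered_manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to print the three verification results. The seal protects the record against silent edits, not against the collector regenerating it: signing the manifest with a key held by the ISO, or writing it to a write-once location, is what makes the custody chain hold up against an insider.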

Escalation

At any time during the incident response process, the Incident Response Coordinator or the Chief Information Security Officer may be called upon to escalate any issue regarding the process or incident. The Chief Information Security Officer in consultation with the Office of General Counsel will determine if and when an incident should be escalated to external authorities.

Appendix C – Primary Types of Regulated Data

Personally Identifiable Information (PII)

PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Social security number
  • State-issued driver’s license number
  • State-issued identification card number
  • Financial account number in combination with a security code, access code or password that would permit access to the account
  • Medical and/or health insurance information

Protected Health Information (PHI)

PHI is defined as “individually identifiable health information” transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium by a Covered Entity as defined in 45 CFR 160.103. Health information is considered individually identifiable if it contains one or more of the following identifiers:

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 (including any date elements indicative of such age)
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Uniform Resource Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code that could identify an individual