Hi, UNM has an incident response plan that was developed as a standard response for all information security incidents related to ERP and ERP components. In addition, there are specialized incident response plans that have been developed for units with requirements to do so, for example, the Payment Card Industry (PCI) incident response plan. For 2.1.2 Bullet 1, an example of an incident where the department would be responsible for costs associated with responding to an incident is: if a staff member in a department made an unauthorized copy of Personally Identifiable/ Sensitive and Protected (PII/ SPI) information, the department where that employee works would bear the responsibility of paying investigatory costs that the investigative body requires (such as when Internal Audit requires forensics analysis be conducted on that employee’s computer(s)). In addition, if there were a disclosure/ breach of that PII/ SPI where the UNM investigative body determined that Identity Theft Protection services are required as part of UNM’s response, the department would be responsible for those costs, as well. Section 6 reads: This section intentionally left blank. This is related to an incident against the service, not an information security incident. We do distinguish between minor and major incidents. An example of a minor incident is: a virus infection on a workstation where there were Antivirus definitions available that would have prevented an infection if the definitions had been updated, where that workstation has no PII/ SPI, and the workstation was not used as part of an attack on third parties or internal services. An example of a major incident is: a device on the UNM network that was not patched, was taken over by an unauthorized third party, was used to attack other third parties, was used to attack other UNM internal resources, and/ or was used to access and/ or exfiltrate PII/ SPI for which UNM is responsible. Stolen and lost UNM-owned devices, or devices storing PII/ SPI for which UNM is responsible, must be reported to Safety and Risk Services (and stolen devices reported to UNMPD). If PII/ SPI was stored on that device, Safety and Risk Services notifies the ISPO so that we can assist the appropriate UNM entities in responding to any potential or actual breach, as required for the type of PII/ SPI involved.
- This reply was modified 8 years, 7 months ago by base. Reason: Last of the formatting edits