Electronic Data Security Breach Reporting and Response Procedure

A. Reason for Procedure

This Procedure establishes the measures that the IT Custodian of a system must take to report and respond to a possible breach or compromise of Sensitive Data, in order to comply with all applicable federal and state laws and regulations.

B. Responsible Office and / or Officer

The Project Owner / Project IT Custodian is responsible for initiating the Electronic Data Security Breach Procedure. The LDEO IT Department is responsible for determining the extent of a confirmed breach.

The LDEO IT Department is responsible for the maintenance of this procedure, and for responding to questions regarding it.

C. Procedures

The following procedures will be followed when a breach of Sensitive Data is suspected or known to occur:

  1. Report

    Any suspected or confirmed compromise of Sensitive Data must be reported to the Lamont Information Security Office <[email protected]> as soon as possible; include the keyword "[Data Security Breach]" in the subject of the email. This will automatically open a ticket with <[email protected]> that will be used to document and track the response to the incident.

  2. Breach Confirmed - Report to CU

    If a breach is confirmed, LDEO IT will report the breach to the CU ISO, who will report the breach to the appropriate Columbia University Office to mitigate the risk to the University's Information Resources and protect the University's operations.

  3. Isolate System

    The compromised system must be isolated from the Lamont network as soon as possible and preserved in its current state. For systems affected by a potential ransomware attack, the associated backup systems should also be isolated and any uncompromised backups secured.

  4. Secure Logs

    The IT custodian for the system should attempt to secure logs whenever possible to aid in the investigation.

  5. Incident Categorization

    The incident will be categorized based on the duration of the breach, the type of data affected, and the potential for the breach to spread to other systems on the Lamont network or to external networks. Categories include:

    • Vulnerability on a system with Sensitive Data detected
    • Inadequate security for Sensitive Data detected
    • Unauthorized access to Sensitive Data detected internal to Lamont network
    • Unauthorized access to Sensitive Data detected external to Lamont network
    • Breached system used to breach other systems on Lamont network
    • Breached system used to breach other systems external to Lamont network

  6. Damage Assessment

    Lamont IT will determine the extent of any data security breach. Lamont IT may contact any additional offices and resources required to classify the incident and determine the extent of the breach.

  7. Recovery

    The affected system will be repaired / reconfigured / cleaned as necessary by the IT custodian responsible for the system.

D. Lessons Learned

An incident report will be generated, highlighting how the existing security measures failed and suggesting ways to prevent similar breaches in the future.

Incident Report Details

  • What systems were affected?
    • System name
    • IP address
  • Which Data was compromised?
    • Identify from the Data Asset Inventory
  • When and how was the breach performed?
    • Software involved (include version numbers)
    • Hardware if relevant (include firmware version)
  • When and how was the breach detected?
  • How can a similar breach be prevented in the future?

E. References

Refer to the CU Electronic Data Security Breach Reporting and Response Policy for further information.