This policy supplements the Saint Michael's College Information Security Plan: Sections 3, 7 and 9
Purpose
The purpose of this policy is to outline the different responsibilities of the Information Technology department with regards to reacting and responding to various types of network and information security incidents that may occur at Saint Michael's College.
Scope
This policy applies to all employees and faculty of Saint Michael's College as well as vendors, contractors, partners, students, collaborators and any others doing business or research with the college. Any other parties, who use, work on, or provide services involving Saint Michael's College computers, technology systems, and/or data will also be subject to the provisions of this policy. Saint Michael's College computing resources have been developed to encourage widespread access and distribution of data and information for the purpose of accomplishing the educational, research missions of the college. This policy will not supersede any Saint Michael's College developed policies but may introduce more stringent requirements than the college policy.
Policy
3.1 The appropriate compliance officer has the authority to take actions necessary to protect Saint Michael's College people, resources, data and/or communications in the event of a security incident.
3.2 The CIO serves as the investigative and operational lead for the conduct of all Saint Michael's College IT security incident investigations. The CIO will be the primary authority for invoking incident response procedures.
3.3 Various Saint Michael's College departments will provide members of the incident response team to assist with the security incident investigations. All incident response team members will be assigned duties based on the circumstances of the incident.
Enforcement
Violation of this policy may result in disciplinary action which up to and including termination for employees and temporaries; a termination of the contract without compensation in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of Saint Michael’s College information resource access privileges, civil, and criminal prosecution or other legal action. They may also be held financially liable.
Definitions
A Saint Michael's College security incident is defined as an event that exposes Saint Michael's College-held data to unauthorized individuals and impacts or has the potential to negatively impact safety or privacy, or the reputation of Saint Michael's College.