Policy

Plan for a Loss or Breach


________________________________________
Document Number: REDFLAG--110
Revision #: 1.0
Document Owner: Executive VP
Date Last Updated: 08/17/2012
Primary Author: Executive VP
Status: Approved
Date Originally Created: 12/15/2011
________________________________________
General Description
Description: Information about the plan for a loss or breach relative to the Red Flags Identity Theft Policy.

Purpose: Delineation of policy and procedure.

Scope: All faculty, staff, students, and administrators

Responsibility: Administration
Executive VP
VP of Business and Finance
________________________________________
Requirements
Relevant Knowledge: In order to comply with this policy you should know:
Current University policy
Federal statutes
Local statutes
Standard company policies
Standards of good practice
State statutes
Terms and Definitions: Additional training

Corrective Action

Loss of privilege, general
________________________________________
Policy Provisions
1. Plan for a Loss or Breach

1.1 Information Security Audits

The Identity Theft Prevention Officer is authorized to conduct security audits of any area containing CSI at any time to ensure the safety and security of that information.


1.2 Discovery of a Breach in the Workplace

1. Employee Protocol
• Do not disturb the area.
• Secure the area.
• Notify manager or supervisor.
• Manager will contact the Identity Theft Prevention Officer.
• Document the event.
• Submit to Identity Theft Prevention Officer.

2. Manager or Supervisor Protocol
• Ensure affected area is secure. Do not let anyone use the phone or computer in that area.
• Gather visitor logs and employee time sheets, and list everyone who had access before, during, and after the incident.
• Interview employee witness(es).
• Contact ISO.

3. Identity Theft Prevention Officer Protocol
• Determine that there is a breach
• Interview Employee Witness
• Review Security Incident Report
• Contact the University attorney
• Make a police report
• Notify potential victims according to legal statutes.
• Public relations and continuity considerations.


1.3 Discovery of a Breach Through Accusation

1. Employee Protocol
• Be sympathetic to the potential victim
• Do not confirm or deny their allegations
• Document the conversation
• Document contact information
• Inform them that your Identity Theft Prevention Officer will contact them.

2. Identity Theft Prevention Officer Protocol
• Interview Employee Witness
• Review Security Incident Report
• Contact potential victim.
• Ask them to reiterate their story.
• Assure them that you will look into it.
• Contact your attorney.
• Determine that there is a breach
• Assess the extent of damage
• Make a police report
• Notify potential victims according to legal statutes.
• Public relations and continuity considerations





________________________________________
Performance Evaluation
Performance Metrics: Compliance with standard policy and procedure
Compliance with federal mandate

Consequences: Further training
Loss of privileges
________________________________________
Subject Experts
The following may be consulted for additional information.
Executive VP

VP of Business and Finance