Amherst College Security Breach Action Plan Draft
Draft rev 04.29.09
I. Sensitive College Data
- Click on the icon below to see the working file
II. Breach of Security
- Known theft of sensitive data.
- Loss/Theft of device, such as a laptop, PDA (Blackberry), CD-ROM, or flash drive, containing sensitive data.
- Unauthorized access to sensitive data.
- Sensitive data exposed in such a way that controls for access were not in place.
- Computer with access to sensitive data infected by spyware.
III. Security Breach Action Plan
- When a breach is suspected contact Director of IT and Chief of Campus Police.
- Chief of Campus Police alert Director of Public Affairs.
- Director of IT take immediate steps to halt or minimize the impact of the breach (e.g. take server off-line, remotely wipe Blackberry, disable user access, etc.).
- Director of IT assess magnitude of breach and create a plan and budget proposal to prevent future breaches of the same type.
- Director of IT, Director of Public Affairs, and Chief of Campus Police, with others, such as College attorneys, assess who effected, the legal and public affairs issues in play, and who gets notified (i.e. just the affected users, the entire community, the press, etc).
- Director of Public Affairs create plan for appropriate notification.
- Directors of IT and Public Affairs assess financial impact of plans for preventing future breaches and for notification (including such things as offers of future credit checks) and present them to the Treasurer.
- Directors of IT and Public Affairs implement plans.