This FAQ addresses what steps should be taken by faculty, staff, or students when a breach of information is suspected or confirmed. Any of the examples below constitute a breach that must be reported, in accordance with Drake University policy
Definitions
Security Incident: Electronic activities - such as "hacking" or a compromised or abused computer - that result in damage to or misuses of the Drake network or a device connected to it. Primary examples are:
- The theft or loss of a computer containing confidential information
- Communication of confidential information to an unauthorized party, or
- Compromise of an account or system with access to confidential information
Confidential Information: The following data elements, when they appear in conjunction with an individual name or other identifier:
- Passwords
- Social security numbers
- Credit card numbers
- Driver's license numbers
- Bank account numbers
- Protected health information, as defined in the Health Insurance Portability and Accountability Act (HIPAA)
- Student records protected by the Federal Education Rights and Privacy Act (FERPA) requests for confidentiality
Reporting an Incident
When any employee of the University has been made aware of a possible incident, they must contact ITS (Information Technology Services) through one of the methods listed below. ITS staff will gather information about the incident and escalate it as appropriate when an incident has or appears to have occurred. The IRT (Incident Response Team) will determine incident severity and undertake discussion and activities to best determine the course of action.
In accordance with University security policy 1.6, Reporting Electronic Security Incidents, prompt and consistent practices are required when an incident is suspected, in order to quickly confirm the incident, reduce impact, and respond in accordance with applicable law.
Suspected incidents should immediately be reported to the Security & Compliance team. Email informationsecurity@drake.edu.
When any employee of the University has been made aware of a possible incident, they must contact the Security & Compliance team as quickly as possible.
If no response is received, please contact a member of the ITS leadership team or the Support Center at 515-271-3001.
Handling an Initial Incident
The first objective when learning of a possible incident is to determine legitimacy and severity. In some cases, the issue may be resolved using other troubleshooting and resolution options, and will not constitute an incident.
Potential questions you may be asked upon initial discovery:
- Did physical theft take place? If so,
- Describe the incident
- What data was stored on the device?
- What data is accessible from the device?
- Were any of the following data types (or, is it possible that any of the following data types were) accessed inappropriately or released?
- Drake/Banner IDs and/or passwords
- Social Security Numbers, Passport numbers, Driver License numbers
- Medical records
- Credit card numbers
- Financial records, such as bank account numbers, credit scores, credit reports, compensation information, employment records, performance evaluations, or payroll information
- Student and prospective student records (with or without SSNs)
- Donor and alumni records
- Information protected by a non-disclosure agreement or similar contract
- Was a third party involved? (E.g. vendor storing data experienced a breach)
If the answers to these initial questions indicate that information was probably compromised, proceed with the assumption that an incident has occurred.
Contact and Escalation
The Information Security Director will gather information about the incident and either work to remediate it directly, or escalate it to the IRT, depending on severity.