Data Breach Notification Standard
Date of Current Revision or Creation: October 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with ODU Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that guide the design, deployment and management of information technology.
Purpose
The purpose of this standard is to specify the data breach notification requirements for ODU by identifying the triggering factors and necessary responses to unauthorized release of unencrypted sensitive information.
Definitions
Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.
Personal Information is any piece of data that can potentially be used to identify a single person. Generally, a name and one or more personal information data elements are necessary to place identity at serious risk.
Standards Statement
ODU will identify all University systems, processes, and logical and physical data storage locations, including those held by third parties, containing Class 1, 2, and 3 regulated data as described in the ITS Standard 02.3.0 Data Administration and Classification.
ODU will include provisions in third-party contracts that involve Class 1, 2, and 3 regulated data, requiring that the third party and third-party subcontractors:
- Provide timely notification to the agency of suspected breaches
- Allow the agency both to participate in the investigation of incidents and exercise control over decisions regarding external reporting.
ODU will provide appropriate notice to affected individuals upon the unauthorized release of any unencrypted Class 1, 2, and 3 regulated data by any mechanism, including, but not limited to:
- Theft or loss of digital media including laptops, desktop computers, flash drives, smartphones, tablets, CDs, DVDs, tapes, etc.
- Theft or loss of physical hardcopy
- Security compromise of any system containing Class 1, 2, and 3 regulated data
- Encrypted data in which the encryption key is also compromised
ODU will provide this notice without undue delay as soon as verification of the unauthorized release is confirmed, except as described below.
ODU will provide notification that consists of:
- A general description of what occurred and when
- The type of personal information that was involved
- Whether actions have been taken to protect the individual's personal information from further unauthorized disclosure
- What, if anything, ODU will do to assist affected individuals, including contact information for more information and assistance
- What actions ODU recommends that the individual take
ODU will provide this notification by one or more of the following methods, listed in order of preference:
- Standard mailing to any affected individuals whose mailing addresses are available
- Electronic mail to any affected individuals whose email address has been provided to the agency as a contact mechanism
- In the case of large-scale breaches or data breaches where neither form of communication listed above is available or feasible, public communications channels, including:
  - Conspicuous notification on the agency website
  - Notification by statewide public media, including newspaper, radio and television
ODU will not provide notification immediately following verification of unauthorized data disclosure only if requested by:
- Law Enforcement entities where it would interfere with an ongoing investigation
- CIO, ISO or designee where it would interfere with a determination of the scope of the data breach or investigation of root cause
Procedures, Guidelines & Other Related Information
- Federal and State Law
- Data and System Breach Response Framework
- University Policy 3505 - Information Technology Security Policy
- IT Standard 02.3.0 - Data Administration & Classification Standard
History
Date | Responsible Party | Action |
October 2008 | ITAC/CIO | Created |
October 2009 | ITAC/CIO | Reaffirmed |
October 2010 | ITAC/CIO | Reaffirmed |
October 2011 | ITAC/CIO | Reaffirmed |
October 2012 | ITAC/CIO | Reaffirmed |
December 2012 | IT Policy Office | Minor rewording for clarity; link updated; departmental name update; numbering revision |
December 2016 | IT Policy Office | Minor rewording for clarity |
December 2019 | IT Policy Office | Minor rewording for clarity |
October 2021 | CISO | Minor edits for clarification |