Information Security page 13
defined in the Incident Response Standard and reviewed promptly by
authorized employees. Reference: ISO 27002:2013-16.1.2,16.1.3
b. Management of Information Security Incidents – Response actions
related to security incidents will adhere to a documented set of procedures,
including appropriate communication and coordination of efforts. Methods
to preserve electronic evidence will follow adequate standards of
discovery and preservation to prevent spoliation. Knowledge gained
during the analysis of security incidents will be captured, reviewed, and
appropriately shared to identify security corrections or control measures
that may help address similar events. Reference: ISO 27002:2013-16.1.4,
16.1.5, 16.1.6, 16.1.7; GLBA Safeguards Rule, 16 C.F.R. § 314.4(b)(3)
12. Business Continuity Management
a. Information Security Continuity – Continuity plans will be developed,
reviewed and tested for information resources that are critical for ongoing
operations, as identified by information resource trustees and stewards.
Periodic verification of these plans will be performed. Reference: ISO
27002:2013-17.1.1,17.1.2,17.1.3
b. Resilient Information Resources – Information software and hardware
resources will be implemented with sufficient resiliency to meet identified
and documented availability needs. Assessment of these needs will be
included in the implementation process. Reference: ISO 27002:2013-17.2
13. Compliance Management
a. Information Security Compliance – The Director of Information
Security Services, in consultation with the CIO, shall have primary
responsibility for enforcement of the information security policy. The
CIO, Director of Information Security Services and the appropriate
information resource trustee(s) will address policy violations in
accordance with section IV.D.2.c.
b. Identification of Compliance Requirements – Regular periodic review
will be conducted to ensure that relevant legal, policy, and contractual
requirements are identified for the university and relevant information
resources. Reference: ISO 27002:2013-18.1.1
c. Intellectual Property Rights – Procedures will be implemented to ensure
compliance with applicable legal, policy, and contractual requirements
related to intellectual property rights and use of proprietary information
resources. Reference: ISO 27002:2013-18.1.2
d. Protection of Records – University data will be protected from loss,
destruction, falsification, and unauthorized release in accordance with
legal, policy, and contractual requirements. Reference: ISO 27002:2013-