Restricted Data Security Breach Reporting and Response Policy

Policy Volume: RD
Responsible Executive: CISER Secure Data Services Manager
Responsible Office: Cornell Institute for Social and Economic Research

Issued: 2020-10-06

NOTE: This policy replaces these previous policies:

  • CRADC Restricted Data Security Breach Reporting and Response Policy [issued 2015-07-15, revised 2016-09-30, 2019-04-18]
  • Secure Standalone Desktop – Restricted Data Security Breach Reporting and Response Policy [issued 2017-09-17]

POLICY STATEMENT

This policy establishes measures that must be taken to report and respond to a possible breach or compromise of restricted data, including the determination of the systems affected, whether any restricted data have in fact been compromised, what specific data were compromised and what actions are required for forensic investigation and legal compliance.

POLICY REQUIREMENTS

Cornell Restricted Access Data Center (CRADC) is committed to compliance of restricted data. For the purpose of this document, restricted data relates to any nonpublic data that is protected by regulation, law or policy and/or is subject to contractual access restrictions as defined by a Data Use Agreement (DUA). CRADC, as the Data Custodian of these data,along with the authorized research team (Researcher),are obligated to adhere to the conditions set forth by the Data Provider in a signed DUA and this policy.

Reporting

It is the responsibility of the Researcher to contact the CRADC Security Liaison or the CISER Secure Data Services staff in a timely manner, in accordance with Cornell University Policy 5.4.2, Reporting Electronic Security Incident, if the Researcher suspects or is aware of a compromise creating risk of unauthorized access to restricted data.

Response

Upon receipt of such report, the CISER Secure Data Services Manager, and the System Administrator will convene to review the report. Upon initial review, the Cornell University Security Office will be notified to assist, according to Cornell University Policy 5.4.2, Reporting Electronic Security Incident.

Process Steps
  1. Identify:
    1. Nature of incident to best of knowledge
    2. Identify data involved
    3. Establish Data Provider contact information
    4. Identify systems involved, remove from network if applicable
    5. Review applicable policies, regulations and/or laws involved
  2. Recovery and Response:
    1. Contact Cornell University IT Security Office for assistance in forensics
    2. Secure the system and preserve it without change
    3. If deemed necessary, the Security Office will alert Cornell University Data‐Loss Incident Response Team
    4. Resolve situation
  3. Communicate:
    1. Contact Office of Sponsored Programs (OSP)
    2. OSP will contact Data Provider to inform of current situation
    3. If required, notify individuals of data theft
  4. Document:
    1. Create an incident report
    2. Document lessons learned
    3. Update necessary documentation

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Sharing, Transmission and Distribution of Restricted Data Policy, call the following offices:

NAMEEMAILTITLEPHONE
William BlockCISER Director607‐255‐4801
Elena GoloborodokoCISER Secure Data Services Manager607‐255‐4801
Jonathan BohanCRADC Secure Data Specialist607‐255‐4801
Resa ReynoldsCAC Assistant Director, Systems607‐254‐8686
Kim BurlingameSystem Administrator607‐254‐8686
Lucia WalleSystems Analyst/Programmer607‐254‐8686
Brenda LappTechnical Consultant607‐254‐8686
Cornell University
Security Office
607-255-6664