PLEASE NOTE: This policy is published as a binding draft while under campus review. If you would like to submit feedback on the draft policy and related documents, please use the feedback form.
Please report an information security incident or any phishing attempts immediately to firstname.lastname@example.org.
If you suspect a compromise or unauthorized access to credit card information:
Contact the campus ecommerce representative immediately to initiate the appropriate response, pursuant to the acquiring bank and card brand incident response procedures.
A "data security incident" is a catch-all term for different types of unauthorized activity involving computing devices and/or sensitive data. Members of the university community can use this page to learn about different types of data security incidents, the appropriate response procedures, and the consequences for mishandling them.
1. Respond to Data Security Incidents
Data security incidents involving university-owned devices or personal devices containing sensitive university data can have serious consequences. Responding to potential incidents promptly and efficiently helps protect the university's assets (e.g., data, computers, networks) and ensures compliance with state and federal law, and university policy. Please report any phishing attempts or other security incidents immediately to email@example.com.
2. Types of Data Security Incidents
- Computing Devices Compromised by Malware (Most Common)
Desktops, laptops, and servers are often infected with malicious software (e.g., viruses, malware). If the infected device contains sensitive university data, this may constitute a data security incident. If a server is compromised, IT Administrators should contact firstname.lastname@example.org for instructions.
- Computing Devices Accessed without Authorization (Non-Malware)
These include university devices accessed without permission, for example through stolen or compromised credentials (e.g., usernames and passwords), credentials lost to phishing scams, and other attempts to access a device without authorization (e.g., by former employees).
- Lost or Stolen Computing Devices
These include lost or stolen departmental laptops, USB drives, cell phones, or other devices that may contain sensitive data, or personal computing devices with sensitive university data. Report lost or stolen university-owned devices to UMass Dartmouth CITS.
3. Prevent Data Security Incidents
IT Administrators, faculty, and staff can take steps to help protect university-owned computers and sensitive data, and mitigate potential data security incidents. For more information, see Security Checklist for University-Owned Computers and Respond to Data Security Incidents Caused by Malware - Checklist for IT Administrators.
4. Consequences of Mishandling Data Security Incidents
Under Chapter 93H of the Massachusetts General Law, the university is required to notify those individuals whose personal information may have been compromised as a result of a security breach. Failure to respond to a data security incident appropriately can lead to regulatory fines, legal action, and loss of funding and reputation.
In the event of a confirmed security breach, departments may be held financially responsible for the cost of the breach, lose accreditation, and risk legal action, among other consequences.
5. Related Documents
- ITS-001: Acceptable Use of Information Technology Resources Policy
- ITS-006: Information Security Policy
- Respond to Data Security Incidents - Information for Faculty & Staff
- Respond to Data Security Incidents - Information for IT Administrators
- Respond to Data Security Incidents Caused by Malware - Checklist for IT Administrators
- Security Checklist for University-Owned Computers
The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.