Personal tools
You are here: Home Department IT Security Technical Staff Incident Handling IPET Information Protection Evaluation Team (IPET) Procedures
Contact information
rusecure@rutgers.edu
(732) 445-8011

RU Secure Home
 
Document Actions

Information Protection Evaluation Team (IPET) Procedures

last modified 2008-02-25 12:59

The intent of this document is to describe the procedures to support the identity theft compliance policies, provide reporting guidelines and guidance to departments. The CIRT works with departments to help in the data gathering process.

Step by Step

  • Establish that a data breach took place.
    • Review definition of NPPI
    • Review details of  the original report received by
  • Notify management
    • Notify the director of IPS (or designate) of possible NPPI exposure.  This is commonly done via email to: abuse@rutgers.edu
    • The CIRT will enter an HDRT ticket in the IPS - Abuse - Incidents - Critical queue following the established procedures.  The director of IPS is automatically included in subsequent correspondence.
    • Identify the owner of the data.  (The data owner can be outside of Rutgers University, even though the data is on a Rutgers network device.)
    • Identify the corresponding director or department chair.
  • Determine the extent of the data exposure
    • Approximate the number of target individuals
    • Gather demographic or other information in common that describes the individuals as a group, such as academic department, college affiliation, special program affiliation, or applicant status.
      • Example: Federal Work Study Program participants in the department over the past 5 years
      • Example: Current applicants for admission to graduate studies
    • Obtain a detailed description of data fields or elements in the exposed data
    • Gather logs that show whether the data was viewed or exposed
    • Determine as closely as possible when (date, time) the data was exposed and for how long it was exposed
  • Determine the vector of data exposure.
    • For remediation advice, see Compromise of Confidential Data and related links in Advice for specific incidents.
    • Possible vectors include (but are not limited to:
      • Unprotected or improperly protected web page(s)
      • Mistaken placement of data on web page(s)
      • Unauthorized access to a host or data base
      • Improper disposal of hard copy documents or other media ("dumpster diving")
      • Failure to sanitize computer media during disposal
      • Theft of laptop or other equipment where data was stored
      • Loss or theft of computer media
  • Summarize these findings for the Director (or designate) of IPS to report to the IPET.
  • IPET Action
    • IPET discusses recommendations via email
    • Recommendations are sent to Dr. Furmanski or one of the Provosts (depending upon the campus) for final
      approval. 
    • IPET decision conveyed to the department
    • IPET assists  the department where the breach occurred with
      executing upon notification assuming we decided that notification was
      required. 
    • If the decision is made to notify, access the DRAFT: Breach Notification as a sample letter. 
  • Advise the Help Desks of large scale notifications.

See also:

Identity Theft Compliance Policy

Identity Theft Prevention Act

Identity Theft Reporting Guidelines

Powered by Plone CMS, the Open Source Content Management System

This site conforms to the following standards: