Cybersecurity Breach/Incident Response Policy/Procedure
Policy Overview
All security breaches will be thoroughly investigated by IT following the procedures in this document. The University of Arkansas at Fort Smith shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a security breach has occurred or when notified by a regulator or other third party.
Scope
Attacks on University IT resources are infractions of the Acceptable Use Technology Resources Policy constituting misuse, vandalism, or other criminal behavior. Reporting security breaches occurring on University systems and/or on University networks to appropriate authorities is a requirement of all persons affiliated with the University in any capacity, including staff, students, faculty, contractors, visitors, and alumni.
Definitions
Breach in security
This is defined as an unauthorized acquisition of private and confidential information,
typically maintained in an electronic format by the University.
Highly Sensitive Information
If the information acquired is of a very sensitive, private, confidential, or proprietary
nature, the security breach will be investigated and University officials, including
the Chancellor and Vice Chancellors, in consultation with the UA System General Counsel,
will determine if a public notification is warranted. Examples of highly sensitive
information include but are not limited to:
1) Records protected by FERPA, HIPAA, GLBA, or other applicable federal laws and regulations
2) Information subject to contractual confidentiality provisions
3) Usernames and associated passwords
Personally Identifiable Information (PII)
If the information acquired includes a name (first and last name or first initial
and last name) in combination with any of the following (not a complete list), and
the information was not in an encrypted format, a public notification may be warranted:
1) Social security number
2) Driver’s license number
3) Bank account, Credit or Debit Card account number with a security code, PIN, or
password that would permit access to the account
Personal information that is publicly and lawfully available to the general public,
such as address, phone number, and email address, is not considered private information
for the purposes of this policy.
SIEM server
Security Information and Event Management – A logging software that collects security
related data from a variety of sources, including servers, devices, networking equipment,
and applications.
Policy Statement
Suspected or confirmed information security breaches must be reported to University
authorities. Breaches include, but are not limited to the following:
✓ Unauthorized access to UAFS owned technology such as the LAN (local area network),
servers, software applications, and other University owned devices.
✓ Unauthorized access to UAFS owned technology by using stolen credentials.
✓ Unauthorized acquisition of data that compromises the security, confidentiality,
or integrity of personal information maintained by the University of Arkansas at Fort
Smith.
✓ Destruction of an information system such as deleting data files, folders, or other
related data.
✓ Compromising an information system with malware such as ransomware.
✓ A lost laptop or USB drive that contains highly sensitive or private information.
The Vice Chancellor for Finance and Administration will investigate the report, and
if a security breach of private and/or highly sensitive information may have occurred,
he/she will inform the University Chancellor and/or law enforcement, as appropriate.
In the event that a public notification of the security breach may be warranted, the
Vice Chancellor for Finance and Administration will consult with the University Chancellor
and appropriate Vice Chancellor(s), Provost, and General Counsel to develop the response
and make the final determination if a public notification of the event is warranted.
Emergency Procedures - Make sure ALL steps are Reviewed
The entity responsible for support of the system or network under attack is expected
to:
1) Report the attack to their supervisor and to the Vice Chancellor for Finance and
Administration
2) Contact the Director of IT/Chief Information Officer to assess the situation.
3) IT tasks:
(1) Investigate and look for signs of suspicious activity and data breaches using some
of the following tools: (See Cybersecurity Event Analysis Policy and Security Incident
Response Procedures)
• Firewall and firewall logs
• SIEM server, along with individual security and audit logs of servers, systems, and
Active Directory that are not being reported to the SIEM server
• Network activity using various networking tools
(2) Block and/or prevent escalation of the attack
(3) If this is an account compromise, then review the Account Compromise Policy
document
4) Contact (AREON) for assistance as needed - Email – noc@areon.net Phone – 877-398-0012
5) For a MAJOR breach – Monday – Friday 8:00am to 4:30pm (501) 664-7705 or 1-800-358-7741.
Email: GGB.NRCClaimsCenter@aig.com. After hours call (501) 664-9252. Note: Prompt reporting for a major breach is a policy coverage requirement.
6) Contact DOE - Department of Education SAIG (Student Aid Internet Gateway) on the day of the breach.
1st option - email: cpssaig@ed.gov or fsa_ihecybercompliance.ed.gov; 2nd option - fill out this FORM;
3rd option - phone: 202-245-6550 (24X7). Include the following information:
(1) Date of breach (suspected or known)
(2) Impact of breach (# of records)
(3) Method of breach (hack, accidental disclosure, etc.)
(4) Email and phone details
(5) Remediation Status (in progress, completed, and include details)
(6) Next steps (as needed)
7) Report the incident to the Arkansas Legislative Audit within 5 business days
(1) HB110 (click for link to the Arkansas code – AR Act 260)
(2) Report the Security Incident for unauthorized:
• Access to an information system of a public entity
• Destruction of an information system of a public entity or its data
• Stolen credentials used to successfully login as the compromised user
• Acquisition of data from an information system of a public entity
• Fill out the online form (click here)
(3) Include a brief timeline of events in the incident description.
8) Contact the UA System CISO (Chief Information Security Officer), UA System CIO (Chief Information Officer),
and potentially the UA General Counsel. The UA General Counsel can assist with legal
notifications concerning state and federal regulations, along with coordinating law
enforcement investigations. Be sure to include the following information:
(1) Description of the incident
(2) The number of individuals affected
(3) The nature of the information affected
(4) Actions taken to prevent further incidents of security
9) Contact UA System Internal Audit department after filling out the incident for the Arkansas Legislative Audit so they
can log the incident. Send email to the Chief Audit Executive, UA System CIO, and
UA System CISO. Copy the incident description from the Arkansas Legislative Audit
incident report form and give a short summary of what happened.
(1) https://uasys.edu/system-office/internal-audit/
10) Block and/or prevent escalation of the attack
11) Follow instructions communicated from the Chancellor or the VCFA in the subsequent
investigation of the incident and preservation of evidence, and implement any recommendations
12) Repair any resultant damage to the system
13) Notifications to affected individuals shall be made solely through electronic
means unless a law requires a different method.
14) Write up postmortem documentation
Internal Notifications
The Chief Information Officer (CIO) will report serious computer security breaches
to the Vice Chancellor for Finance and Administration in a timely manner (no longer
than one workday). The Vice Chancellor for Finance and Administration will consult
with the Chancellor, or one or more Vice Chancellors, as appropriate, and decide if
the Information Technology Services Management Team must be convened to
determine a response strategy, or if an alternate group is appropriate for the response.
This determination may be made prior to completion of the investigation of the security
breach. The Vice Chancellor for Finance and Administration will report the incident
to the Chancellor and the UA System General Counsel when, based on preliminary investigation,
criminal activity has taken place and/or when
the incident originated from a University computer or network.
Determination of External Notification
To determine if unencrypted private or highly sensitive information has been acquired,
or is reasonably believed to have been acquired by an unauthorized person, the following
will be considered:
1) Physical possession (lost or stolen device?)
2) Credible evidence the information was copied/removed
3) Length of time between intrusion and detection
4) Purpose of the intrusion was acquisition of information
5) Credible evidence the information was in a useable format
6) Ability to reach the affected individuals
7) Applicable University policy, and/or local, state, or federal laws
8) Evidence that a user’s credentials were compromised and used to login as the compromised
user
External Notification
If it is determined that an external notification to the affected individuals is warranted,
the following procedures will apply:
1) Written notice will be provided to the affected individuals using U.S. Mail, unless
the cost is excessive or insufficient contact information exists. The letter will
be developed by the department responsible for the system experiencing the breach,
and approved by the University Public Relations Office and others, as appropriate.
The cost consideration will be the decision of the Chancellor or the UA System General
Counsel.
2) If written notice to the affected individuals is not feasible, the following methods
will be considered for providing notice:
• Personal e-mail notices (provided addresses are available), developed by the
department responsible for the system experiencing the breach, and approved by
the Vice Chancellor for Finance and Administration and other administrators, as
appropriate.
• A press release to media, to be written by University Relations and approved by
the Chancellor and other administrators as appropriate.
• An informational web site, developed and hosted by the department responsible
for the system experiencing the breach, and approved by the Chancellor, University
Public Relations, and others as appropriate, with a conspicuous link on the University
public website home page.
3) All expenses associated with external notification will be the responsibility of
the department responsible for the system that experienced the security breach.
Authorization
This policy was approved and subsequently adopted by Mark Horn, UAFS Interim VCFA, on November 12, 2015. Last revised 8/19/2025 by Terry Meadows/Chief Information Officer
References and Related Documents
Account Compromise Policy
Cybersecurity Event Analysis Policy
Security Incident Response Procedures
Acceptable Use Technology Resources Policy
Policy Document Information
Postmortem I. Following a verified security breach incident, this policy should be reviewed for
any improvements needed.
Continuous improvement. The content of this document is subject to regular review based on input from UAFS
Technology Services staff and the campus community. Suggestions for improvement should
be directed to the Director of Information Technology Services.