Roper Center Data Breach Policy and Incidence Response Plan

August 2022

This policy fosters compliance with national laws, regulations, and recommendations, including the Desirable Characteristics of Data Repositories for Federally Funded Research; complies with Cornell University’s policy on Reporting Electronic Security Incidents; makes clear rules for staff to act in the event of a breach; and represents industry standard data security procedures. While the Roper Center prioritizes maintenance of security to prevent data breaches from occurring, this policy provides guidelines for required actions and responsibilities should a data breach nonetheless occur.

Process for response to possible data breach:

  • Possible identification of a data breach may occur through third-party notification, ITSO network anomaly detection, or Roper IT detection of data and traffic anomalies via internal system monitoring tools. The Lead Software Engineer and Systems Administrator share responsibility for ongoing monitoring to facilitate detection of possible data breaches.
  • If any member of the Roper Center staff suspects that an electronic security incident may have occurred or may be imminent, whether through their own observation or a third-party notification, they are expected to notify the Roper Center Associate Director, the Lead Software Engineer, and Systems Administrator. If none of these are available (for example, if the breach occurs during non-standard business hours and these individuals are non-responsive to contact attempts), the staff member should directly contact the Cornell IT Security Office (ITSO) at itsecurity@cornell.edu or (607) 255-6664.
  • If the IT Security Office has not yet been contacted, the Lead Software Engineer and/or Systems Administrator must immediately notify the Cornell IT Security Office (ITSO) at itsecurity@cornell.edu or (607) 255-6664.
  • The Lead Software Engineer and/or Systems Administrator shall continue to collaborate with the IT Security Office throughout the incident until closure. The IT Security Office will communicate the appropriate actions that need to be taken, the rationale, and the path to remediation and recovery after working with appropriate offices within the University, including convening the Data Privacy Incident Response Team (DPIRT) if appropriate (https://it.cornell.edu/it-partners/data-privacy-incident-response-team-dpirt).
  • The Lead Software Engineer and/or Systems Administrator will assist in determining the extent of the breach and whether additional Roper Center stakeholders may be affected by the breach. These stakeholders could include member institutions, data providers, and/or individuals.
  • In the event that Roper Center external stakeholders are affected by the breach, the Associate Director will notify these stakeholders. The Executive Director will also notify the Board of Directors of the Roper Center. The Lead Software Engineer will confirm that the Cornell IT Security Office is also aware.