Policy Overview
The incident response policy establishes an incident response program for managing risks through incident detection, response, and remediation at Santa Fe Community College (SFCC or College).
Scope and Applicability
This policy is applicable to all College information technology (IT) resources owned, contracted, or operated by SFCC. All users of IT resources are responsible for adhering to this policy.
Policy Statement
An effective incident response policy is essential to establishing a comprehensive and coordinated approach to preparing, identifying, containing, eradicating, and recovering from security incidents. By defining clear policies, standards, controls and procedures, this policy empowers the College to mitigate the impact of security incidents and swiftly restore normal operations. This policy aligns with the National Institute of Standards and Technology Cybersecurity Framework and the NIST Computer Security Incident Handling Guide, incorporating industry best practices to ensure effective response preparedness.
Definitions
- Controls are the specific technical specifications and countermeasures that must be implemented to minimize security risks relating to College data, systems, reputation, or property to be in compliance with a standard.
- Cybersecurity Incident Response Team (CSIRT) is a selected group of IT professionals whose primary role and responsibilities are related to system ownership and administration. Stakeholders from areas including, but not limited to, marketing, safety and security, human resources, legal counsel, student services, finance, and any other area with compliance requirements will be granted membership and will be called upon to respond to incidents as needed by the team.
- Incident is a security event that could threaten the confidentiality, integrity, or availability of the College’s information technology resources or has already done so. Examples include, but are not limited to: compromised user account; compromised endpoint (e.g., malware, ransomware, or other unusual activity); unauthorized exposure of confidential or sensitive information; or compromised infrastructure.
- Incident Response is the ability to identify, respond to, and manage security incidents to minimize impact and restore normal operations quickly.
- Information Technology Resources refers to all contracted or owned SFCC technology facilities, services, subscriptions, hardware, software, data storage, accounts, networks, bandwidth, and all content and data (information) that comprise such technology.
- Standard is a set of security features or directives that a system or users must provide before it can be deemed to be in accordance with this policy.
- System Owner is an individual with operational, technical and overall responsibility for all aspects of a particular information technology system.
- User is any person including, but not limited to, students, employees, guests, volunteers, contractors, consultants, and vendors who interact with SFCC’s technology resources and services.
Policy Process
- The CSIRT reviews, detects, and investigates security events to determine whether an incident has occurred, and the extent, cause, and damage of incidents.
- The CSIRT is made up of key IT and cybersecurity professionals along with stakeholders including, but not limited to:
  - Human Resources
  - Safety and Security
  - Marketing and Public Relations
  - Legal Counsel, and
  - Student Services.
- Stakeholders will be called upon as required by the CSIRT based on the scope and impact of an incident.
- Monitoring: The Office of Information Technology and the CSIRT shall establish incident response capabilities to identify, contain, eradicate, and recover from security incidents in a timely manner.
- Incident Response Planning: The CSIRT, along with relevant stakeholders, shall develop and maintain a standard Incident Response and Handling Plan for the College. All system owners shall incorporate the College Incident Response and Handling Plan into their system security plans.
- Incident Response Testing: The CSIRT, along with stakeholders, shall conduct annual testing of the Incident Response and Handling Plan. As part of testing and lessons learned, updates to incident response procedure, plan, standards, and controls must be made to address emerging threats and vulnerabilities.
- In response to an incident that poses a threat to the College, the Office of Information Technology is authorized to take necessary steps to contain and/or disrupt malicious activity including, but not limited to:
  - Expediting changes to IT resources,
  - Monitoring and retrieving relevant logs,
  - Disconnecting systems from the network, or
  - Disabling user access.
- Exceptions
  - The Chief Information Officer or designated member of the CSIRT must approve any exceptions to the policies, standards, or controls in advance of a system change or implementation.
  - General Exception Requests: Requests for exception must be made in writing and must contain the following information at minimum:
    - The reason for the exception request.
    - Technical / Logistical Issues preventing adherence.
    - Risk to the organization of not following the policy or related standards and controls.
    - Mitigating standard or control that will be implemented in lieu of approved standard or control.
- User Risk and Violations
  - Users may be held liable for data breaches, damage to IT resources, theft of IT resources, or loss of data that occur due to user negligence.
  - The Office of Information Technology may investigate any conduct prohibited by this policy.
  - Violators of this policy may face disciplinary action up to and including removal of privileges, suspension, expulsion, termination, or removal from campus (SFCC Policy 2-2 Student Corrective Action and Disciplinary Action, SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action).
Statement of Accountability and Responsibility
The President, through the Chief Information Officer and the Office of Information Technology, shall be responsible for enforcing technology policies, standards, controls, and procedures. The Office of Information Technology shall work with the different departments and offices to comply with this policy and to develop standards, controls, and procedures that will enforce this policy regarding awareness, prevention, and remediation.
Authority
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
SFCC Policy 2-1 Student Code of Conduct
SFCC Policy 2-2 Student Corrective Action and Disciplinary Action
SFCC Policy 4-1 Workplace Ethics and Code of Conduct
SFCC Policy 4-2 Employee Corrective Action and Disciplinary Action
SFCC Policy 7-1 Acceptable Use of Information Technology Resources
Approval
SFCC Governing Board approved: 08/27/2025

