
DHS Policy: Oregon Department of Human Services
Administrative Services
 
Policy Title: Privacy and Information Security Incident Response
Policy Number: DHS-090-005
Version: 1.0
Effective Date: 10/01/2004

Approved By: DHS Chief Administrative Officer
Approved Date: 10/01/2004




Overview

Description: This policy requires DHS to establish an incident response team to address the handling of privacy and information security incidents. It requires DHS managers, workforce members and other authorized information users to report privacy and information security incidents. An incident is a threat or event that compromises, damages, or causes a loss of confidential or protected information (e.g., unauthorized disclosure of information, failure to protect user IDs, theft of computer equipment or client files, unexplained changes to a systems file, viruses). A more complete list of examples of privacy or information security incidents can be found at the DHS Information Security Office Incident Response web page.

Purpose/Rationale: To provide quick, effective and orderly response to privacy and information security incidents ranging from unauthorized intrusions into DHS network systems to the mishandling of data in such a way that the privacy, integrity, or availability of confidential information is at risk.

Applicability: All individuals granted access to DHS information or systems are covered by this policy and shall comply with this and associated policies, procedures and guidelines. These individuals include full and part-time employees, volunteers, contractors, temporary workers, those employed by others to perform DHS work, and others authorized to access DHS information, network and/or systems.

Failure to Comply: Failure to comply with this policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including dismissal from state service for employees and volunteers, or termination of contracts for contractors, partners, consultants, and other entities. Legal actions may also be taken for violations of applicable regulations and laws.


Policy

  1. General
    1. The DHS Information Security Office shall establish an incident response team to provide quick, effective, and orderly response to privacy and information security related incidents.
    2. DHS managers, workforce members and other authorized information users are required to report privacy or information security incidents.
    3. Users shall be informed of what constitutes a privacy or information security incident, reporting procedures, and how to avoid risks.
  2. Incident Reporting
    1. Incident reports must be submitted to the OIS Customer Service and Support Office (Help Desk) or directly to the Information Security Office.
    2. Reports may be submitted verbally, electronically, printed or by fax as outlined in DHS-090-005-01, Information Security Incident Reporting Procedure.
  3. Incident Response
    1. The incident response team shall maintain incident response handling procedures regarding notification, assessment, investigation, remediation, monitoring, and reporting to the Information Security Officer.
    2. The incident response team shall maintain procedures to report criminal-related privacy and information security incidents to outside authorities, complying with appropriate legal requirements and regulations.
    3. The incident response team shall inform and coordinate incident response activities with the Cyber Security Incident Response Team.
  4. Incident Documentation, Process Improvements and Mitigation
    1. The Information Security Office shall document privacy and information security incidents and maintain incident activity logs.
    2. The Information Security Office may facilitate privacy and information security related process improvement activities to reduce the risk of repeated incidents.
    3. The Information Security Office shall inform DHS Executive Management of privacy and information security vulnerabilities that threaten the confidentiality, integrity or availability of DHS information, network or systems and provide strategies to mitigate the identified risks.

Procedure(s)


Form(s)


Reference(s)


Definition(s)


Contact


Policy History



Oregon Department of Human Services
500 Summer St. NE E25, Salem, OR 97301-1098
Phone: (503) 945-5944
Fax: (503) 378-2897
TTY: (503) 947-5330