Information Security Incident Response Policy

Policy Number: CS-1515-2023

Policy Title: Information Security Incident Response

Policy Owner: Chief Information Officer

Effective Date: March 22, 2023

Last Revised: Intentionally Left Blank

 

On this Page:

  1. Purpose
  2. Application and Scope
  3. Definitions
  4. Principles
  5. Accountability and Compliance
  6. Roles and Responsibilities
  7. Rules
  8. Policy Revision Date
  9. Attachments
  10. Specific Links

1. Purpose

This Policy ensures commitment to the protection of Information and Technology resources by governing accepted College requirements and activities as they relate to Cyber and Information Security Incident Response processes, enables incident response teams to act quickly and decisively, and sets roles and responsibilities within these processes.

2. Application and Scope

This policy applies to all employees, contractors, consultants, volunteers, researchers, or other workers including College community members that use any component of the College’s technology and information resources regardless of the physical location or device used. This policy applies to both electronic and hard copy information and records.

3. Definitions

"Event" is an anomalous activity that may impact the normal day-to-day operations of the Mohawk network and systems or may expose the data stored on Mohawk systems to improper access. Examples include system events, network communications, phishing emails, brute force attacks, etc.

"Incident" is an Event that requires additional triage, analysis, containment, or remediation efforts as a result of the impact of the event. Examples include Ransomware outbreaks, execution of malicious code, data breaches, suspected criminal activity, loss of devices, unauthorized use, events that could impact campus operations, and exploitation of unpatched systems by an attacker, among others.

"Information Security Incident Response Team" is a defined group of technical subject matter experts with hands-on experience in different domains within Information Technology, led by College cyber security professionals.

4. Principles

4.1 Ethics, Values, and Fairness: Exercise common decency, good judgement, and respect for the College community members and property.

4.2 Security: Preserve the integrity and availability of systems and services and ensure that actions taken by College community members do not negatively affect College IT resources.

4.3 Privacy: Protect and safeguard College IT infrastructure and information.

4.4 Compliance: Use of IT resources adheres to all legal, regulatory and College policy requirements.

4.5 Productivity: Access to IT resources is uninterrupted and accessible when needed.

4.6 Safety: The College fosters a safe and welcoming campus which requires operational technology, and community members are free from harm caused by malicious actions.

5. Accountability and Compliance

5.1 Accountability Framework

This policy has been approved by the Senior Leadership Team.

5.2 Compliance

The Chief Information Officer, in cooperation with the Information Security Incident Response Team, will monitor and ensure compliance with this policy as well as the Information Security Incident Response Handbook, Information Technology Major Incident Response Process, and related incident response playbooks.

6. Roles and Responsibilities

6.1 Chief Information Officer

The Chief Information Officer is accountable for the security of all IT Resources.

6.2 Senior Leadership Team

Members of the Senior Leadership Team are responsible for ensuring all incidents in their area of purview are reported immediately and for supporting the Incident Response Team by setting business context to information and events, gathering information, making resources available as required, and supporting the overall incident response process.

6.3 Director, Cyber Security

The Director, Cyber Security is responsible for the College’s Cyber Security program and for the implementation of the College’s Incident Response Program, including ensuring that policies and processes are documented, followed, and continually improved.

6.4 Information Security Incident Response Team

The Information Security Incident Response Team is responsible for coordinating and responding to Information Security Incidents in compliance with this Policy, and the Information Security Incident Response Handbook. This team is also responsible for annual review and approval of procedures, oversight of Information Security Incidents, and recommendations to enhance processes and communications from lessons learned.

6.5 Office of the General Counsel and Corporate Secretary

The Office of the General Counsel and Corporate Secretary supports the Incident Response Team by providing or enabling legal advice as required, and by ensuring that incidents involving privacy breaches are properly assessed, contained, and documented. Where incidents involve a breach of privacy, the Office of the General Counsel and Corporate Secretary will manage any notification and reporting requirements.

6.7 Public Affairs

The Public Affairs department is responsible for coordinating external communications to the College related to Information Security Incidents.

7. Rules

  • The Information Security Incident Response Team has the authority to temporarily interrupt infrastructure and Information Technology services and resources as a response to an Information Security Incident where the severity threatens substantial loss to community members' privacy, safety, or operations of the College.
  • Information Security Incidents must be responded to by the Information Security Incident Response Team in accordance with this Policy, and Mohawk College’s documented Information Security Incident Response Handbook as follows:
    • Incidents must be assessed, categorized by type, and prioritized for severity against the Information Security Incident Priority Matrix;
    • Incidents classified as Critical or High (>= Priority 2) must take precedence over operations and delivery and be formally documented;
    • Forensic analysis must be performed as part of the incident response lifecycle where there is substantial risk to community members' privacy, security, or safety;
    • Procedures for identification, collection, acquisition, and preservation of incident information must be followed;
    • Remediation and mitigation must be executed with high priority; and
    • Post incident analysis and reporting must be performed to identify the source of the incident.
  • Information Security Incidents prioritized as Critical or High (>= Priority 2) must be reported by the Information Security Incident Response Team Members to the Chief Information Officer, Vice President, Corporate Services and the General Counsel and Corporate Secretary once confirmed.
  • All external communications from the College about an Information Security Incident must be coordinated and completed by the College’s Public Affairs department or Office of the General Counsel and Corporate Secretary, as required.

  • Organizational Support and funding for forensic analysis and legal services must be provided by the College where:
    • College employees do not have the required skillsets to provide the services; or
    • Where incidents or investigations may require evidence to be prepared for a court of law or arbitration; and
    • Operational Funding for Incident Response has already been exhausted.
  • The Information Security Incident Response Handbook must be reviewed and maintained annually with an up-to-date table of resources, including roles and responsibilities. The handbook must be prepared and available to respond to Information Security incidents on demand.
  • The Information Security Incident Response Team will be trained on a bi-annual basis and provide training to the Senior Leadership Team on their responsibilities to identify incidents and support incident response practices.

  • Mohawk College must continually improve the Incident Response Program to reduce the likelihood or impact of future incidents by:
    • Acting on lessons learned from events, incidents, and information sharing;
    • Implementing additional controls as guided by frameworks and best practices; and
    • Capturing Key Performance Indicators and tracking continual improvement.

8. Policy Revision Date

8.1 Revision Date

March 2026

8.2 Responsibility

The Chief Information Officer and Director, Cyber Security will review this policy every 3 years or earlier where required.

9. Attachments

  • Information Security Incident Response Handbook (Available by Request)
  • IT Major Incident Handling Process (Available by Request)
  • Mohawk College Emergency Response Plan (Available by Request)

10. Specific Links