Whenever Virginia Tech is notified of a potential cybersecurity incident or data exposure, specific steps should be taken with university officials to determine a course of action that ensures compliance with university policies and federal and state regulations.
The ITSO manages and coordinates the detection, identification, containment, eradication, and recovery efforts for reported cybersecurity incidents with Virginia Tech departments’ IT personnel. The IT Security Officer also has the authority to classify threats as a risk to the enterprise and can activate the VT-CIRT team at his discretion. The CIRT Team will only be activated if a cybersecurity incident has been identified as affecting University IT systems/services at an enterprise or a multi-departmental level.
In the case of data exposures, the department responsible for the exposure should inform their department head of the incident and work with the University Legal Counsel and the IT Security Office to determine appropriate action(s).
The department responsible for the exposure assumes primary responsibility for dealing with issues of the exposure. They should work with data stewards to verify the confidentiality of the data and take responsibility for developing a communications plan that includes any publicity, notification to individuals and others, and necessary remediation.
Personal information requiring notification (PIRN) includes sensitive information as covered by Virginia Tech’s Standard for Storing and Transmitting Personally Identifying Information:
- Social Security number
- Credit card number
- Debit card number
- Bank account number
- Driver’s license number
- Passport number
- First name or first initial and last name with date of birth
PIRN also includes elements of FERPA and HIPAA. Contact the IT Security Office for help determining if data qualifies as PIRN.
For more information on how to deal with data exposures, view the following document:
For a list of Data Trustees and Data Stewards, please see this link.