NYSPI Incident Management Procedures
The NYSPI computing environment supports a wide variety of data systems and data classifications. To provide agility, the environment is designed to support the flow of information throughout the Institute as appropriate. However, this also requires that incidents or potential incidents be handled carefully but swiftly to minimize risk to other Institute systems and ultimately patients and subjects.
NYSPI shall comply with all NYS security Policies and Standards, principally found at https://www.its.ny.gov/tables/technologypolicyindex, including but not limited to the NYS Cyber Incident Response Standard found at http://on.ny.gov/2doiFBP. This document defines minimum NYSPI-specific processes and procedures for managing incidents and potential incidents. Additional processes or actions may be required by regulation, protocols, contracts or other obligations. When requirements conflict, the most restrictive controls shall be applied.
This procedure shall apply to all technology developed or operated for NYSPI or within the NYSPI network, regardless of the operators or custodians of the solution or funding source of the operators or systems.
1. System Registration and Inventory
1.1. All multi-user computer systems shall be registered in an inventory maintained by psyIT. The inventory will minimally provide a reference to related servers and the data classification of the data sets stored on or within the system.
1.2. Data owners shall at least annually review their system inventory information and provide updates.
1.3. PsyIT may audit system inventory information for accuracy and may remove systems for which registration is not provided
2. User training
2.1. NYSPI workforce members with IT accesses will at least annually receive basic information security training inclusive of rudimentary incident detection.
2.2. NYSPI workforce who manage computing environments will at least annually receive IT-role-based training inclusive of incident detection and response.
3. Logging and auditing
3.1. All systems will comply with the NYS Security Logging Standard (http://on.ny.gov/2dxu6tP)
3.2. Multi-user systems will export log data in real-time or near-real-time to a psyIT approved log system
3.3. Internet-accessible systems shall write security logs to the NYS security information and events management (SIEM) solution
4.1. Any suspicious activity or events should be reported to the psyIT service desk (email@example.com) as soon as detected, regardless of whether psyIT support would be required to support the incident.
4.2. Where applicable, potential incidents should be reported prior to psyIT while the potential incident is being investigated.
4.3. psyIT will notify the OMH Chief Information Security Officer and, if appropriate, the CUIMC Chief Information Security Officer and/or NYS Enterprise Information Security Office Cyber Command Center as soon as practical.
5.1. The OMH Cyber Risk Coordinator / HIPAA Security Official will assign a primary point of contact for the incident. This may be program-specific, psyIT, OMH or other NYS staff as appropriate for the incident.
5.2. The point of contact shall coordinate regular but secure communication between all involved parties.
5.3. Any communications with outside parties not directly connected with the incident (e.g. contractors or sponsors) will be handled through NYS counsel and/or public information offices. At no time may individuals communicate information related to any incident or any active potential incident with individuals outside NYSPI, OMH or NYS Office of Information Technology Services (ITS) unless approved by OMH executive staff.
Requests for exceptions to these procedures should be directed to the contacts listed below.
Questions or requests for exceptions shall be directed to both the director of PsyIT and the OMH Chief Information Security Officer. E-mails may be sent to the current individuals directly or to PsyIT-Admin@nyspi.columbia.edu.
Review Schedule and Version History
|Date||Description of Change|
|12/9/16||Updated to explicitly reference incident reporting to CUMC if applicable.|
|1/25/18||Updated to reflect title change of OMH CISO position.|
|5/14/19||Updated for formatting and to reflect CUIMC naming.|