Procedures Pertaining to UIS Mainframe Violations of Boston University’s Information Security Policy and/or UIS Non-Disclosure Agreement

Detection

  1. When an employee detects or suspects a violation of the Boston University Information Security Policy or the UIS Non-Disclosure Agreement involving the UIS mainframe, the employee is required to immediately notify the DSA of that department or UIS Information Security.
  2. When a DSA suspects a violation, the DSA is required to investigate the incident immediately. The DSA should contact UIS Information Security if investigatory assistance is needed.
  3. When a DSA confirms a violation, the DSA is to contact UIS Information Security immediately.
  4. When UIS Information Security detects a violation or unusual activity, the DSA of the department involved will be immediately contacted and an investigation will be initiated. No physical or electronic evidence related to the violation or suspected violation is to be destroyed or deleted.

Confirmation

A confirmed violation means that an individual admits to committing a violation or the evidence alone supports the existence of an actual violation.

Notification

When a security violation has been confirmed, the following procedures are followed:

  • Information Security immediately suspends the UserID and notifies the departmental management and the departmental DSA.
  • Information Security initiates a Policy Violation Report and forwards it to the appropriate individuals (see below). The purpose of this report is to notify other Boston University offices that a violation has occurred so that the appropriate actions will be taken within those offices.
  • If a student employee has committed the violation, Information Security notifies the Dean of Students Office and Student Employment.
  • If a faculty member has committed the violation, Information Security notifies the appropriate dean/director, the Office of the Provost and the Office of Personnel.
  • If a staff employee has committed the violation, Information Security notifies the appropriate unit manager and the Office of Personnel.
  • Information Security notifies the Office of Internal Audit.
  • A review of confirmed violations will be conducted by the Office of Internal Audit at its discretion.
  • If Internal Audit determines that there is a violation of state or federal law, it will contact the Boston University Office of the General Counsel.
  • Information Security will coordinate and monitor the notification process for each incident.