UNIVERSITY OF MASSACHUSETTS INFORMATION SECURITY AND RANSOMWARE POLICY (BLACKMAIL AND DEMANDS OF MONEY OR SERVICES BASED ON RANSOM) – DRAFT, December 28114, 2016

I. Introduction

Blackmail and demands of money or services based on ransom are not unique to the internet, but as the internet and information technologies have become integrated into all sectors of the contemporary economy, education and culture, individuals with criminal intent have increasingly used these technologies for such criminal purposes. In recognition of the intersection of such criminal activity with information technology, the University of Massachusetts establishes this policy on blackmail, fraud and demands of money or services based on ransom. Although it pays particular attention to the use of the internet and information technologies, this policy is not limited to that realm: it applies equally in physical space and to traditional means of communication (e.g. postal mail, telephone) as it does to cyberspace.

Recognizing that the University’s mission increasingly relies on information and technology, the purpose of this policy is to formalize an information security program that, through the establishment of governance, rules, technical standards and procedures, manages the risk to institutional information, research data and Information Technology resources to an acceptable level.

II. Policy Statements

The University of Massachusetts does not respond to or negotiate with perpetrators of blackmail, fraud, or demands of money or services based on ransom. Any user who receives blackmail, fraud or a demand for money or services based on ransom in cyberspace must report that activity to the Chief Information Officer or the Chief Information Security Officer of the campus, who will then contact Campus Safety. If the incident does not involve cyberspace, the activity is to be reported to Campus Safety directly.

In addition to this reporting protocol, each campus shall instantiate a communication channel from either the Chief Information Officer or Campus Safety to the Office of the Chancellor. The Chancellor, and/or his/her delegate, is required to report such activity to the Office of the President of the University of Massachusetts System and/or his/her delegate or contact officer. If the threat involves information technology, the Chancellor, and/or his/her delegate, will contact the Chief Information Officer and Chief Information Security Officer for the campus. If the threat originates from an information technology source, the campus Chief Information Officer will notify Campus Safety.

III. ransom to Campus Safety.

This policy requires that all users of information and its technology at the University of Massachusetts Amherst comply with the administrative, technical and physical safeguards outlined here to provide appropriate access and preserve the integrity, confidentiality and availability of all institutional information, research data and University Information Technology resources.

VI. Governance

In order to manage information technology (IT) security comprehensively, this policy serves three major purposes:

1. It establishes the principle that every IT device connected to the UMass Amherst network must have at least one individual managing the security of that device.
2. It requires units to designate unit security liaisons (see the Obligations of the Unit Security Liaison segment of the procedures).
3. It creates the following five categories of individuals, each with specific obligations regarding the security of IT devices (see section III for responsibilities):
   a. Chief Information Security Officer
   b. Unit head
   c. Unit security liaison
   d. Campus IT Administrator
   e. User

XIX. Breach Notification

All users of the network and custodians of institutional information must report security incidents and breaches of institutional information.

See the UMass Amherst procedures for Security Incident Reporting and Data Breach Notification.

XXV. Institutional Information and Research Data Classification

Security Objectives

Levels

This policy establishes three institutional information security classifications:

a. Level 1
b. Level 2
c. Level 3

All institutional information used in the conduct of University business that is neither Level 1 nor Level 3 is Level 2. Institutional information appropriately made available to the public is Level 3.

Level 1 information classification is defined as:

a. Protected health information, as defined in the Health Insurance Portability and Accountability Act (HIPAA).
b. Personal information as defined in Mass General Law Chapter 93H, Security Breaches. This is defined as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident:
   i. Social Security Number
   ii. Driver’s License Number or State-Issued Identification Card Number
   iii. Financial account number or credit or debit card number
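As an added illustration (not part of the draft policy), the following Python applies the three-level scheme above to a single record, including the 93H rule that a data element only counts in combination with a resident's name. The field names, value formats and the precedence of Level 1 over a "public" flag are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed value formats (assumptions; the policy gives none). A driver's
# licence / state ID number has no single format, so any non-empty value counts.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{8,19}$")      # financial, credit or debit card number


@dataclass
class Record:
    """One institutional record; field names are assumptions for illustration."""
    first_name: str = ""        # full first name or just the first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""
    is_phi: bool = False        # protected health information under HIPAA
    public: bool = False        # appropriately made available to the public


def has_93h_name(r: Record) -> bool:
    """M.G.L. c. 93H needs the last name plus the first name or first initial."""
    return bool(r.last_name.strip()) and bool(r.first_name.strip())


def is_93h_personal_information(r: Record) -> bool:
    """A data element alone is not 'personal information'; it must accompany a name."""
    if not has_93h_name(r):
        return False
    return (bool(SSN_RE.match(r.ssn))
            or bool(r.drivers_license.strip())
            or bool(ACCOUNT_RE.match(r.account_number)))


def classify(r: Record) -> int:
    """Return 1, 2 or 3 per the policy's classification levels.

    Level 1 is checked first, so PHI or 93H data marked 'public' still
    classifies as Level 1 (assumed precedence; the policy does not say).
    """
    if r.is_phi or is_93h_personal_information(r):
        return 1
    if r.public:
        return 3
    return 2        # everything else used in University business
```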

XL. Regulatory and Contractual Compliance

a. Protected health information, as defined in the Health Insurance Portability and Accountability Act (HIPAA).
b. Personal information as defined in Mass General Law Chapter 93H, Security Breaches. This is defined as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident:
   i. Social Security Number
   ii. Driver’s License Number or State-Issued Identification Card Number
   iii. Financial account number or credit or debit card number

XLVII. To Whom This Policy Applies

This policy applies to all members and constituents, including but not limited to faculty, staff and students, of the University of Massachusetts system.

XLVIII. User Expectations (User Behavior)

L. Responsible Parties

All members and constituents, including but not limited to faculty, staff and students, of the University of Massachusetts system are responsible parties.

LI. All Parties

All responsible parties are required to report any threats, demands or other reasonable evidence of blackmail or ransom in cyberspace to the Chief Information Officer or the Chief Information Security Officer, who will then report the incident to Campus Safety. If the event does not involve the Internet or cyberspace, the report goes to Campus Safety directly.

Each campus shall instantiate a communication channel from either the Chief Information Officer/Chief Information Security Officer or Campus Safety to the Office of the Chancellor. The Chancellor, and/or his/her delegate, is required to report such activity to the Office of the President of the University of Massachusetts System and/or his/her delegate or contact officer. If the threat involves information technology, the Chancellor, and/or his/her delegate, will contact the Chief Information Officer and Chief Information Security Officer for the campus. If the threat originates from an information technology source, the campus Chief Information Officer will notify Campus Safety.

… to Campus Safety

LII. Campus Safety

Campus Safety must be prepared to accept claims of blackmail or demands for money or services based on ransom and report such claims immediately to the Chancellor. If the threat involves information technology, Campus Safety must also immediately contact the Chief Information Officer and Chief Information Security Officer for the campus. If the threat originates from an information technology source, the campus Chief Information Officer will notify Campus Safety.

LIV. Law Enforcement or Campus Safety

Campus Safety must have procedures in place to inform the Chancellor of their campus.

LVII. Chancellor

The Chancellor, and/or his/her delegate, must inform the President of the University of Massachusetts system and/or his/her delegate or contact officer.

Every person at the university has a responsibility to protect institutional information, research data and IT resources. These responsibilities vary based on an individual’s roles at the university, and an individual may have more than one role. This section identifies the roles that each person has at the university and their corresponding responsibilities.

a. Security Program Management and Oversight
   i. Chief Information Officer
   ii. Chief Information Security Officer

The Chief Information Security Officer is the University officer with the authority to harmonize campus information security. The Chief Information Security Officer will develop, implement and maintain a comprehensive, standards- and risk-based information security program.

b. Information Classification and Management
   i. Data Stewards
   ii. Data Administrators

c. Security Program
   i. Security Liaisons

The unit security liaison is the person designated by the unit head as the primary contact for the Chief Information Security Officer. For further guidance or clarification, contact the Chief Information Security Officer. The unit security liaison is responsible for the following in his or her unit (the unit):

1. Act as the unit point of contact with the Chief Information Security Officer.
2. Implement and report on a security program for the unit consistent with direction from the Information Security Office, university policy, guidelines and practices, and in keeping with the specific information security requirements of the unit. This will include the following:
   a. Identify the IT resources of the unit. These include hardware, software and information assets.
   b. Provide proper information and documentation about those resources.
   c. Participate in and support information security risk management to identify compliance gaps and risks, using the models and standards consistent with the university.
   d. Develop controls as needed to address identified gaps and risks.
   e. Implement controls.
3. Act as the security coordinator for the unit, including the following:
   a. Develop and execute processes that fulfill identified security objectives and are consistent with university and unit policy and procedure. These identified security objectives may range from long-term security strategies to quick, urgent security fixes for critical vulnerabilities.
   b. Provide unit incident response capabilities for information security events with guidance from the Information Security Office. These include:
      i. Assisting the Information Security Office in the investigation of security issues.
      ii. Implementing unit procedures and protocols for the reporting and handling of information security incidents.
   c. Disseminate information and communications about security policy, procedures and other information from the Information Security Office to users within the unit.

d. IT Security
   i. Service Administrator

A Campus IT Administrator is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of IT Resources (e.g., system administrator or network administrator).

The Campus IT Administrator is responsible for the following:

1. As requested by their unit liaison, participate in the unit information security program and incident response activities.
2. Be knowledgeable of and comply with the current policies, requirements, guidelines, procedures and protocols concerning the security of the unit’s and university’s IT resources.
3. Follow appropriate best-practice guidelines for configuring and securing IT resources.
4. Understand and document the specific configurations and characteristics of the IT resources he or she supports, in order to respond to emerging IT threats and to support security event mitigation efforts appropriately.
5. Understand and recommend the appropriate measures to provide security to the resources and data under his or her control.

A Campus IT Administrator seeking guidance or clarification should contact his or her unit security liaison or the Information Security Office.

e. General Population
   i. Users

Any individual who connects a device to Information Technology (IT) resources through the campus network is a user. Each of these devices may or may not have a local support provider assigned to it. Users have different obligations, based upon whether a local support provider has been assigned to a particular device.

Typically, university-owned IT devices located in campus workspaces have local support providers assigned to them. On the other hand, personally-owned computers used to connect to the University of Massachusetts network from any location (home, off campus, residence hall or other on-campus location) usually do not.

1. Responsibilities of a user who has a Campus IT Administrator:
   a. Understand and comply with current policies, requirements, guidelines, procedures and protocols for the University’s electronic networks and devices.
   b. Comply with guidelines and practices established by the local support provider for the IT device.
   c. Contact your Campus IT Administrator whenever a questionable situation arises regarding the security of your IT device.
   d. Report all electronic security incidents, and lost or stolen devices or data, to your Campus IT Administrator, the IT Service Desk, or the Information Security Office immediately, and follow documented response procedures.
2. Responsibilities of a user who does not have a Campus IT Administrator:
   a. Understand and comply with current policies, requirements, guidelines, procedures and protocols concerning the security of the University’s electronic networks and IT devices.
   b. Follow appropriate best-practice guidelines for configuring and securing IT devices.
   c. Assist in the performance of remediation steps in the event of a detected vulnerability or compromise.
   d. Comply with directives of University officials, such as the Chief Information Security Officer and unit security liaison, to maintain secure devices attached to the network.
   e. Follow documented policies and procedures for reporting electronic security incidents, including but not limited to virus infection, unauthorized access, and lost and stolen devices or data.

LXIII. Standards

Reporting Template

a. Date of Infection
b. Ransomware Variant (identified on the ransom page or by the encrypted file extension)
c. Victim Company Information (industry type, business size, etc.)
d. How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
e. Requested Ransom Amount
f. Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
g. Ransom Amount Paid (if any)
h. Overall Losses Associated with a Ransomware Infection (including the ransom amount)
i. Victim Impact Statement

Technology Standards

Service Plans