Legal Seminar, Denver, CO

Identification, Scoping & Communications

What is an Incident?

• Actually or potentially jeopardizes confidentiality, integrity or availability of information or information systems; financial, legal, reputational, operational impacts

Classification

• Low – 0-5 users; non-production systems; publicly available info; solution available; no external impact; no PII/PHI/confidential info
• Medium – 6-20 users/VIP; internal systems; internal use information; possible PII/PHI; weak solutions; possible external impact
• High – 20+ users/entire system/VIPs; external systems; definite PII/PHI; no solutions; definite external impact
• Can change over time; based on holistic analysis of all characteristics

Notification/Communications

• Board notification (Executive Committee; SRR Board; CSBSEF Board)
– Low Severity – reported on quarterly basis
– Medium – within 12 hours of declaration
– High – within 4 hours of declaration
– Always before notification to any other party (CFPB; FBI)
