POLICY SUMMARY

As a means of organizing and directing the company's response to observable threats to its Information Technology (“IT”) Resources and systems, this policy establishes roles, responsibilities, and procedures for reporting and managing IT Incidents. Written directions for responding to IT Incidents increase Elcen Metal Products Co company ability to mitigate threats, minimize risk of loss or destruction of company Information, and help to restore services more quickly when events do occur. All company Community Members that use company IT Resources are advised to immediately report any IT-related concern to Information Technology Services.

REASON FOR THIS POLICY

REASON FOR THIS POLICY Responding to IT-related threats or challenges is essential to maintaining the confidentiality, integrity, and availability of the company's IT Resources.

ENTITIES AFFECTED BY THIS POLICY

All units that interact with company Information or company IT Resources External entities granted access to company Information Information Technology Services

WHO SHOULD KNOW THIS POLICY

All company Community Members that use company IT Resources General Manager External agents granted access to company Information Information Technology Services Leadership Team

DEFINITIONS

Information Technology (“IT”) Resource: any computer, server, communication or mobile device, or electronic data, data storage, transmission or control device that is owned and/or operated by the company, used to conduct company business, or connected to the company's IT networking or communication systems regardless of ownership, location, or access method. These resources are referred to herein as “IT Resources.”

IT Incident: an observable or recognizable occurrence that threatens or causes adverse consequences for the confidentiality, integrity, or availability of the company's IT Resources.

Major IT Incident: an IT Incident of significant scope or scale that affects large numbers of company IT Resources and company Community Members, or that results in extended downtime of IT services.

Sensitive Information: all information that should remain private or confidential as designated by the Company or as required by law, including, but not limited to, educational and student conduct records, social security numbers, credit card or banking information, regulated research data, and health care provider records. Sensitive Information includes, but is not limited to, Level 3 – Sensitive Data and Level 4 – Highly Sensitive Data as defined in the company's Data Handling and Classification policy

company Information: all written or verbal data or information that the company or its employees, students, or designated affiliates or agents collect, possess, or have access to regardless of the medium on which it is stored or its format.

company Community Member: all company faculty, staff, student employees, students, alumni, affiliates, contractors, consultants, agents, and volunteers wherever located.

WHO SHOULD KNOW THIS POLICY

All company Community Members that use company IT Resources General Manager External agents granted access to company Information Information Technology Services Leadership Team

WHO SHOULD KNOW THIS POLICY

All company Community Members that use company IT Resources General Manager External agents granted access to company Information Information Technology Services Leadership Team