Incident Reporting (IR-6)

Created August 12, 2016

Description

This Control describes the requirements for appropriate reporting of information security incidents that are likely to exceed one unit’s ability to manage effectively, or that are determined to be significant.

An information security incident is considered significant if it meets one or more of the following criteria:
• involves actual or suspected unauthorized disclosure of confidential information
• involves consequential legal issues
• may cause severe disruption to unit mission critical services or university-wide Essential IT services
• involves active threats
• is widespread
• is likely to raise public interest

Applicability

This procedure applies to all information resource owners or designees, custodians, and third parties who are responsible for Texas A&M University information resources.

Common events such as malware, or other events that are detected, mitigated, and restored within a reasonable amount of time, by locally available unit staff, are not included in this Control.

Implementation

1. Anyone may report illegal, disruptive, or suspicious activity impacting Texas A&M information resources at any time to the Texas A&M IT Help Desk at (979)-845-8300 or helpdesk@tamu.edu, 24 hours a day, 7 days a week.

2. Significant security incidents shall be reported immediately by calling the Texas A&M IT Help Desk at (979)-845-8300 and requesting contact with Security Operations or the CISO.

3. The university CISO has certain reporting responsibilities to the Texas Department of Information Resources.

3.1 Security incidents that require timely reporting include events that are assessed to:

3.1.1 Propagate to other university or state systems;

3.1.2 Result in criminal violations that shall be reported to law enforcement; or

3.1.3 Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2) of Texas Business and Commerce Code, and other applicable laws that may require public notification.

4. If the security incident is assessed to involve suspected criminal activity (e.g., violations of Chapter 33 of Texas Penal Code (Computer Crimes) or Chapter 33A of Texas Penal Code (Telecommunications Crimes)), the security incident shall be investigated, reported, and documented in a manner that restores operation promptly while meeting the legal requirements for handling of evidence.

5. Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, the university CISO or designee should continue to report information to DIR as it is collected. DIR shall instruct the university as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to the university shall submit such reports to the university in the form and manner specified by DIR, unless otherwise directed by the university.

6. Summary reports of security-related incidents shall be sent to DIR on a monthly basis no later than nine (9) calendar days after the end of the month. The university shall submit summary security incident reports in the form and manner specified by DIR. Supporting vendors or other third parties that report security incident information to the university shall submit such reports to the university in the form and manner specified by DIR, unless otherwise directed by the university.