Purpose: The purpose of this toolkit is to provide institution ISOs and other response team members with the tools and guidance they need to respond to a significant security incident. The toolkit includes:
If you answer ‘yes’ to any of the following questions, the incident is considered significant and you should report the incident through the Security Incident Reporting Tool: https://www.utsystem.edu/securityincident.
- Has a University-owned computer or other University-owned computing device been lost or stolen?
- Was there an unauthorized disclosure or compromise of the security, confidentiality, or integrity of Sensitive Digital Data, Personal Identifying Information, or confidential or sensitive information?
- Does the incident involve a harmful virus, worm or other attack that propagates through the network?
- Could the attack be propagated to other state systems beyond the control of the institution?
- Was there an unwanted disruption or denial of service?
- Were there successful attempts to gain unauthorized access to a mission critical information resource or confidential/sensitive data?
- Was a University information resource used for the processing or storage of data such as illegal file sharing or for distribution of illegal materials?
- Were there attacks on the Internet and widespread automated attacks against Internet sites including website defacement?
- Did the incident involve new types of attacks or new vulnerabilities?
- Were University information resources used to attack others?
- Were there failures in change management processes or unauthorized changes to mission critical hardware, firmware, data or software?
Reporting to UT System CISO: If the situation is critical and requires an immediate response, contact the UT System CISO immediately by phone. Report all significant security incidents through the UT System Incident Reporting Tool: https://www.utsystem.edu/securityincident.
UT System Resources: The System-wide CISO will notify the appropriate System Administration staff including System CIO, academic or health affairs, media relations, audit, compliance and OGC.
Reporting to DIR: Security incidents that are critical in nature and could be propagated to other state systems beyond the control of the institution must be reported to DIR within 24 hours. In addition, DIR requests that you report all incidents of a serious nature as soon as possible to notify other agencies and institutions to be on the lookout for similar attempts on their sites.
To report a security incident critical in nature to DIR, call their emergency cell phone at 512-350-3282. The phone is answered 24 hours a day, 7 days a week. An IT Security Analyst will take the pertinent information that is needed. The following information will be requested:
- Name of agency
- Name/title of person who called
- Phone number of person who called
- How you were contacted about the incident (cell phone, phone call or email)
- Date and time of call
- Details of incident
- Action taken
Reporting to Law Enforcement: If criminal action is suspected, the institution should contact the campus police department immediately. Before you contact law enforcement, review your policies and procedures for guidance and discuss the intruder's activity with your management, institution police department and legal counsel.
Reporting to other agencies: Institutions may be required to notify others depending on the situation. For example, if research data is lost or compromised, the institution may need to contact the research sponsor.
Responding to the public and media: During the security incident management process, you should contact your institution’s media relations office and your Legal Office or UT System Office of General Counsel if you suspect that the incident may have compromised or exposed confidential or personally identifiable information.
UT System can provide the following resources to assist you in responding to the incident:
- website template to host on your website or the UT System website if needed to address the incident
- assistance to address the incident
- sample template to use for notification e-mails and other incident response documents
- legal counsel