Purpose: The purpose of this toolkit is to provide institution ISOs and other response team members with the tools and guidance they need to respond to a significant security incident. The toolkit includes:
Important: If the answer to any of the following questions is “Yes”, the incident MUST be reported to the UT System CISO using the Information Security Incident Reporting Tool at www.utsystem.edu/ciso
- Has a University-owned, leased or managed computer or computing device been lost or stolen?
- Has unencrypted University data been lost, stolen, or maliciously corrupted?
- Has there been unauthorized access to or disclosure of Confidential data, personally identifying information, or Controlled research data?
- Are effects of the incident likely to propagate or cause harm to systems or organizations beyond the control of the institution?
- Has a malicious disruption or a denial-of-service attack occurred affecting more than 10% of individuals at the institution?
- Has a University Information Resource been used to conduct illegal activities requiring police involvement?
- Has a University information resource been used to attack another organization?
- Was a University website defaced or compromised?
- Has an unauthorized change been made to mission-critical hardware, firmware, data, or software?
- Has there been an unauthorized disclosure of Confidential University printed records?
Reporting to UT System CISO: If the situation is critical and requires an immediate response, contact the UT System CISO immediately by phone. Report all significant security incidents through the UT System Incident Reporting Tool: https://www.utsystem.edu/securityincident.
UT System Resources: The System-wide CISO will notify the appropriate System Administration staff including System CIO, academic or health affairs, media relations, audit, compliance and OGC.
Reporting to DIR: Security incidents that are critical in nature and could be propagated to other state systems beyond the control of the institution must be reported to DIR within 24 hours. In addition, DIR requests that you report all incidents of a serious nature as soon as possible so that other agencies and institutions can be notified to be on the lookout for similar attempts on their sites.
To report a security incident critical in nature to DIR, call their emergency cell phone at 512-350-3282. The phone is answered 24 hours a day, 7 days a week. An IT Security Analyst will take the pertinent information that is needed. The following information will be requested:
- Name of agency
- Name/title of person who called
- Phone number of person who called
- How you were contacted about the incident (cell phone, phone call or email)
- Date and time of call
- Details of incident
- Action taken
Reporting to Law Enforcement: If criminal action is suspected, the institution should contact the campus police department immediately. Before you contact law enforcement, review your policies and procedures for guidance and discuss the intruder's activity with your management, institution police department and legal counsel.
Reporting to other agencies: Institutions may be required to notify others depending on the situation. For example, if research data is lost or compromised, the institution may need to contact the research sponsor.
Responding to the public and media: During the security incident management process, you should contact your institution’s media relations office and your Legal Office or UT System Office of General Counsel if you suspect that the incident may have compromised or exposed confidential or personally identifiable information.
UT System can provide the following resources to assist you in responding to the incident:
- website template to host on your website or the UT System website if needed to address the incident
- assistance to address the incident
- sample template to use for notification e-mails and other incident response documents
- legal counsel