Purpose

The purpose of this toolkit is to provide institution ISOs and other response team members with the information and guidance needed to respond to a significant security incident. The toolkit includes information on:
- when to report a security incident to UT System
- reporting to the DIR
- reporting to law enforcement
- reporting to other agencies
- responding to the public and media outlets
Important: If the answer to any of the following questions is YES, the incident MUST be reported to the UT System CISO using the Information Security Incident Reporting Tool at https://apps.utsystem.edu/SecurityIncident
- Has a University owned, leased or managed computer or computing device been lost or stolen?
- Has unencrypted University data been lost, stolen, or maliciously corrupted?
- Has there been unauthorized access to or disclosure of confidential data, personally identifying information, or Controlled research data?
- Are effects of the incident likely to propagate or cause harm to systems or organizations beyond the control of the institution?
- Has a malicious disruption or a denial of service attack occurred affecting more than 10% of individuals at the institution?
- Has a University Information Resource been used to conduct illegal activities requiring police involvement?
- Has a University information resource been used to attack another organization?
- Was a University website defaced or compromised?
- Has an unauthorized change been made to mission critical hardware, firmware, data, or software?
- Has there been an unauthorized disclosure of Confidential University printed records?

The Systemwide CISO will notify the appropriate System Administration staff including System CIO, academic or health affairs, media relations, audit, compliance and OGC.
TAC 202 requires each state agency and institution of higher education to provide timely reporting of certain types of security incidents to DIR which, depending on the threat or level of risk to the State, could mean emergency reporting. Timely reporting is required (preferably within 24 hours) for incidents that may:
- Propagate to other state systems; (emergency reporting)
- Result in criminal violations that shall be reported to law enforcement; or
- Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information.
Each agency/IHE is responsible for assessing the significance of a security incident within their organization and for providing a report to DIR based on the business impact on affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). The DIR incident reporting instructions can be found at http://www.dir.state.tx.us/security/incidentmanagement/Pages/incidentreporting.aspx
IMPORTANT: For emergency reporting of security incidents meeting the above criteria, please call the DIR Computer Security Incident Response Team (CSIRT) at (512) 350-3282. The phone is answered 24 hours a day, 7 days a week. This number is NOT to be used for SIRS-related inquiries or questions.
If criminal action is suspected, the institution should contact the campus police department immediately. Before you contact law enforcement, review your policies and procedures for guidance and discuss the activity with your management, institution police department and legal counsel.
Institutions may be required to notify others depending on the situation. For example, if research data is lost or compromised, the institution may need to contact the research sponsor.
During the security incident management process you should contact your institution's media relations office and your legal office (or UT System Office of General Counsel) if you suspect that the incident may have compromised or exposed confidential or personally identifiable information.