Guidance on what constitutes an Information Security incident and how this should be reported
This control procedure defines the University’s approach to Incident Response and directly supports the following policy statement from the Information Security Policy:
Guidance will be available on what constitutes an Information Security incident and how this should be reported. Actual or suspected breaches of information security must be reported and will be investigated. Appropriate corrective action will be taken and any learning built in to controls.
This procedure is intended to be read and understood by all users accessing University information in electronic or paper format, IT systems, networks or software using any University or personally owned device.
In the event of an information governance incident, it is vital that appropriate corrective measures are taken to reduce the primary impact and minimise secondary risks resulting from the incident. It is also necessary to learn from incidents so that preventative measures can be put in place to prevent similar incidents occurring again.
All users who access, use or manage University information are responsible for reporting information security incidents. This includes concerns about the security of an IT account, computer or University IT service, as well as loss or inappropriate disclosure of paper information, or weaknesses in a business process.
University-appointed Information Asset Owners (IAOs) and Information Asset Managers (IAMs) have explicit responsibilities in reporting and following up on incidents in their areas. (See section 4, below.)
An information governance incident is a suspected, attempted, successful, or imminent breach of security leading to the threat of or actual accidental, unlawful or unauthorised access to, use, disclosure, breach/loss, modification, or destruction of information, including personal information as defined by the UK’s data privacy regulations; interference with the operation of information systems; or a breach of Information Security Policy or Procedures, including the Acceptable Use of IT Systems.
Examples include, but are not limited to:
All incidents should be reported promptly to the Information Governance Team by emailing email@example.com or calling Ext 3884.
The notification should include as much detail as possible including:
An initial assessment will be made to establish the severity of the incident and who the lead investigating officer will be.
All incidents will be logged centrally by the Information Governance Team to ensure appropriate oversight of the types and frequency of confirmed incidents for management and reporting purposes. Where necessary, incidents will be escalated internally to ensure appropriate oversight by senior management. Escalation may include informing members of the Information Governance Board or UEG.
The Lead Investigating Officer along with relevant team members will determine the appropriate course of action needed to limit the impact of the incident. This might require isolating a compromised area of the network, shutting down critical equipment or contacting incorrect recipients to ask that they ignore and dispose of information accidentally compromised.
Appropriate steps will be taken to recover system or data losses to resume business as usual activity as soon as possible. This might involve attempting to recover lost equipment, using backup mechanisms to restore compromised or stolen data, or changing compromised passwords.
The Incident Response will involve the relevant Information Asset Owners (IAOs) and Information Asset Managers (IAMs), allowing an assessment of the risks to their business area and ensuring they can assist with the implementation of practical, corrective measures to contain an incident.
IAO and IAM involvement will be based on risk and meaningful actions that can be taken forward as the result of an incident.
Incident Risk Rating
Proposed IAO/IAM involvement
Notify IAM and IAO of the incident and request involvement in the containment, recovery and closure of the incident.
Notify IAM of incident and request their involvement with follow-up actions and confirmation that they have taken place.
Notify IAM of incident and any immediate follow-up actions that have taken place.
Further review of incidents may require IAOs to take preventative actions to protect against recurrence. IAOs will work with the Information Governance Teams to agree these measures, to ensure they are practical but achieve our goal of minimising further risk.
Quarterly reporting of incidents will be highlighted to the Senior Information Risk Owner, IAOs and IAMs to ensure information risk is understood across the organisation and proactively managed.
Once an incident has been reported, consideration should be given to any external agencies or stakeholders that may need to be contacted.
If a breach involving personal information has occurred which results in a risk to the rights and freedoms of data subjects, it must be reported to the Information Commissioner’s Office within 72 hours. Support, engagement and cooperation of all incident stakeholders is essential to ensuring this reporting requirement can be met. The Data Protection Officer will be ultimately responsible for considering if the breach should be reported to the Information Commissioner’s Office.
Where a breach is likely to result in a high risk of adversely affecting individuals whose personal data may have been affected, we must notify them to allow them to take steps to protect themselves. The Data Protection Officer will be ultimately responsible for considering if the breach should be reported to the data subject and what relevant advice should be provided.
If the incident involves the JANET network, the Information Security team will be responsible for considering if the incident should be reported to the JANET Computer Security Incident Response Team (CSIRT). JISC can be contacted on 0300 999 2340 or by emailing firstname.lastname@example.org
The Information Security Team will only consider reporting the incident to the National Cyber Security Centre (NCSC) via its web form tool. The NCSC may be able to provide further incident response assistance, including assisting with recovery: https://www.ncsc.gov.uk/scheme/cyber-incidents
The Information Security team will consider reporting incidents involving criminal behaviour to the Police.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.