IT Cyber Incident Response Standards

Cyber Incident Reporting

Any member of the University community who suspects that an IT security incident has occurred must report it in one of the following ways:

  • Suspected high severity events, such as those involving possible breaches of personal identity data, should be reported immediately and directly to the Information Security Officer by phone, e-mail, or in person.
  • All other suspected incidents may be reported to the Information Security Officer, or first to IT support personnel, who can then contact the Information Security Officer.
  • In the event that the Information Security Officer is unavailable, the Assistant Vice President for Information Technology may be used as the initial point of contact.

Cyber Incident Classification

Upon notification, discovery, or suspicion of an incident, the Information Security Officer will launch an investigation. The Information Security Officer will determine whether the incident is a false positive or a real incident. In the event that the incident is real and actionable, the Information Security Officer will determine the severity level. In the event that the Information Security Officer cannot make a determination of an incident severity level, he will contact the Assistant Vice President for Information Technology for guidance.

Each Incident Severity Level has its own set of procedures, including escalation and response times, action items, and personnel involvement. At any time during an incident investigation, the severity can be raised or lowered, based upon newly discovered information.

Cyber Incident Tracking & Reporting

The Information Security Officer (or designated member of the CSIRT) will open a help desk ticket containing information about the security violation. Upon conclusion of the incident, the Information Security Officer (or designated member of the CSIRT) will finalize and close out any open help desk tickets related to the incident. Related incident tracking logs will also be finalized and stored appropriately.

If the severity of the incident requires it, or if it is otherwise requested by an appropriate administrator such as the Assistant Vice President for IT, the Information Security Officer (or designated member of the CSIRT) will compile a post-incident report, using the information logged during the incident as the basis of the report. The report will also include a summary of lessons learned and any recommended changes to be made to the environment to prevent future recurrence of the incident.

Details

Article ID: 689
Created: Wed 9/22/21 9:50 AM
Modified: Mon 10/11/21 8:19 AM