Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: December 12, 2014
Responsible Executive: VP for Academic Affairs


8.17 Information Security Incident Response


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the UTSA Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the data, intellectual property and Information Resources used to carry out UTSA business.

OIS is committed to addressing all suspected or confirmed Security Incidents with a swift and effective response to minimize any potential damage to UTSA’s network infrastructure.


II. RATIONALE


This policy describes the duties and responsibilities of all individuals who are tasked with reporting, investigating and resolving Information Security Incidents.  Information Security Incidents must be promptly and systematically addressed to reduce the possibility of exposure of confidential data and interruptions to the delivery of UTSA information resources and services.


III. SCOPE


This policy applies to all who are granted access to UTSA Information Resources, including, but not limited to, faculty, staff, students, alumni, vendors, contractors and visitors.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-17.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UT System Policy INT124, Information Resources Acceptable Use and Security Policy
  2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 
  4. UTSA HOP policy 8.15, Acceptable Use Policy

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C
  2. Texas Public Information Act, Texas Government Code, Chapter 552

VI. CONTACTS


If you have any questions about HOP policy 8.17, Information Security Incident Response, please contact the following office:

Office of Information Technology (OIT) or Office of Information Security (OIS)
(210) 458-4555


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Confidential Data: Data that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state and federal laws.

Data Custodian: An employee who is responsible for day-to-day maintenance of UTSA Information Resources. In some instances, this responsibility is assigned to a third-party vendor or OIT.  

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the Information Resources. 

Incident Response Team (IRT): The group of individuals who determine whether a Security Incident is reportable to state authorities. The members include the Information Security Officer (ISO), Chief Legal Officer and Executive Compliance Officer. Others will be included by the ISO as needed (e.g., Data Owner).

Information Resources: The procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data, including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.

Information Security Administrator: A staff member who, in close cooperation with the OIS, provides assistance with the implementation and administration of information security initiatives and Data Owner security needs.

Information Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption or destruction of Information Resources, whether accidental or deliberate.

Information Security Officer (ISO): Staff member responsible for providing and administering the overall information security program for all centrally maintained and all distributed systems and computer equipment.

Response Planning Team (RPT): The group that plans and implements notification of affected individuals when an information security incident occurs.  Members include the Provost (or designee), ISO, Vice Provost for Information Technology and Chief Information Officer, Executive Director of Audit, Compliance and Risk Services, Associate Vice President of Communications and Marketing and other individual(s) the RPT deems necessary.  A team member may assign a designee to serve on the RPT.


VIII. RESPONSIBILITIES


  1. Information Security Administrator (ISA)
    1. Implements and complies with all information technology policies and procedures relating to assigned systems.
    2. Assists Data Owners in performing annual Information Security Risk Assessments for Mission Critical Information Resources.
    3. Reports Information Security Incidents to the ISO.
    4. As a member of the ISA Work Group, assists the ISO in developing, implementing and monitoring the Information Security Program.
    5. Assists the Data Owner in maintaining metrics in InSight at or above UTSA’s stated goals.
    6. Monitors security policy and procedures changes and informs his/her Data Owners of changes so the Data Owners can make adjustments as necessary.
    7. Acts as liaison between the departments, Data Owners and the Information Security Program.
  2. Data Owner
    1. Participates on the IRT
  3. Director, Institutional Compliance & Risk Services (Compliance Officer)
    1. Participates on the IRT
  4. Associate Vice President of Communications and Marketing
    1. Participates on the IRT
  5. Vice Provost for Information Technology and CIO
    1. Participates on the IRT
    2. Participates on the RPT
  6. Chief Legal Officer
    1. Participates on the IRT
    2. Participates on the RPT
  7. Provost and Vice President for Academic Affairs
    1. Participates on the IRT
    2. Participates on the RPT
  8. Incident Response Team
    1. Determines whether a reportable incident has occurred
    2. Provides input on whether the Security Incident warrants notification to affected individuals
  9. Response Planning Team
    1. Plans and implements notification of affected individuals
    2. Drafts and sends any pertinent communications to affected individuals
    3. Provides contact information for individual(s) assigned to provide information to respondents of any communication sent to affected individuals

In some instances, not all members of a team may be able to be present to perform their responsibilities. The ISO, in consultation with other team members, may choose to re-assign or perform the required duties, depending on factors such as the need to address critical vulnerabilities.


IX. PROCEDURES


  1. Information Security Incident Monitoring
    1. The ISO will aggregate Information Security Incident data and share it on a regular basis with UTSA's Executive Compliance Committee, CIO, Data Owners and ISAs. If criminal activity is suspected, the ISO will notify the UTSA Police Department. These data may include the number and type(s) of security incidents and other information.
  2. Information Security Incident Reporting
    1. Any individual who knows or suspects that an Information Security Incident has occurred must notify the OIS immediately by contacting OITConnect at 210-458-5555 or oitconnect@utsa.edu.
    2. Any attempt to interfere with, prevent, obstruct, retaliate for or dissuade the reporting of an Information Security Incident, critical security concern, policy violation, or information resource vulnerability is strictly prohibited and may be cause for disciplinary action.
    3. For Information Security Incidents involving criminal activity, the UTSA Police Department will notify other law enforcement agencies as required.
  3. Information Security Incident Investigation and Identification
    1. Upon notification of a potential Information Security Incident, the ISO shall promptly assess and gather information to determine the impacted data, systems and business processes. The IRT will determine whether an actual Information Security Incident has occurred. When applicable, the Data Owner will be required to complete and submit a statement describing the stored or processed data and submit it to the ISO. The ISO may also require copies of files.
    2. If a Security Incident is confirmed, the following individuals shall be notified: CIO, unit or department head, dean (if in an academic area) and UT System’s Chief ISO. In addition, if the Information Security Incident involves extramurally funded research, the RIO also shall be notified.
    3. If investigation of a potential Information Security Incident will take more than the required timeframe for incident assessment, the ISO shall report the potential Information Security Incident to the CIO, unit or department head, dean (if in an academic area), vice president or associate vice president (if administrative area) and UT System’s Chief Information Security Officer.
    4. The IRT will be contacted to provide input on whether the incident warrants notification to affected individuals.
  4. Information Security Incident Containment
    1. In some cases, action will be necessary to limit the magnitude and scope of the Information Security Incident.
    2. Should any action be necessary that is likely to have a substantial impact on business processes, the unit or department head or Data Owner, CIO and Data Custodians will be notified in advance.
    3. Reasonable efforts will be made by OIT to minimize the impact.
    4. In rare cases it may be necessary to take action without receiving input from individuals who manage the affected information resources. In those cases, authorization from the Provost or President will be required before action is taken.
  5. Information Security Incident Eradication
    1. The affected unit is responsible for taking action to identify and either eliminate or mitigate the vulnerabilities resulting in the Security Incident.
    2. The ISO will provide recommendations to the affected unit and coordinate any remaining efforts needed to eliminate or mitigate the vulnerabilities.
  6. Information Security Incident Follow-up
    1. The ISO will develop a Security Incident report summarizing the Information Security Incident and outlining recommended actions.
    2. The Security Incident report will be amended to include the responsible unit head's action plan and action plan progress and will be shared with the RPT.
  7. Security Incident Notification
    1. The ISO will notify the University of Texas System Information Security Office in a timely fashion of all confirmed Information Security Incidents and suspected Information Security Incidents if substantial time will be required to assess whether an Information Security Incident has occurred. The ISO, Compliance department and Legal department will determine the appropriate time frames, based on current operating procedure.
    2. The ISO will notify state and federal entities as required by law.
    3. If a decision has been made to notify individuals affected by the Information Security Incident, the RPT will develop and implement a data breach notification process.
    4. Individuals will be notified as expediently as possible without unreasonable delay. Note that the creation and dissemination of the communications may be assigned outside of the RPT.
    5. Any media inquiries regarding the Information Security Incident are to be directed to the Associate Vice President of Communications and Marketing.

X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Classifying your data: Data Classification Examples

Examples of Reportable Security Incidents


XII. APPENDIX


Video: Handling of an Information Security Incident - This video outlines responsibilities for all individuals regarding reporting a potential security incident, and includes information on the process followed if an incident has occurred.

Website: Security Incident Handling: What to Do - The Office of Information Security website provides tips and resources for individuals involved in a security incident.