Accessibility statement

Information Security Incident Management Policy

Related pages

This policy explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.

It applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security.

This potentially includes all staff, students, associates, and anyone else authorised to use University IT facilities and information


1. Policy

1.1 It is the policy of the University of York that Information Security incidents will be handled properly, effectively and in a manner that minimises the adverse impact to the University and the risk of data loss to members of the University and the public.

1.2 The University will ensure that:

  • incidents are reported in a timely manner and can be properly investigated
  • incidents are handled by appropriately authorised and skilled personnel
  • appropriate levels of University management are involved in the determination of response actions
  • incidents are recorded and documented
  • the impact of the incidents are understood and action is taken to prevent further damage
  • evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny
  • external bodies or data subjects are informed as required
  • the incidents are dealt with in a timely manner and normal operations restored
  • the incidents are reviewed to identify improvements in policies and procedures.

1.3 The University will provide information on its website, and through other training and communications channels, which explains how information security incidents should be reported and will encourage the reporting of all incidents whether they are actual, suspected, threatened or potential.

1.4 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls.

1.5 If an information security incident occurs which requires a coordinated response across the University or the incident has possible external or media interest, the University’s Business Continuity Plan will be triggered.

1.6 The University will conduct periodic testing of the information security handling procedures to maintain and improve staff awareness of the procedures and the actions required.


2. Scope

2.1 This policy applies to all of the University’s information and to all methods of accessing that information.


3. Oversight

3.1 The Information Security Board, chaired by the Director of Information Services, will monitor the effectiveness of this policy and carry out regular reviews.





4. Responsibilities

4.1 University staff who have specific responsibility for receiving information security incident reports and for initiating investigations are:

  • The Director of Information Services
  • Deputy and Assistant Directors of the Information Services Directorate
  • Nominated members of the York Computer Emergency Response Team (CERT)
  • Information Governance Officer
  • Records Manager
  • IT Support Office (ITSO)

Incident reports may be received and escalated by managers in the Information Services Directorate.

4.2 All information users are responsible for reporting actual, suspected, threatened and potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.

4.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that staff in their area act in compliance with this policy and for assisting with investigations as required.

4.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.5 Any breach of information security or violation of this policy must be reported to the Director of Information Services who will take appropriate action and inform the relevant authorities.


5. Policy implementation documents

5.1 An up to date set of policy and supporting documents can be found at:

5.2 Method Statement – Data loss and information security breach management

5.3 Contacting the Computer Emergency Response Team


Appendix A Definitions

Information Security Incident: an adverse event in relation to the security of University information or IT systems which has already occurred, is suspected, has been threatened or has the potential to occur.

Examples of information security incidents include:

  • Data loss due to any cause
  • Attempts (either failed or successful) to gain unauthorized access to a system or its data
  • Theft or other loss of a laptop, desktop, PDA, or other device that stores University information, whether or not the device is owned by the University of York
  • Unwanted disruption or denial of service
  • Unauthorized use of a system for the processing or storage of data
  • Uncontrolled system changes
  • Malfunctions of software or hardware
  • Noncompliance with information security and acceptable use policies
  • Human error e.g. personal data being emailed to the wrong recipient

Document history

Document history

14 November 2012 Approved by Information Policy Executive
13 December 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
23 March 2017 Reviewed and approved by Information Security Board


Review cycle: Three yearly

Date of next review: March 2020