This policy explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.
It applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security.
This potentially includes all staff, students, associates, and anyone else authorised to use University IT facilities and information.
1.1 It is the policy of the University of York that Information Security incidents will be handled properly, effectively and in a manner that minimises the adverse impact to the University and the risk of data loss to members of the University and the public.
1.2 The University will ensure that:
1.3 The University will provide information on its website, and through other training and communications channels, which explains how information security incidents should be reported and will encourage the reporting of all incidents whether they are actual, suspected, threatened or potential.
1.4 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls.
1.5 If an information security incident occurs which requires a coordinated response across the University or the incident has possible external or media interest, the University’s Business Continuity Plan will be triggered.
1.6 The University will conduct periodic testing of the information security handling procedures to maintain and improve staff awareness of the procedures and the actions required.
2.1 This policy applies to all of the University’s information and to all methods of accessing that information.
3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this policy and carry out regular reviews.
4.1 University staff who have specific responsibility for receiving information security incident reports and for initiating investigations are:
Where the incident involves personal data, the University’s Data Protection Officer (DPO) will be informed. Staff are expected to notify the DPO directly on identification of a suspected or actual personal data breach.
4.2 All information users are responsible for reporting actual, suspected, threatened and potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
4.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that staff in their area act in compliance with this policy and for assisting with investigations as required.
4.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
4.5 Any breach of information security or violation of this policy must be reported to the Director of Technology, Estates and Facilities who will take appropriate action and inform the relevant authorities.
5.1 An up to date set of policy and supporting documents can be found at: University Information Policy index
Information Security Incident: a breach of security leading to, or that may lead to, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples of information security incidents include:
|14 November 2012||Approved by Information Policy Executive|
|13 December 2012||Approved by Information Security Board|
|29 January 2016||Reviewed and approved by Information Security Board|
|23 March 2017||Reviewed and approved by Information Security Board|
|4 March 2021||Reviewed and approved by Information Security Board|
Review cycle: Three yearly
Date of next review: March 2024