This policy explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.
It applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security.
This potentially includes all staff, students, associates, and anyone else authorised to use University IT facilities and information
1.1 It is the policy of the University of York that Information Security incidents will be handled properly, effectively and in a manner that minimises the adverse impact to the University and the risk of data loss to members of the University and the public.
1.2 The University will ensure that:
1.3 The University will provide information on its website, and through other training and communications channels, which explains how information security incidents should be reported and will encourage the reporting of all incidents whether they are actual, suspected, threatened or potential.
1.4 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls.
1.5 If an information security incident occurs which requires a coordinated response across the University or the incident has possible external or media interest, the University’s Business Continuity Plan will be triggered.
1.6 The University will conduct periodic testing of the information security handling procedures to maintain and improve staff awareness of the procedures and the actions required.
2.1 This policy applies to all of the University’s information and to all methods of accessing that information.
3.1 The Information Security Board, chaired by the Director of Information Services, will monitor the effectiveness of this policy and carry out regular reviews.
4.1 University staff who have specific responsibility for receiving information security incident reports and for initiating investigations are:
Incident reports may be received and escalated by managers in the Information Services Directorate.
4.2 All information users are responsible for reporting actual, suspected, threatened and potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
4.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that staff in their area act in compliance with this policy and for assisting with investigations as required.
4.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
4.5 Any breach of information security or violation of this policy must be reported to the Director of Information Services who will take appropriate action and inform the relevant authorities.
5.1 An up to date set of policy and supporting documents can be found at: http://www.york.ac.uk/
Information Security Incident: an adverse event in relation to the security of University information or IT systems which has already occurred, is suspected, has been threatened or has the potential to occur.
Examples of information security incidents include:
|14 November 2012||Approved by Information Policy Executive|
|13 December 2012||Approved by Information Security Board|
|29 January 2016||Reviewed and approved by Information Security Board|
|23 March 2017||Reviewed and approved by Information Security Board|
Review cycle: Three yearly
Date of next review: March 2020