Information Security Incident Management Policy

This policy explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.

It applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security.

This potentially includes all staff, students, associates, and anyone else authorised to use University IT facilities and information.

1. Policy

1.1 It is the policy of the University of York that Information Security incidents will be handled properly, effectively and in a manner that minimises the adverse impact to the University and the risk of data loss to members of the University and the public.

1.2 The University will ensure that:

  • incidents are reported in a timely manner and can be properly investigated
  • incidents are handled by appropriately authorised and skilled personnel
  • appropriate levels of University management are involved in the determination of response actions
  • incidents are recorded and documented
  • the impact of incidents is understood and action is taken to prevent further damage
  • evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny
  • external bodies or data subjects are informed as required
  • the incidents are dealt with in a timely manner and normal operations restored
  • the incidents are reviewed to identify improvements in policies and procedures.

1.3 The University will provide information on its website, and through other training and communications channels, which explains how information security incidents should be reported and will encourage the reporting of all incidents whether they are actual, suspected, threatened or potential.

1.4 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls.

1.5 If an information security incident occurs which requires a coordinated response across the University or the incident has possible external or media interest, the University’s Business Continuity Plan will be triggered.

1.6 The University will conduct periodic testing of the information security handling procedures to maintain and improve staff awareness of the procedures and the actions required.

2. Scope

2.1 This policy applies to all of the University’s information and to all methods of accessing that information.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this policy and carry out regular reviews.

4. Responsibilities

4.1 University staff who have specific responsibility for receiving information security incident reports and for initiating investigations are:

  • The Director of Technology, Estates and Facilities (DTEF)
  • Directors and Assistant Directors of DTEF
  • Nominated members of the York Computer Emergency Response Team (CERT)
  • Data Protection Officer
  • Records Manager
  • IT Support Office (ITSO)

Where the incident involves personal data, the University’s Data Protection Officer (DPO) will be informed. Staff are expected to notify the DPO directly on identification of a suspected or actual personal data breach.

4.2 All information users are responsible for reporting actual, suspected, threatened and potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.

4.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that staff in their area act in compliance with this policy and for assisting with investigations as required.

4.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.5 Any breach of information security or violation of this policy must be reported to the Director of Technology, Estates and Facilities who will take appropriate action and inform the relevant authorities.

5. Policy implementation documents

5.1 An up-to-date set of policy and supporting documents can be found at: University Information Policy index

5.2 Method Statement – Data loss and information security breach management

5.3 Contacting the Computer Emergency Response Team

Appendix A Definitions

Information Security Incident: a breach of security leading to, or that may lead to, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that result from both accidental and deliberate causes. A breach is therefore not limited to the loss of personal data.

Examples of information security incidents include:

  • Data loss due to any cause
  • Attempts (either failed or successful) to gain unauthorised access to a system or its data
  • Theft or other loss of a laptop, desktop, mobile or other device that stores University information, whether or not the device is owned by the University of York
  • Unwanted disruption or denial of service
  • Unauthorised use of a system for the processing or storage of data
  • Uncontrolled system changes
  • Malfunctions of software or hardware
  • Non-compliance with information security and acceptable use policies
  • Human error, e.g. personal data being emailed to the wrong recipient

Document history

14 November 2012 Approved by Information Policy Executive
13 December 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
23 March 2017 Reviewed and approved by Information Security Board
4 March 2021 Reviewed and approved by Information Security Board

Review

Review cycle: Three yearly

Date of next review: March 2024