Cyber Security Incident Reporting Standard

Application

This standard applies to all members of the University community whether at the University or elsewhere, and refers to all IT resources.

Purpose

To minimize the negative consequences of IT security incidents and to improve the University’s ability to promptly restore operations affected by such incidents. It ensures incidents are promptly reported to the appropriate University officials, that they are consistently and expertly responded to, and that serious incidents are properly monitored.

Standards

IT users:

1. IT users and administrators of IT resources must promptly report all IT security incidents to the ITS service desk.

2. The ITS service desk must route the incident to the IT Risk Analyst.

3. The IT Risk Analyst will convene the Cyber Security Incident Response Team (CSIRT) to respond to the incident.

CSIRT:

4. If an incident involves any private, personally identifiable, or human research subject information, the CSIRT must report the incident to the University Privacy Officer.

5. If an incident involves any human subject research information and has not already been reported to the University Privacy Officer, the CSIRT must report the incident to the Office of Research.

6. The CSIRT must report incidents to Performance and Risk as soon as possible, and no later than 24 hours from the time an incident is identified or initially reported, unless the incident is evaluated as minor, in which case it may be reported in the next weekly situation report.

7. The CSIRT will evaluate and respond to IT security incidents in accordance with University and unit policies and procedures, including the Cyber and Information Security Incident Management Guidelines.

Privacy and confidentiality of sensitive information:

8. When University staff report, track, and respond to IT security incidents, they must protect and keep confidential any sensitive data.

9. Tracked incident data will exclude any sensitive information that is not required for incident response, analysis, or by law, regulation, or University policy.

Definitions

The following definitions apply to this document:

IT resources refers to any University-owned or University-operated hardware or software and the data that is used or stored on it.

IT security incident(s) includes attempted or successful unauthorised access, use, disclosure, modification or destruction of information, interference with IT operations, impersonation of any member of the University community through electronic and/or social media, spoofing, or setting up any web presence (including presence on social media) that purports to be, or might reasonably be perceived to be, an official University of Auckland website or social media group, page or account.

IT user means any member of the University community using IT resources.

Sensitive data refers to data whose unauthorised disclosure may have a serious adverse effect on individuals or on the University’s reputation, resources, or services.

University means the University of Auckland and includes all subsidiaries.

University community includes all staff members (whether permanent, temporary or part time), honorary staff members, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices.

Key relevant documents

Document management and control

Owner: Chief Digital Officer (CDO)
Content manager: IT Risk Manager
Approved by: Vice-Chancellor
Date approved: November 2013
Review date: November 2016