Cyber Security Incident Reporting Standard


Application


This standard applies to all members of the University community whether at the University or elsewhere, and refers to all IT resources.

Purpose


To minimize the negative consequences of IT security incidents and to improve the University’s ability to promptly restore operations affected by such incidents. It ensures incidents are promptly reported to the appropriate University officials, that they are consistently and expertly responded to, and that serious incidents are properly monitored.

Standards


IT users:

1. IT users and administrators of IT resources must promptly report all IT security incidents to the ITS service desk

2. The ITS service desk must route the incident to the IT Risk Analyst

3. The IT Risk Analyst will convene the Cyber Security Incident Response Team (CSIRT) to respond to the incident

CSIRT:

4. If an incident involves any private, personally identifiable, or human research subject information, the CSIRT must report the incident to the University Privacy Officer

5. If an incident involves any human subject research information and has not already been reported to the University Privacy Officer, the CSIRT must report the incident to the Office of Research

6. Incidents must be reported to Performance and Risk by CSIRT as soon as possible, but no later than within 24 hours from the time an incident is identified or initially reported, unless the incident is evaluated as minor, in which case the incident may be reported within the next weekly situation report

7. The CSIRT will evaluate and respond to IT security incidents in accordance with University and unit policies and procedures, including the Cyber and Information Security Incident Management Guidelines

Privacy and confidentiality of sensitive information:

8. When University staff report, track, and respond to IT security incidents, they must protect and keep confidential any sensitive data

9. Tracked incident data will exclude any sensitive information that is not required for incident response, analysis, or by law, regulation, or University policy

Definitions


The following definitions apply to this standard:

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it

IT security incident(s) includes attempted or successful unauthorised access, use, disclosure, modification or destruction of information, interference with IT operations, impersonation of any member of the University community through electronic and/or social media, spoofing, or setting up any web presence (including presence on social media) that purports to be, or might reasonably be perceived to be, an official University of Auckland website or social media group, page or account

IT user means any member of the University community using IT resources

Sensitive data refers to data whose unauthorised disclosure may have serious adverse effect on individuals or on the University’s reputation, resources, or services

University means the University of Auckland and includes all subsidiaries

University community includes all staff members (whether permanent, temporary or part time), honorary staff members, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices

Document management and control



Owner : CIO

Content manager: IT Risk Manager

Approved by: The Vice-Chancellor

Date approved: November 2013

Review date: November 2016