Guideline for Reporting Information Security Incidents

I.  Purpose

The purpose of this document is to provide guidance for reporting potential or real information security incidents so that every member of the UNC Charlotte community can identify a potential information security incident and follow established steps to report the incident through the appropriate channels.

II.  Scope

This guideline is applicable to UNC Charlotte faculty, staff, students and all authorized users granted use of university information resources.  Every authorized user of university information resources has a responsibility toward the protection of those resources.

III.  Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Examples of Information Security Incidents

An information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operation; or violation of acceptable use policies. Examples of information security incidents include:

  • Employee, student or other authorized user has the ability to view sensitive or confidential information on a university system that should not be available to them.
  • Account issued to conduct University business (NinerNET, other enterprise system, third-party access) appears to have been compromised, as evidenced by changes to the account, files, or email that were not made by the owner of the account.
  • Individual has discovered university information on a public website that appears to contain confidential or sensitive information.
  • Compromise or attack of a computer or server has been detected.
  • Card reader equipment appears to have been tampered with or stolen.
  • Laptop containing sensitive or confidential information has been lost or stolen.
  • Attempts to illicitly obtain a University account holder’s credentials in order to gain access to university resources.
  • Provisioning of access to university system(s) or resources without proper authorization.
  • An employee, student or other authorized user is sharing their login or password information.

V.  Guidelines

UNC Charlotte faculty, staff, students, and all authorized users granted use of university information resources must notify ITS immediately of any suspected or real information security incident.  If it is unclear whether a situation should be considered an information security incident, ITS should be contacted to evaluate the situation.  ITS will be responsible for documenting and recording all information security incidents reported or discovered on the UNC Charlotte network.

1.  All information security incidents should be immediately reported to ITS:

  1. Send an email to SecurityIncident-group@uncc.edu with as much information as you can provide including date, time, and the nature of the incident.
  2. If unable to send email, contact the IT Service Desk at 704-687-5500 and report the incident.  IT Service Desk personnel will ensure the information you provide is directed to SecurityIncident-group@uncc.edu.

2.  If the potential information security incident involves a compromised computer system, take the following actions:

  1. Immediately remove the network cable to disconnect the computer from the network or disable the wireless card if using a wireless connection.
  2. The computer system should remain on, and all currently running computer programs should be left as is. Do not shut down or restart the computer.

3.  If the incident involves criminal activity, such as theft of a university resource or fraud, report it immediately to the UNC Charlotte Police and Public Safety Office.

4.  Notify the Data Security Officer or Information Security Liaison for your college or department.

VI.  Information Security Incident Response Team

When directed by the CIO and the Office of Legal Affairs, an Information Security Incident Response Team (ISIRT) will be convened and led by the CISO.  The ISIRT will include appropriate representatives from some or all of the following offices:

  1. ITS
  2. Office of Legal Affairs
  3. Controller’s Office
  4. Human Resources
  5. Internal Audit Department
  6. University Communications
  7. Risk Management, Safety and Security
  8. Grants and Contracts Administration
  9. Department of Police and Public Safety
  10. Data Security Officer or Information Security Liaison from the department or college impacted by the information security incident
  11. Vice Chancellor of the division impacted by the information security incident
  12. Chancellor’s Office

The ISIRT will plan and coordinate the activities of all the offices involved and will keep other relevant offices advised as appropriate.  In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of UNC Charlotte and others impacted by the incident. ITS will be responsible for documenting decisions made by the ISIRT.

The CISO will be responsible for writing the final report(s) to the appropriate UNC Charlotte office(s) that summarize findings regarding the information security incident and, if appropriate, making recommendations for improvement of related information security practices and controls.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee   12/18/14
Updated   2/04/16