Security Incident Management Responsibilities
Computer Security Incident Management at UGA
Commentary on reporting, containing, and recovering from data disclosures and security breaches at the University
Computer security incidents
The University deploys safeguards throughout the University environment to protect systems and data as part of a program to protect non-public and confidential information about UGA students, staff, customers, etc. Unfortunately, these preventative safeguards sometimes fail--hackers break into systems, computers are infected with viruses and malware, cyber attacks disrupt or deface systems, and confidential data is inadvertently disclosed to the public or to the unauthorized individuals. These kinds of failures of computer security or data privacy are referred to as computer security incidents.
Incident management
When computer security incidents do occur, they should be handled responsibly. Responsible incident handling involves making sure incident response procedures are followed in order to contain or eradicate any threats or issues, diligently investigating and reporting the incident, taking appropriate steps to recover from the incident, and, if deemed necessary at any point, taking appropriate steps to escalate issues to senior management, law enforcement, or other key stakeholders .
University responsibilities for managing incidents
The University System of Georgia (USG) Cybersecurity Incident Reporting webpage requires that the University establish and document information security incident management capabilities consistent with the security reporting requirements as noted in Section 5.3 and 5.10 of the USG Information Technology Handbook.
Some laws, regulations and contractual requirements that apply to parts of the University, including HIPAA and PCI Data Security Standards, also require similar incident response capabilities and procedures.
Incident Response Team
Currently, UGA meets these responsibilities with the UGA Incident Response Team. The team is composed primarily of members of the Office of Information Security, but, depending on the nature or the severity of a particular incident, the team may also to include members from the Office of Legal Affairs, External Affairs, and management and/or IT staff from any affected UGA departments/units.
The team follows established and documented procedures for responding to any particular incident, and ensures that appropriate investigation, reporting, recovery, and escalation steps are taken after an incident has been contained.
Department/unit/college responsibility for reporting computer security incidents to the UGA Incident Response team
The University's position has been that, in order to ensure compliance with USG policies, regulations, etc. and to ensure incidents are handled responsibly, departments should report computer security incidents to the Incident Response Team.
After an incident has been reported by a department, the Incident Response Team will collaborate with that department to contain the incident. This may include temporarily incorporating staff or management from the department into the Incident Response Team.
How to report computer security incidents to the UGA Incident Response team
Procedures for reporting an incident and taking initial containment steps can be found at the Report an Incident page.