Commentary on reporting, containing, and recovering from data disclosures and security breaches at the University
The University deploys safeguards throughout the University environment to protect systems and data as part of a program to protect non-public and confidential information about UGA students, staff, customers, etc. Unfortunately, these preventative safeguards sometimes fail: hackers break into systems, computers are infected with viruses and malware, cyber attacks disrupt or deface systems, and confidential data is inadvertently disclosed to the public or to unauthorized individuals. These kinds of failures of computer security or data privacy are referred to as computer security incidents.
When computer security incidents do occur, they should be handled responsibly. Responsible incident handling involves making sure incident response procedures are followed in order to contain or eradicate any threats or issues, diligently investigating and reporting the incident, taking appropriate steps to recover from the incident, and, if deemed necessary at any point, taking appropriate steps to escalate issues to senior management, law enforcement, or other key stakeholders.
The University System of Georgia Computer Security Incident Management Policy requires that the University establish and document information security incident management capabilities. These capabilities should include the ability to contain incidents, and should provide for prompt investigation, reporting, and, if necessary, escalation of any incidents involving losses/damages, misuse of systems, or unauthorized access to information.
Some laws, regulations and contractual requirements that apply to parts of the University, including HIPAA and PCI Data Security Standards, also require similar incident response capabilities and procedures.
Currently, UGA meets these responsibilities with the UGA Incident Response Team. The team is composed primarily of members of the Office of Information Security, but, depending on the nature or the severity of a particular incident, the team may also include members from the Office of Legal Affairs, External Affairs, and management and/or IT staff from any affected UGA departments/units.
The team follows established and documented procedures for responding to any particular incident, and ensures that appropriate investigation, reporting, recovery, and escalation steps are taken after an incident has been contained.
The University's position has been that, in order to ensure compliance with USG policies, regulations, etc., and to ensure incidents are handled responsibly, departments should report computer security incidents to the Incident Response Team.
After an incident has been reported by a department, the Incident Response Team will collaborate with that department to contain the incident. This may include temporarily incorporating staff or management from the department into the Incident Response Team.
Procedures for reporting an incident and taking initial containment steps can be found at the Report an Incident page.