Information governance incident management control procedure
Guidance on what constitutes an Information Governance incident and how this should be reported.
Policy statement
This control procedure defines the university’s approach to information governance incidents and directly supports the following policy statement from the Information Security Policy:
“Guidance will be available on what constitutes an information security incident and how this should be reported. Actual or suspected breaches of information security must be reported and will be investigated. Appropriate corrective action will be taken and any learning built into controls.”
Audience
This procedure is intended to be read and understood by all users accessing university information in electronic or paper format, IT systems, networks or software using any university or personally owned device.
Control statements
In the event of an information governance incident, it is vital that appropriate corrective measures are taken to reduce the primary impact and minimise secondary risks resulting from the incident. It is also necessary to appropriately log incidents and learn from them so that preventative measures can be put in place to prevent similar incidents occurring again.
Responsibilities
All users who access, use or manage university information are responsible for reporting information governance incidents. This includes concerns about security of an IT account, computer or university IT service, as well as loss or inappropriate disclosure of paper information, or weaknesses in a business process.
Information Asset Owners (IAOs) and Information Asset Managers (IAMs) have explicit responsibilities in reporting and following-up on incidents in their areas. (See section 4, below.)
Definition of an incident
An information governance incident is a suspected, attempted, successful, or imminent breach of security leading to the threat of or actual accidental, unlawful or unauthorised access to, use, disclosure, breach/loss, modification, or destruction of information, including personal information as defined by the UK’s data privacy regulations; interference with the operation of information systems; or a breach of information security policy or procedures, including the acceptable use of IT systems.
Examples include, but are not limited to:
- Loss or theft of data or equipment on which such data is stored (e.g. laptop, paper records)
- A system weakness (e.g. use of deprecated cryptographic protocols)
- Unauthorised access to data or information systems (e.g. resulting from sharing passwords or credential theft)
- Unauthorised disclosure of information (e.g. email or document sent to incorrect address or individual, attaching and sending an incorrect attachment)
- Disclosure of payment card information to unauthorised users or processes
- Malware infection
- Disruption to information systems or denial of service
Reporting an incident
All incidents should be reported promptly to the information governance team by completing the Assist form.
The notification should include as much detail as possible. Guidance on what to include is as follows:
- Date and time of the incident.
- What information or systems are involved, including volume.
- What has happened.
- How the incident was discovered.
- What containment and recovery actions, if any, have already occurred.
- Details of who to contact for further information.
An initial assessment will be made to establish the severity of the incident and who the lead investigating officer will be. The lead investigating officer will be determined on a case-by-case basis and the decision will be made through dialogue between the information security and legal teams.
All incidents will be logged to ensure appropriate oversight of the types and frequency of confirmed incidents for management and reporting purposes. The lead investigating officer will determine whether the incident has involved the loss of confidentiality, integrity and/or availability of university information, or whether it should be logged as a ‘near miss’.
Where necessary, incidents will be escalated to ensure appropriate oversight by senior management. Escalation may include informing members of the Information Governance Board or UEG. In these scenarios the Senior Information Risk Owner (SIRO) will act as the initial point of escalation to key staff outside the information governance team, likely to include UEG and PSLT members responsible for key stakeholder groups, and External Relations.
Containment and recovery
For technical issues the information security team maintains a series of playbooks and procedures that deal with predictable scenarios, including phishing attacks and ransomware. They will also use the IT and Digital Major Incident Procedure as required.
The lead investigating officer along with relevant team members will determine the appropriate course of action needed to limit the impact of the incident. This might require isolating a compromised area of the network, shutting down critical equipment or contacting incorrect recipients to ask that they ignore and dispose of information accidentally compromised.
Appropriate steps will be taken to recover system or data losses to resume business as usual activity as soon as possible. This might involve attempting to recover lost equipment, using backup mechanisms to restore compromised or stolen data, or changing compromised passwords.
The incident response will involve the relevant Information Asset Owners (IAOs) and Information Asset Managers (IAMs), allowing an assessment of the risks to their business area and ensuring they can assist with the implementation of practical, corrective measures to contain an incident.
IAO and IAM involvement will be based on risk and on meaningful actions that can be taken forward as the result of an incident. Risk will be assessed by the lead investigating officer using criteria that are consistent across the information governance teams. These criteria can be found in the information risk management policy and are supplemented by specific data breach guidance held by the legal team.

| Incident risk rating | Proposed IAO/IAM involvement |
| --- | --- |
| High risk | Notify IAM and IAO of the incident and request involvement in the containment, recovery and closure of the incident. |
| Medium risk | Notify IAM of the incident and request their involvement with follow-up actions and confirmation that they have taken place. |
| Low risk | Notify IAM of the incident and of any immediate follow-up actions that have taken place. |
Further review of incidents may require IAMs and/or IAOs to take preventative actions to protect against recurrence. IAMs and/or IAOs will work with the lead investigating officer to agree these measures, to ensure they are practical but achieve our goal of minimising further risk.
Such follow-up actions may require staff to complete additional information governance training or the amendment of department or faculty processes. IAMs and/or IAOs shall be expected to oversee the completion of the actions and feed back to the lead investigating officer.
Biannual reporting of incidents will be highlighted to the Senior Information Risk Owner, IAOs and IAMs to ensure information risk is understood across the organisation and proactively managed.
Closure meetings
For medium or high-risk incidents, a closure meeting will be held between relevant information governance colleagues as determined by the investigation, and the relevant IAM and/or IAO. If the incident is assessed as high risk, the IAO must be included within the closure meeting.
Before the incident is formally closed within the incident log, the closure meeting will be used to:
- Determine whether all actions have been completed.
- Determine whether any subsequent actions are required.
- Provide any updates on notifications to external parties or the data subjects.
- Review how the incident was managed.
Contact with external agencies
Once an incident has been reported, consideration should be given to any external agencies or stakeholders that may need to be contacted.
If the incident involves the JANET network the information security team will report to the JANET Computer Security Incident Response Team (CSIRT). JISC can be contacted on 0300 999 2340 or by emailing [email protected]
The information security team will consider reporting the incident to the National Cyber Security Centre (NCSC) via their web form tool at https://www.ncsc.gov.uk/scheme/cyber-incidents; the NCSC may be able to provide further incident response assistance, including assisting with recovery.
The information security team will consider reporting incidents involving criminal behaviour to the Police or Action Fraud.
If a breach involving personal information has occurred which results in a risk to the rights and freedoms of data subjects, it must be reported to the Information Commissioner’s Office within 72 hours. Support, engagement and cooperation of all incident stakeholders is essential to ensuring this reporting requirement can be met. The lead investigating officer should notify the Data Protection Officer of any incidents which are believed to have reached this threshold. The Data Protection Officer is responsible for advising whether the breach should be reported to the Information Commissioner’s Office and/or to the data subjects, and what guidance should be provided.
If an incident leads to a ‘reportable event’ as per guidance from the Office for Students (OfS), the lead investigating officer shall work with the Data Protection Officer, Chief Information Security Officer, relevant IAOs, SIRO and University Chief Operating Officer to ensure that the OfS is notified of the event. Updates shall also be provided to the Information Governance Board and University Executive Group.
A reportable event is defined as: ‘any event or circumstance that, in the judgement of the OfS, materially affects or could materially affect the provider’s legal form or business model, and/or its willingness or ability to comply with its conditions of registration’.
If the incident involves personal information including financial data about students in receipt of US federal student loans, consideration will need to be given as to whether US Federal Regulatory agencies including the Federal Trade Commission need to be informed in line with the Financial Services Modernization Act of 1999. Legal and Information Security will work together to determine the need for reporting in these instances.
Compliance
Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.
Compliance checks will be undertaken by the university’s information governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.
Review
A review of this policy will be undertaken by the information security team annually or more frequently as required, and will be approved by the Information Governance Board.
Version: 3.6
Release date: 10/09/2024
Review date: 10/08/2025