University of North Carolina at Chapel Hill Information Security Incident Management Standard
Introduction
Purpose
Prompt and consistent handling of Information Security Incidents helps the University minimize harm to people, property, operations, and institutional reputation. Goals of professional incident handling include effective containment, timely recovery, evidence preservation, clear communication, and compliance with legal and contractual obligations.
This standard establishes the minimum expectations for reporting, escalating, and responding to unusual or unexpected activity related to information and technology resources at the University of North Carolina at Chapel Hill (“UNC-Chapel Hill” or “University”). It defines the roles and authorities of designated Information Security Incident Handlers authorized to perform security incident response on behalf of the University and roles and responsibilities of other members of the University Community.
Scope
This Standard applies to all members of the University community, including students, faculty, staff, affiliates, contractors, and third parties who have a contractual or institutional obligation to report incidents or cooperate with response efforts in connection with:
- University data, systems, networks, credentials, and services, whether hosted on-premises or in the cloud, by the University or a third party, and regardless of whether the University owns the data or is obligated to protect it under legal, regulatory, or contractual requirements.
- Any device connected to the University network, regardless of ownership. Connecting a device to the University network constitutes acceptance of the requirements in this standard.
- Concerning events that may indicate a possible Information Security Incident, including cases where the nature of the issue is unclear but may be related to information security. These events are covered by this Standard until a determination is made.
Standard
If you believe that someone’s life may be in danger, call 911 at once!
Required Action
If you experience unexpected, concerning, or unusual activity involving in-scope information or technology resources that may be information security related, report it on the day of discovery to the Information Security Office. Do not attempt to investigate or resolve the issue on your own, as unauthorized actions may destroy evidence, slow containment, or increase institutional risk.
You must report by:
Provide your contact information and remain available. An authorized Incident Handler may contact you shortly if further information is needed.
While waiting for an Incident Handler:
- Do not alter or investigate the system, device, or account involved. Leave everything as-is.
- Do not communicate with any suspected attacker.
- Do not share information about the incident externally or with others inside the University.
Your Responsibilities
As the person reporting:
- Be ready to describe what you observed or experienced. You are not expected to know whether an Incident has occurred or is suspected. Your report of an unusual or concerning event will enable an authorized Incident Handler to assess the situation and determine whether it meets the criteria for investigation as a Suspected Incident.
- Provide access to the system, device (including personal devices if applicable), or materials involved to authorized Incident Handlers or as they direct.
- Cooperate with authorized Incident Handlers, including Information Security Office staff and designated campus partners.
- If required, notify other parties, such as local law enforcement, the Institutional Privacy Office, or the Institutional Review Board (IRB). The Incident Handler will advise you on when and how.
If the Information Security Office determines that an Information Security Incident has occurred:
- You may be asked to support analysis, containment, remediation, or notification efforts.
- You must fully cooperate with all required University response activities until they are complete.
Examples of What to Report
You must report to the ISO any situation in which University accounts, data, systems, or credentials may be at risk. Examples include:
- Lost or stolen devices containing University information, including personally owned laptops, phones, or tablets.
- Unusual system or application behavior that could indicate malware or compromise, especially on computing devices with a Moderate or above protection obligation (e.g., handling Tier 2 or Tier 3 data).
- Suspected account compromise, including unauthorized use of Onyen, Carolina Key, SSH keys, API credentials, or other University access methods.
- Fraudulent financial activity, such as funds transferred to the wrong account or suspicious payment requests.
- Contractual or regulatory reporting obligations: notify the ISO during a report if you are under a contractual or regulatory reporting obligation that may require reporting if an information security incident has occurred. This includes research grants and data sharing agreements that require disclosure of suspected or confirmed information security incidents.
- Incident reports from external parties, such as a vendor, contractor, or cloud service provider, notifying you of a data breach or suspected compromise involving University data or systems.
Authority and Oversight
The Chief Information Security Officer (CISO) and Chief Information Officer (CIO) serve as the University’s primary authorities on information security incidents.
The CISO is responsible for:
- Designating University employees as authorized to perform the incident response function.
- Ensuring that incident response processes exist and are followed.
- Coordinating the University's legal, contractual, and ethical obligations to respond to security incidents.
- Directing any incident reporting to any third party that is required under law or contract (e.g., granting agencies). Reports must not be made outside of the University without this direction.
- Representing the University with respect to cybersecurity incidents.
Incident response activities are carried out by the Information Security Office or people formally designated by the CISO as Incident Handlers. The Incident Handlers may engage campus partners, such as:
- Information Security Liaisons (ISLs), when explicitly directed and supported by the ISO.
- Other units, such as the Office of University Counsel, the Institutional Privacy Office, and the Office of Emergency Management and Planning, as appropriate.
ISLs have no investigative authority unless specifically tasked and directed by the Information Security Office under a coordinated response plan.
Exceptions
You do not need to file a separate report under this standard if:
- You have already reported the issue through another official University channel (e.g., Privacy Office, IRB, local law enforcement) and an Information Security Incident Handler has contacted you or been engaged as part of the response.
- You received a generic phishing message and did not click on links, enter credentials, or take any compromising action. In this case, use the University's designated reporting method (see the Safe Computing website) and take no further action unless instructed. Note: This exception does not apply to targeted phishing, impersonation attempts, or incidents involving unauthorized account use.
- "Denial of Service" attacks: Professional IT staff with the knowledge and expertise to do so are permitted to adjust host-based firewall rules, communicate with campus network/firewall IT staff, and take other routine steps to address the attack while awaiting an Incident Handler's response to their report.
Definitions
See: Standard on Information Security Defined Terms for applicable definitions.
Related Requirements
Failure to follow this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who do not adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who do not adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.
External Regulations and Consequences
University Policies, Standards, and Procedures
Contact Information
Document History
- Effective Date and title of Approver: 6/30/2010 VC for Information Technology and CIO
- Revision and Review Dates, Change notes, title of Reviewer or Approver:
- 9/19/14 Revised template, VC for IT and CIO
- 10/13/2015 Review only, CISO
- 10/17/2016 Review only, link added to references, CISO
- Retirement of Policy, superseded by Standard (see document change and date log in policy repository)
- Later document history maintained in the policy repository.