Information Security Incident Management Standard

Title

University of North Carolina at Chapel Hill Information Security Incident Management Standard

Introduction

Purpose

Prompt, and consistent handling of Information Security Incidents helps the University minimize harm to people, property, operations, and institutional reputation. Goals of professional incident handling include: effective containment, timely recovery, evidence preservation, clear communication, and compliance with legal and contractual obligations.

This standard establishes the minimum expectations for reporting, escalating, and responding to unusual or unexpected activity related to information and technology resources at the University of North Carolina at Chapel Hill (“UNC-Chapel Hill” or “University”). It defines the roles and authorities of designated Information Security Incident Handlers authorized to perform security incident response on behalf of the University and roles and responsibilities of other members of the University Community. 

Scope

This Standard applies to all members of the University community, including students, faculty, staff, affiliates, contractors, and third parties who have a contractual or institutional obligation to report incidents or cooperate with response efforts in connection with: 

• University data, systems, networks, credentials, and services, whether hosted on-premises or in the cloud, by the University or a third party, and regardless of whether the University owns the data or is obligated to protect it under legal, regulatory, or contractual requirements. 
• Any device connected to the University network, regardless of ownership. Connecting a device to the University network constitutes acceptance of the requirements in this standard.  
• Concerning events that may indicate a possible Information Security Incident, including cases where the nature of the issue is unclear but may be related to information security. These events are covered by this Standard until a determination is made. 

Standard

If you believe that someone’s life may be in danger, call 911 at once!

Required Action 

If you experience unexpected, concerning, or unusual activity involving information or technology resources in scope that may be information security related, report it on the day of discovery to the Information Security Office. Do not attempt to investigate or resolve the issue on your own as unauthorized actions may destroy evidence, slow containment, or increase institutional risk. 

You must report by: 

• Calling the ITS Service Desk at (919) 962-HELP (4357) and requesting a critical incident be routed to the Information Security Office; or 
• Submitting a report via the "Report a Potential Cybersecurity Incident” form. 

Provide your contact information and remain available. An authorized Incident Handler may contact you shortly if further information is needed. 

While waiting for an Incident Handler: 

• Do not alter or investigate the system, device, or account involved. Leave everything as-is. 
• Do not communicate with any suspected attacker. 
• Do not share information about the incident externally or with others inside the University.

Your Responsibilities

As the person reporting: 

• Be ready to describe what you observed or experienced. You are not expected to know whether an Incident has occurred or is suspected. Your report of an unusual or concerning event will enable an authorized Incident Handler to assess the situation and determine whether it meets the criteria for investigation as a Suspected Incident. 
• Provide access to the system, device (including personal devices if applicable), or materials involved to authorized incident Handlers or as they direct. 
• Cooperate with authorized Incident Handler, including Information Security Office staff and designated campus partners. 
• If required, notify other required parties, such as local law enforcement, the Institutional Privacy Office, or the Institutional Review Board (IRB). The Incident Handler will advise you on when and how. 

If the Information Security Office determines that an Information Security Incident has occurred: 

• You may be asked to support analysis, containment, remediation, or notification efforts. 
• You must fully cooperate with all required University response activities until they are complete. 

Examples of What to Report 

You must report to the ISO any situation in which University accounts, data, systems, or credentials may be at risk. Examples include: 

• Lost or stolen devices containing University information, including personally owned laptops, phones, or tablets. 

• Unusual system or application behavior that could indicate malware or compromise, especially on computing devices with a Moderate or above protection obligation (e.g., handling Tier 2 or Tier 3 data). 

• Suspected account compromise, including unauthorized use of Onyen, Carolina Key, SSH keys, API credentials, or other University access methods. 

• Phishing attempts that may have succeeded.  

• Fraudulent financial activity, such as funds transferred to the wrong account or suspicious payment requests.

• Contractual or regulatory reporting obligations, notify the ISO during a report if you are under a contractual or regulatory reporting obligation that may require reporting if an information security incident has occurred. This includes research grants and data sharing agreements that require disclosure of suspected or confirmed information security incidents

• Suspicious screen-sharing or remote support activity that may have resulted in unauthorized access, even if it appeared to come from a trusted vendor. 

• Unexpected or repeated MFA prompts, which may indicate an attacker attempting to access your account. 

• Impersonation scams, such as gift card requests or financial demands that appear to come from University leadership or supervisors. 

• Threats involving University systems or data, including extortion, blackmail, or ransomware. 

• Incident reports from external parties, such as a vendor, contractor, or cloud service provider, notifying you of a data breach or suspected compromise involving University data or systems. 

Authority and Oversight 

The Chief Information Security Officer (CISO) and Chief Information Officer (CIO) serve as the University’s primary authorities on information security incidents. 

The CISO is responsible for: 

• Designating University employees as authorized to perform the incident response function. 
• Ensuring that incident response processes exist and are followed. 
• Coordinating the University's legal, contractual, and ethical obligations to respond to security incidents. 
• Directing any incident reporting to any third party that is required under law or contract (e.g. granting agencies). Reports must not be made outside of the University without this direction. Reports must not be made outside of the University without this direction.
• Representing the University with respect to cybersecurity incidents. 

Incident response activities are carried out by the Information Security Office or people formally designated by the CISO as Incident Handlers. The Incident Handlers may engage campus partners, such as: 

• Information Security Liaisons (ISLs), when explicitly directed and supported by the ISO. 
• Other units, such as the Office of University Counsel, the Institutional Privacy Office, and the Office of Emergency Management and Planning, as appropriate. 

ISLs have no investigative authority unless specifically tasked and directed by the Information Security Office under a coordinated response plan. 

Exceptions

You do not need to file a separate report under this standard if: 

• You have already reported the issue through another official University channel (e.g., Privacy Office, IRB, local law enforcement) and an Information Security Incident Handler has contacted you or been engaged as part of the response. 
• You received a generic phishing message and did not click on links, enter credentials, or take any compromising action. In this case, use the University's designated reporting method (see the Safe Computing website) and take no further action unless instructed. Note: This exception does not apply to targeted phishing, impersonation attempts, or incidents involving unauthorized account use. Note: This exception does not apply to targeted phishing, impersonation attempts, or incidents involving unauthorized account use.
• "Denial of Service" attacks: Professional IT staff with knowledge and expertise to do so are permitted to take steps to adjust host-based firewall rules, communicate with campus network/firewall IT staff, and take other routine steps to address the attack while waiting Incident Handler response to their report.

Definitions

See: Standard on Information Security Defined Terms for applicable definitions.

Related Requirements

Failure to follow this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who do not adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who do not adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.  

External Regulations and Consequences

• N.C. General Statutes, Chapter 75, Article 2A - Identity Theft Protection Act
• U.S. Department of Health & Human Services, HIPAA Security Rule
• U.S. Public Law 106-102, Gramm-Leach-Bliley Act (GLBA); particularly the "Safeguards Rule"
• U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA)
• N.C. General Statutes § 143B-920 - Reporting Stolen or Misused State Property to the SBI
• Federal Contracts Privacy Act of 1974
• Federal Information Security Management Act (FISMA)
• PCI Security Standards Council, Payment Card Industry Data Security Standards (PCI DSS)
  • American Express - Data Security Operating Policy
  • MasterCard - Account Data Compromise Event Management Best Practices
  • Visa - Responding to a Data Breach
  • Visa - What To Do If Compromised

University Policies, Standards, and Procedures

• Information Security Policy
• Data Network Policy
• Acceptable Use Policy
• Policy on Terms of Use for Administrative Systems
• Information Classification Standard 
• Information Security Liaison Standard 
• Safe Computing at UNC-Chapel Hill - Definition of Sensitive Information 
• Data Governance at UNC-Chapel Hill
• Protocol for Responding to Breaches of Protected Health Information (PHI)
• Policy on Reporting Actual, Attempted, or Suspected Misuse of University Resources
• Office of Human Research Ethics SOP 1401: Promptly Reportable Information
• Finance Procedure 603.2 - Procedure on Reporting Equipment Missing or Stolen During Normal Operations
• Finance Policy 107 - Customer Financial Record Safeguards
• Finance Policy 308 - Policy on Merchant Card Services
• Workplace Violence Policy
• Emergency Management Policy
• Other Resources for Reporting Concerns at UNC-Chapel Hill

Contact Information

Document History

• Effective Date and title of Approver: 6/30/2010 VC for Information Technology and CIO
• Revision and Review Dates, Change notes, title of Reviewer or Approver:
  • 9/19/14 Revised template, VC for IT and CIO
  • 10/13/2015 Review only, CISO
  • 10/17/2016 Review only, link added to references CISO
  • Retirement of Policy, superseded by Standard (see document change and date log in policy repository)
• Later document history maintained in the policy repository.