Reporting an Information Security Incident or Weakness
What is an information security incident or weakness?
An information security incident is an unexpected event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, University information. It could be caused by loss/theft, insufficient control over access, equipment failure, human error, environmental causes such as fire, a hacking attack or deception. An information security weakness is where a threat to the security of this information has been identified but no loss has occurred. Examples include:
- Sensitive personal data being made publicly available on a website
- Student contact details and financial details being accidentally emailed to inappropriate recipients
- Loss of an unencrypted memory stick containing University information
- Paper copies of meeting papers being left unattended in a public place
What must be reported?
- Information security incidents involving personal or commercially-sensitive information, e.g.
  - Lost or stolen information and devices.
  - Incorrectly sent personal information.
  - Unauthorised access to information.
- Information security weaknesses that could lead to a loss of personal or commercially-sensitive information, e.g.
  - Individual challenged for identity and refused access.
  - Sensitive information left out when not in use.
Why should incidents and weaknesses be reported?
- Information security incidents may have statutory or contractual reporting requirements. Without timely visibility of the incident through reporting, we may not be able to fulfil legal obligations. Additionally, the longer an incident goes unreported, the longer a vulnerability may remain unaddressed, allowing the incident to escalate or further incidents to occur.
- Understanding information security weaknesses allows us to develop and implement more robust systems and processes that prevent weaknesses from becoming incidents.
Who should report?
- All employees, contractors and temporary workers.
- All students, when engaged on a programme of study or when working for the University in a paid or unpaid capacity.
- Third parties should report initially to their University contacts. The University contact should then report within the University. Third parties should not report incidents directly using this process unless contractually bound to do so.
When do I report incidents and weaknesses?
- Incidents and weaknesses should be reported as soon as possible after they are discovered.
Where do I report incidents and weaknesses?
- Where you think the incident is significant and requires immediate attention, telephone the CIS Service Desk on Ext 41515 (or 0191 334 1515), including out of hours; otherwise, use the self-service application.
- Report to the CIS Service Desk using the online self-service capability. This link will open the form directly. Otherwise, use the 'User Accounts and Security' option to open a new call to report a 'Security Incident or Data Breach'. Avoid using the 'New Call' option from the initial page, as this relates to IT break/fix calls, not security incidents.
How do I report the incident or weakness?
- Only basic details are required to report the incident or weakness.
- Respond to the questions from the online form or Service Desk Analyst. If submitting via email, provide an outline of what has happened or has been observed.
- Do not include any personal data involved in the incident.
- Support any investigation that arises as fully as possible. Information will be recorded in confidence and not retained within the workflow tool, to preserve security and confidentiality.
What happens after the report is made?
- The Information Security Incident Response Team will make an initial assessment to determine the next steps.
- The severity of the incident will inform and direct the appropriate level of leadership involvement.
- An investigation may be conducted using a variety of techniques and tools, including interviews, site visits and forensic analysis.
- The outputs of the investigation may include corrective and preventive actions, formal reporting or other communications.