Information Security Incident Management Policy v1.0: Revision History

This document outlines Oxford Brookes University's policy for managing information security incidents. It defines an information security incident, provides examples, and establishes procedures for reporting, investigating, containing, recovering from, notifying relevant parties, and reviewing incidents. Key personnel and bodies responsible for the incident response process are identified, including the IT Service Desk, Information Management team, Response Team, CIO, and Senior Management Team. The policy aims to minimize risks from incidents and ensure legal obligations for protecting data are met.


Information Security Incident Management Policy v1.0

Organisation:                    Oxford Brookes University
Title:                           Information Security Incident Management Policy
Creator:                         Gareth Packham - Head of Information Management
Approvals Required:              1. Information Security Working Group  2. CIO  3. Executive Board
Version:                         Version 1.0
Owner:                           Chief Information Officer
Subject:                         The formal approved information security incident management policy of Oxford Brookes University
Review date and responsibility:  Annually by Head of Information Management

Revision History

Date      Author           Version Number   Comments
14/09/16  Gareth Packham   0.1 (draft)      Original draft
25/11/16  Gareth Packham   1.0 (live)       Minor revisions following review by Legal Services

1. Introduction and Scope

1.1 The University holds a large amount of information in a variety of media, physical and
otherwise (including photos and videos). This includes personal and sensitive
personal data, and also non-personal information which may be sensitive or
commercially confidential (e.g. financial data) and may be subject to legal obligations
of confidence, whether contractual or otherwise.

1.2 The University has legal responsibilities both under the Data Protection Act and in
respect of its own business (for example, under the common law of confidence) to
safeguard information in its control. Care should be taken to protect information, to
ensure its integrity and to protect it from loss, theft or unauthorised access.

1.3 In the event of an information security incident (also referred to as a ‘data breach’), it
is vital that appropriate action is taken to minimise associated risks. A risk analysis
should be performed; the factors which need to be considered are:

● The number of individuals affected
● Type of data involved
● Impact (on individuals, the University or its contractors)

1.4 Any member of staff, student, contractor or pseudo-employee discovering or
suspecting an information security incident must report it in accordance with this
policy.

2. What is an information security incident?

2.1 An information security incident is an event whereby data held by the University, in
any format, is compromised by being lost, destroyed, altered, copied, transmitted,
stolen, used or accessed unlawfully or by unauthorised individuals whether
accidentally or on purpose. Some examples:

● Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone
● Unauthorised access to data
● Human error, e.g. emails to wrong recipient; public posting of confidential
material online; incorrect sharing of Google documents
● Failure of equipment or power leading to loss of data
● Hacking attack
● Data maliciously obtained by way of social engineering (an attack in which a user
is ‘tricked’ into giving a third party access, often by purporting to be someone
other than they actually are)

2.2 Information security incident reporting also includes instances of ‘near misses’ and
identification of vulnerabilities where IT Services considers there is a high likelihood
of an actual incident occurring.

3. Reporting of the breach

3.1 All information security incidents should be reported immediately to the IT Service
Desk (via phone on ext. no. 3311, or the ServiceNow Portal), as the primary point of
contact.

3.2 The report should include full and accurate details of the incident, including who is
reporting the incident; what type of data is involved (not the data itself unless
specifically requested); if the data relates to people and if so, how many people are
involved.

3.3 The IT Services Information Management team is responsible for maintaining a
confidential log of all information security events.

4. Investigation and Response

4.1 The Information Management team will consider the report, and where appropriate,
instigate a Response Team. IT Services will lead the Response Team and
membership will depend on the type and severity of the incident. The Response Team
will be responsible for investigating the circumstances and effect of the information
security incident. An investigation will be started into material breaches within 24
hours of the breach being discovered, where practicable.

4.2 The investigation will establish the nature of the incident, the type of data involved,
whether the data is personal data relating to individuals or otherwise confidential or
valuable. If personal data is involved, associated individuals must be identified and, if
confidential / valuable data is concerned, what the legal and commercial
consequences of the breach may be.

4.3 The investigation will consider the extent of the sensitivity of the data, and a risk
assessment performed as to what might be the consequences of its loss. This will
include risk of damage and/or distress to individuals and the institution.

4.4 The Response Team is responsible for formally documenting the incident and
associated response. This information will (as a minimum) be subject to review by
the Oxford Brookes University Information Security Working Group (ISWG) with
serious incidents reviewed by the Chief Information Officer and other senior
managers.

5. Containment and Recovery

5.1 The Response Team and IT Services Lead will determine the appropriate course of
action and the required resources needed to limit the impact of the breach. For
instance this may require isolating a compromised section of the network; alerting
relevant staff or contractors; changing access codes/locks or shutting down critical
equipment.

5.2 Appropriate steps will be taken to recover data losses and resume normal business
operation. This might entail attempting to recover any lost equipment, using backup
mechanisms to restore compromised or stolen data and changing compromised
passwords.

5.3 For incidents that involve a suspected or actual criminal offence all efforts will be
made to preserve evidence integrity.

6. Escalation & Notification

6.1 The details of the escalation and notification process are schematised in the
appendix. A summary of this process is provided below.

6.2 The Information Management team is responsible for initial assessment of an
incident's severity based on the scope, scale and risk of the incident.

6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy,
Information Management and Business Partnerships.

6.4 If at this stage the incident is deemed serious then the University Senior
Management Team will be notified.

6.5 If a personal data breach has occurred of sufficient scale, the Information
Management team will notify the Information Commissioner’s Office (ICO) within the
prescribed statutory time limits and manage all communications between the
University and the ICO.

6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and
concerns personal data, notice of the breach will be made to affected individuals to
enable them to take steps to protect themselves. This notice will include a description
of the breach and the steps taken to mitigate the risks, and will be undertaken by the
Response Team. Liaison with the Police or other authorities may be required for
serious events.

7. Review

7.1 Once the incident is contained a thorough review of the event will be undertaken by
the Response Team, to establish the cause of the incident, the effectiveness of the
response and to identify areas that require improvement.

7.2 Recommended changes to systems, policies and procedures will be documented
and implemented as soon as possible thereafter. Targeted training may be offered to
the department affected.

7.3 All information security incidents will be subject to summary review by the ISWG so
that any weaknesses or vulnerabilities that may have contributed to the incident can
be identified, documented and resolved.

APPENDIX: Information Security Incident Escalation Process
