
Information Technology Handbook

5.4 Incident Management

Version date: February 22, 2013

USG institution, USO, and GPLS management must investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, and the GPLS are required to report information security incidents consistent with the security reporting requirements as noted in Section 5.7 of this Handbook.

Proper incident management includes the formulation and adoption of a written incident management plan, which provides for the timely assembly of appropriate staff who are capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents.

In addition, incident management includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. All institution, USO, and GPLS incident management policies and plans must be on file at USG Information Security & ePrivacy. The USO and the USG CISO will file an electronic copy of the USG-USO Incident Response Plan with the State CISO and the Georgia Bureau of Investigation (GBI), per the State Incident Response Reporting Standard.

The process by which computer abuse cases are handled and escalated is shown in the Abuse Notification document posted on the Information Security website at: www.usg.edu/infosec/incident_management.

5.4.1 Information Security Incident Reporting Requirements

All USG institutions, the USO, and the GPLS must establish a Computer Security Incident Response (CSIR) plan to respond to and manage adverse activities or actions that threaten the successful conduct of teaching, instruction, research and operations in the USG. This plan should follow existing USG policies and standards, industry best practices, and International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) guidelines. This plan must be on file with USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.7 of this Handbook.

5.4.2 Criteria for Reporting Incidents

USG institution, USO, and GPLS management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, and the GPLS are required to report information security incidents consistent with the security reporting requirements of this policy. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.7 of this Handbook.

5.4.3 Incident Follow-up Report

In addition, an incident follow-up report must be submitted that includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.7 of this Handbook.

5.4.4 Incidents Involving Personal Information

Every USG institution, the USO, and the GPLS that collects, uses, or maintains records containing personal information shall establish and maintain in its incident management plan procedures for ensuring that any breach of security involving personal information, regardless of its medium (e.g., paper, electronic, verbal), immediately triggers the incident response procedures. Procedures must be documented and address, at a minimum, the following:

  1. Incident Response Team. Procedures shall identify the positions responsible for responding to a breach of personal information. A response team must include, at a minimum, an escalation manager, the program manager of the program or office experiencing the breach, the ISO, the Senior Official for Privacy, the Public Information or Communications Officer, Legal Counsel, and a representative from the institution, USO, or GPLS IS organization. Some incidents will require the involvement of others not mentioned above. For example, if the source of the compromised information was a computer system or database, the USG CIO should also be involved in the response activity. If the incident involves unauthorized access, misuse, or other inappropriate behavior by an employee, or the security breach involves an employee’s personal information, the institution, USO, or GPLS Personnel Officer or Human Resource Manager should be involved.

  2. Protocol for Internal Reporting. Procedures shall outline the method, manner, and progression of internal reporting to ensure that executive management is informed about breaches involving personal information; the institution, USO, or GPLS Incident Response Team is assembled; and, the incident is addressed immediately.

  3. Decision Making Criteria and Protocol for Notifying Individuals. Procedures shall include documentation of the methods and manner for determining when and how a notification is to be made. The procedures shall be consistent with and comply with USG policies and applicable state and federal laws. At a minimum, these procedures will address the following elements:

    • Whether the notification is required by law;
    • Whether the notification is required by USG or state or federal policy;
    • Timeliness of notification;
    • Source of notice;
    • Content of notice;
    • Approval of notice prior to release;
    • Method(s) of notification;
    • Preparation for follow-on inquiries;
    • Other actions that can be taken to mitigate harm to individuals; and,
    • Other situations when notification should be considered.
  4. Notice to Affected Individuals. Procedures shall provide for notice to individuals when a breach of notice-triggering data elements occurs, regardless of the media involved (electronic or paper), in accordance with the criteria set forth above.

  5. Breach Notification Trigger. The USG requires that notification be made to individuals when the breach involves unencrypted “Notice Triggering” personal information as defined in this section. Strictly, the law applies only to a breach involving computerized data. However, the USG has taken the position that notification should also be made when a breach of the same “Notice Triggering” data involves paper or other types of media, because such a breach exposes individuals to the same financial and identity theft risks. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining trust in the USG. The objective is to notify individuals in a timely manner so that they may take appropriate steps to protect themselves.

For more information, refer to the USG Computer Security Incident Management Standard and the USG Incident Response and Reporting Standard below.

5.4.5 USG Computer Security Incident Management Standard

This section establishes a requirement that each USG institution, the USO, and the GPLS establish a process for detecting and responding to security incidents.

5.4.5.1 Purpose

The number of computer security incidents, and the resulting cost of business disruption and service restoration, continue to escalate. Implementing sound security policies, limiting access to networks and computers, improving user security awareness, and detecting and mitigating security risks early are preventive actions that reduce the risk, frequency, and cost of security incidents, but not all incidents can be prevented. Therefore, an incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. This standard establishes the requirement for each USG institution, the USO, and the GPLS to establish an internal capability for handling computer security incidents.

5.4.5.2 Scope, Authority, Enforcement, Exceptions

5.4.5.3 Standard

Each USG institution, the USO, and the GPLS shall establish and document an internal information security incident management capability that provides for prevention, monitoring, detection, containment, response, recovery, reporting and escalation appropriate to the level of risk and threats to the participant organization.

USG institution, USO, and GPLS management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, and the GPLS are required to report information security incidents according to the security reporting requirements in this standard.

5.4.5.4 Related Enterprise Policies, Standards, Guidelines

USG Incident Response and Reporting Standard

5.4.5.5 References

Please see NIST SP 800-61, Computer Security Incident Handling Guide: http://csrc.nist.gov/publications/nistpubs

5.4.5.6 Terms and Definitions

Incident Management is the process of detecting, mitigating, and analyzing threats or violations of security policies and controls and limiting their effect.

Computer Security Incident is a violation (breach) or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices, which may include, but are not limited to:

  • widespread infections from virus, worms, Trojan horse or other malicious code;
  • unauthorized use of computer accounts and computer systems;
  • unauthorized, intentional or inadvertent disclosure or modification of sensitive/critical data or infrastructure;
  • intentional disruption of critical system functionality;
  • intentional or inadvertent penetration of firewall;
  • compromise of any server, including Web server defacement or database server;
  • exploitation of other weaknesses, known or unknown;
  • child pornography;
  • attempts to obtain information to commit fraud or otherwise prevent critical operations or cause danger to state, system, or national security;
  • violations of state or USG security policies or standards that threaten or compromise the security objectives of state or USG data, technology, or communications systems; and,
  • any violation of the “Appropriate Use Policy.”

5.4.6 USG Incident Response and Reporting Standard

This section sets minimum requirements for information security incident response and reporting.

5.4.6.1 Purpose

In support of the USG “Computer Security Incident Management” policy, each institution, the USO, and the GPLS must implement an information security incident handling capability. This standard establishes the minimum incident response and reporting requirements.

5.4.6.2 Scope, Authority, Enforcement, Exceptions

5.4.6.3 Standard

  1. Each USG institution, the USO, and the GPLS must implement an incident management capability including documented processes and procedures for monitoring, detection, data collection, analysis, containment, recovery, response, reporting and escalation.
  2. All incident response reporting and escalation procedures must be formally documented and approved by the USG CISO with review by the GBI as required by state law.
  3. Upon discovery of any incident that meets the criteria defined below:
    • The incident must be reported following the USG Information Security Incident Notification and Reporting Instructions found at the USG Information Security & ePrivacy web site: http://www.usg.edu/infosec
    • The report must be submitted to USG Information Security & ePrivacy within five (5) days of the participant organization becoming aware of an incident involving the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.
    • Each participant organization must train its employees on how to recognize and report incidents in accordance with the reporting and escalation procedures.
  4. Participant organizations must have a designated and recorded incident management point of contact.
  5. USG institutions must report all security incidents or events of interest affecting systems or data categorized as moderate or high for any of the security objectives of confidentiality, integrity, or availability to USG Information Security & ePrivacy through the ITS Helpdesk at 706-583-2001, or 1-888-875-3697 (Toll free within Georgia).

5.4.6.4 Related Enterprise Policies, Standards, Guidelines

USG Computer Security Incident Management Standard

5.4.6.5 References

USG Office of Information Security & ePrivacy: http://www.usg.edu/infosec/incident_management/

These documents can be found in PDF and zipped PDF formats at: http://csrc.nist.gov/publications/nistpubs

  • NIST SP 800-61, Computer Security Incident Handling Guide
  • NIST SP 800-83, Guide to Malware Incident Prevention and Handling
  • NIST SP 800-28, Guidelines on Active Content and Mobile Code
  • NIST SP 800-19, Mobile Agent Security

5.4.6.6 Terms and Definitions

Incident Response Management - the process of detecting, mitigating, and analyzing threats or violations of security policies and limiting their effect.

Computer Security Incident - a violation (breach) or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices, which may include, but are not limited to:

  • widespread infections from virus, worms, Trojan horse or other malicious code;
  • unauthorized use of computer accounts and computer systems;
  • unauthorized, intentional or inadvertent disclosure or modification of sensitive/critical data or infrastructure;
  • intentional disruption of critical system functionality;
  • intentional or inadvertent penetration of firewall;
  • compromise of any server, including Web server defacement;
  • exploitation of other weaknesses;
  • child pornography;
  • attempts to obtain information to commit fraud or otherwise prevent critical operations or cause danger to state or national security; and
  • violations of state security policies or standards that threaten or compromise the security objectives of the state’s data, technology, or communications systems.

Event of Interest - a questionable or suspicious activity that could threaten the security objectives for critical or sensitive data or infrastructure. Such activity may or may not have criminal implications.
