Guideline for Reporting Information Security Incidents
I. Purpose
The purpose of this document is to provide guidance for reporting potential or real information security incidents in order to ensure that every member of the UNC Charlotte community can identify a potential information security incident and follow established steps to report the incident through the appropriate channels.
II. Scope
This guideline is applicable to UNC Charlotte faculty, staff, students and all authorized users granted use of university information resources. Every authorized user of university information resources has a responsibility toward the protection of those resources.
III. Contacts
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@charlotte.edu.
IV. Examples of Information Security Incidents
An information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operation; or violation of acceptable use policies. Examples of information security incidents include:
- Employee, student or other authorized user has the ability to view sensitive or confidential information on a university system that should not be available to them.
- Account issued to conduct University business (NinerNET, other enterprise system, third-party access) appears to have been compromised, as evidenced by changes to the account, files, or email that were not made by the owner of the account.
- Individual has discovered university information on a public website that appears to contain confidential or sensitive information.
- Compromise or attack of a computer or server has been detected.
- Card reader equipment appears to have been tampered with or stolen.
- Laptop containing sensitive or confidential information has been lost or stolen.
- Attempts to illicitly obtain a University account holder’s credentials in order to gain access to university resources.
- Provisioning of access to university system(s) or resources without proper authorization.
- An employee, student or other authorized user is sharing their login or password information.
V. Guidelines
UNC Charlotte faculty, staff, students, and all authorized users granted use of university information resources must notify OneIT immediately of any suspected or real information security incident. If it is unclear whether a situation should be considered an information security incident, OneIT should be contacted to evaluate the situation. OneIT will be responsible for documenting and recording all information security incidents reported or discovered on the UNC Charlotte network.
1. All information security incidents should be reported immediately to OneIT by one of the following methods:
- Send an email to SecurityIncident-group@charlotte.edu with as much information as you can provide including date, time, and the nature of the incident;
- Go to the Security Incident Response and Investigation webpage and submit an incident report form;
- Contact the IT Service Desk at 704-687-5500 and report the incident. IT Service Desk personnel will ensure the information you provide is directed to SecurityIncident-group@charlotte.edu.
2. If the potential information security incident involves a compromised computer system, leave the computer system on and as-is, with all current computer programs running and its current state of network access unchanged. Do not shut down the computer, restart the computer or remove the computer from the network until/unless directed to do so by the OneIT incident response team.
3. If the incident involves criminal activity, such as theft of a university resource or fraud, report it immediately to the UNC Charlotte Police and Public Safety Office.
4. Notify the Data Security Officer or Information Security Liaison for your college or department.
VI. Information Security Incident Response Team
When directed by the CIO and the Office of Legal Affairs, an Information Security Incident Response Team (ISIRT) will be convened and led by the CISO. The ISIRT will include appropriate representatives from some or all of the following offices:
- Office of OneIT
- Office of Legal Affairs
- Financial Services
- Human Resources
- Internal Audit
- University Communications
- Safety and Security
- Grants and Contracts Administration
- Police and Public Safety
- Data Security Officer or Information Security Liaison from the department or college impacted by the information security incident
- Vice Chancellor of the division impacted by the information security incident
- Chancellor’s Office
The ISIRT will plan and coordinate the activities of all the offices involved and will keep other relevant offices advised as appropriate. In carrying out this responsibility, the ISIRT will ensure that important operational decisions are elevated to the appropriate levels to protect the fundamental interests of UNC Charlotte and others impacted by the incident. OneIT will be responsible for documenting decisions made by the ISIRT.
The CISO will be responsible for writing the final report(s) that summarize findings regarding the information security incident and, if appropriate, making recommendations for improvement of related information security practices and controls.
Related Resources
- University Policy 311 Information Security
- Standard for Managing Information Security Incidents
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by Information Assurance Committee 12/18/14
Updated 11/04/21