Information Resources Use and Security Policy
13. Incident Management
13.1. Incidents involving computer security will be managed by the Information Security Office and will be reported as required by federal or state law or regulation.
13.2. The Information Security Office is required to establish and follow Incident Management Procedures to ensure that each incident is reported, documented and resolved in a manner that restores operation quickly and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions.
13.3. All faculty members, staff, and/or students shall report promptly any unauthorized or inappropriate disclosure of Category-I Digital Data, including social security numbers, to: the University Information Security Officer (via security@utexas.edu or 512-475-9242); their supervisors; and/or the university's compliance hotline (via helpline@compliance.utexas.edu or 1-877-888-0002).
13.4. The University Information Security Officer shall report to the UT System CISO incidents involving computer security that compromise the security, confidentiality, or integrity of Category-I Digital Data or personal identifying information it maintains.
13.5. The university shall disclose, in accordance with applicable federal or state law, incidents involving computer security that compromise the security, confidentiality, and/or integrity of personal identifying information it maintains to Data Owners and any resident of Texas whose personal identifying information was, or is reasonably believed to have been, acquired without authorization.
13.5.1. Disclosure shall be made as quickly as possible upon the discovery or receipt of notification of the incident, taking into consideration (a) the time necessary to determine the scope of the incident and restore the reasonable integrity of operations or (b) any request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation.
13.6. The Information Security Office's Incident Management Procedures must incorporate the following:
13.6.1. The university will establish a Computer Incident Response Team (CIRT) that, in the event of a significant computer security incident, will initiate and follow the Incident Management Procedures. The members of this team will have defined roles and responsibilities that, based on the severity of the incident, may take priority over normal duties.
13.6.2. The University Information Security Officer will report the incident to the appropriate university, state, and federal agencies and departments as required by governing laws, rules, and procedures.
13.6.3. The University Information Security Officer, working with the selected Computer Incident Response Team members, will determine if a widespread university communication is required, the content of any such communication, and the method of distribution. The Office of the Vice President for Information Technology and/or the Office of the Vice President for Public Affairs will handle any communications to the general public.
13.6.4. The University Information Security Officer will be responsible for maintaining a chain of evidence on incidents it investigates, or participates in investigating, in case the incident needs to be referred to law enforcement or other legal proceedings.
13.6.5. The University Information Security Officer is responsible for determining the physical and electronic evidence to be gathered as part of the incident investigation, except in cases involving appropriate law enforcement personnel, where the University Police Department or other law enforcement agencies will make these determinations.
13.6.6. Technical staff members from the Computer Incident Response Team (CIRT), led by the University Information Security Officer, are responsible for ensuring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized.
13.6.7. The University Information Security Officer is responsible for communicating new issues or vulnerabilities to vendors as needed, and for working with the vendors to eliminate or mitigate the vulnerabilities.
13.6.8. The University Information Security Officer is responsible for initiating, completing, and documenting the incident investigation with assistance from the Computer Incident Response Team. The University Police Department serves as liaison with law enforcement organizations.