IR-4 Incident Handling

Description

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems.

Incident-related information can be obtained from a variety of sources including, for example:

  1. audit monitoring,
  2. network monitoring,
  3. physical access monitoring,
  4. user/administrator reports, and
  5. reported supply chain events.

Effective incident handling capability includes coordination among many organizational entities including, for example:

  1. mission/business owners,
  2. information system owners,
  3. authorizing officials,
  4. human resources offices,
  5. physical and personnel security offices,
  6. legal departments,
  7. operations personnel,
  8. procurement offices, and
  9. the risk executive (function).

Applicability

This Control applies to all unit heads, information resource owners or custodians, and third parties who are responsible for TAMU-CC information resource assets.

This Control is intended to address incidents that escalate beyond the capability of a single unit or department to handle effectively, that have consequences potentially impacting resources outside of the unit, or that are determined to be significant (e.g., disclosure of restricted or confidential information).

Common events, such as malware infections, that a unit detects, mitigates, and recovers from within a reasonable amount of time using locally available unit resources are not covered by these procedures.

University units are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Implementation

TAMU-CC shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery as follows:

  1. Develops documented incident handling procedures (either by TAMU-CC alone, or jointly by TAMU-CC and each unit that has personnel who act as custodians for information resources);
  2. Coordinates incident handling activities with contingency planning activities; and
  3. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019