Security incidents
Near misses, suspected incidents, and security weaknesses
You must report near misses and suspected incidents in line with this policy.
A near miss is defined as:
- any fact or event that has happened, or may have happened, but no compromise occurred.
A suspected incident is defined as:
- a situation where initial information is sparse, and it may be uncertain whether an actual incident has taken place. A compromise of confidentiality, integrity and, or availability is nevertheless suspected.
You must report any observed or suspected information security weakness in systems, processes, or services in line with this policy. Weaknesses must not be proved or tested by unauthorised persons as this may be construed as misuse.
Actions on identifying a security incident
Remedial action must be taken as soon as possible to contain and rectify the security incident. Action must be taken to minimise the impact of a security incident and to prevent it from worsening.
All security incidents impacting ICT must be reported to the IT Service desk without delay:
- by telephone 01522 555555
- through the IT self-service portal
You must report all security incidents (both ICT and non-ICT) to the information assurance team without delay using the security incident reporting form.
You must report all security incidents involving personal data as soon as possible to ensure we meet our legal obligations regarding personal data breaches.
Personal data breaches
Security incidents involving personal data, referred to as personal data breaches, attract several reporting obligations set out in data protection legislation.
A personal data breach which is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office (ICO) no later than 72 hours from the point we become aware of the breach.
A personal data breach which is likely to result in a high risk to the rights and freedoms of individuals must be reported to the impacted individuals without undue delay.
Whether or not a breach meets either of these thresholds will be determined on a case-by-case basis as part of the security incident investigation process.