UNIVERSITY of HOUSTON
MANUAL OF ADMINISTRATIVE POLICIES AND PROCEDURES
SECTION:
AREA:
Information TechnologySecurity
User Guidelines
Number:10.03.0305.02
SUBJECT: Information Security Incident Reporting and Investigation
Security Violations Reporting
I.
PURPOSE AND SCOPE
This policy provides an overview of official University of Houston directives and guidelines in the
event a potential security incident involving information resources danger to computer, network or
telecommunications security is identifieddiscovered, and the associated reporting obligations and
investigative process of various university areas. Illegal activities involving university information
resourcescomputers, networks, or telecommunications systems shall be are considered to be a
danger to those systems security incidents for the purposes of this policy.
II.
POLICY STATEMENT
The University of Houston relies heavily on computers, computer systems, computer networks,
related data files and the information derived from them to meet its operational, financial and
information requirements. A system of internal controls exists to safeguard the security,
confidentiality, integrity and confidentiality availability of these assets. All users of university
information resources, computer account owners, facility supervisors, and system administrators
and computer custodians share the responsibility for this security and for reporting potential
security incidents involving information resourcesdepending upon their functions, are subject to
this policy and the policies and guidelines referenced in this policy.
III.
DEFINITIONS
A.
Information resource: Procedures, equipment, and software that are employed,
designed, built, operated, and maintained to collect, record, process, store, retrieve,
display, and transmit information.
B.
Security incident: An event which results in accidental or deliberate unauthorized access,
loss, disclosure, modification, disruption, or destruction of information resources.
Definitions of terms used in this policy may be found in the Glossary of Information Technology
Terms located in the Information Technology MAPP section at
IV.
PROCEDUREPROVISIONS
A.
All security incidentsThreats to computing, network or telecommunications security,
whether actual or potential, or illegal activities involving the use of university information
resourcescomputer, network or telecommunications systems, mustshall be reported to
the University Information Technology (UIT) Security Department, Chief Information
Security Officer (CISO),security officer (or designee) or in his absence, to the Chief
Information Officer. Illegal activities may also be reported directly to a law enforcement
agency. University employees or students who report suspected criminal activity in good
faith are protected against any retaliation by the university for making such a report.
July 12, 1996; Revised November 30, 2006 April 29, 2011
Page 1 of 4
Information Security Incident Reporting and InvestigationSecurity Violations Reporting MAPP
10.05.0203.03
B.
The CISO willuniversity information security officer shall immediately evaluate the
situation and notify the appropriate persons or agencies. Depending upon the type and
suspected magnitude of the incident,violation any or all of the following individuals or
groups may be notified:









AssociateAssistant Vice President for Information Technology and Chief
Information Officer
College/Division Information Security Officer
Texas Department of Information Resources
Computer Emergency Response Team/Federal Bureau of Investigation
Facility Supervisors
UH Police Department of Public Safety (UHDPS)
UHS Internal Auditing Department
Dean of Students
U.S. Secret Service
The University of Houston Department of Public Safety mustshall also be notified if the
university is contacted by the above-listed agencies or any other law enforcement agency
in regard to a security incident.
CB.
Upon receipt of a report or discovery of a suspected security incidentviolations, the
CISOinformation security officer or designee will investigate and take immediate action
as appropriate to mitigate risk to university information resources. The investigation may
include the examination of files, passwords, accounting information, printouts, tapes and
other material that may aid investigation. The CISO or designee is responsible for
ensuring all items examined during the investigation are properly documented.
Examination of files must be authorized by the Chief Information Officer or designee.
D.
Upon request by an appropriate university official, users are expected to cooperate in any
investigation. Failure to do so may be grounds for cancellation or suspension of access
privileges or other disciplinary action. Selected access to computing servicesinformation
resources may also be temporarily suspended while investigations are being conducted.
EC.
The owners of any computer accountsinformation resource found to be compromised
must be notified and instructed to change their password(s) immediately changed. The
owner should scrutinize all files for integrity, providing relevant information about the
existence of security violations to the Information Security Officer or other investigating
personnelofficer.
FE.
In accordance with established university policies and applicable local, state and federal
laws regarding computer incidentsviolations, a user found to be abusing or misusing
university computer information resources is subject to immediate disciplinary action, up
to and including expulsion from the university or termination of employment, and legal
action.
1.
When disciplinary action regarding a student’s involvement is involved in an
information security incidentviolation could potentially be warranted, the Dean of
Students will be notifiedprovide additional guidelines for disciplinary actions.
2.
When disciplinary action regarding a faculty member’s involvementis involved in
an information security incidentviolation could potentially be warranted, the
faculty member’s supervisor and the Senior Vice President for Academic Affairs
will be notified. Disciplinary decisions resulting from an information security
July 12, 1996; Revised November 30, 2006 April 29, 2011
Page 2 of 4
Information Security Incident Reporting and InvestigationSecurity Violations Reporting MAPP
10.05.0203.03
incidentviolations by university faculty will be made in accordance with the
Faculty Handbook.
3.
V.
When disciplinary action regarding an staff employee’s involvement is involved in
an information security incidentviolation could potentially be warranted, the
employee’s supervisor, the Assistant Vice President Executive Director of Human
Resources, and the Executive Vice President for Administration and Finance will
be notified.
GENERAL PROVISIONS
Colleges and divisions will review their procedures annually and update them as appropriate.
VI.
VII.
REVIEW AND RESPONSIBILITIES:
Responsible Party:
Associate Vice President for Information Technology and
Chief Information Officer
Review:
Every three years, on or before June 1
APPROVAL
John Rudley
Executive Vice President for Administration and Finance
Donald J. Foss
Senior Vice President for Academic Affairs and Provost
Jay Gogue
President
President’s Date of Approval:
Effective Date: November 30, 2006
VIII.
REFERENCES
UH System Administrative Memorandum 07.A.03 - Notification of Automated System
Security Guidelines
Index Terms:
Abuse of computer equipment and systems
Computer equipment and systems
Computer user responsibilities
Misuse of computer equipment and systems
Reporting security violations
Security of computer equipment and systems
System security
July 12, 1996; Revised November 30, 2006 April 29, 2011
Page 3 of 4
Information Security Incident Reporting and InvestigationSecurity Violations Reporting MAPP
10.05.0203.03
REVISION LOG
Revision
Number
Approved
Date
Description of Changes
1
07/12/1996
Initial version
2
11/30/2006
Applied new MAPP template. The contents were updated
with housekeeping changes
3
TBD
Applied revised MAPP template and added new Revision
Log. Changed document name from Security Violations
Reporting to current title, and document number from
10.03.03 to 10.05.02. Removed references and index
terms. Other changes were editorial in nature to reflect
current operating requirements.
July 12, 1996; Revised November 30, 2006 April 29, 2011
Page 4 of 4