(a) Each institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident, e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks. Security incidents shall be promptly reported to immediate supervisors and the institution of higher education Information Security Officer. Security incidents that require timely reporting to the department include those events that are assessed to:
- (1) Propagate to other state systems;
- (2) Result in criminal violations that shall be reported to law enforcement; or
- (3) Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2), Business and Commerce Code, and other applicable laws that may require public notification.
- (b) If criminal action is suspected (e.g., violations of Chapter 33, Penal Code (Computer Crimes) or Chapter 33A, Penal Code (Telecommunications Crimes)), the institution of higher education shall contact the appropriate law enforcement and investigative authorities immediately. Such security incidents shall be investigated and documented in a manner that restores operation promptly while meeting the legal requirements for handling of evidence.
- (c) Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams should continue to report information to the department as it is collected. The department shall instruct institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.
- (d) Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine calendar day after the end of the month. Institutions of higher education shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.
Source Note:The provisions of this §202.76 adopted to be effective November 28, 2004, 29 TexReg 10703; amended to be effective September 17, 2009, 34 TexReg 6315.