- (a) Security incidents shall be promptly investigated and documented. Security incidents shall be reported to the department within twenty-four hours if the institution determines that there is a substantial likelihood that such incidents are critical in nature and could be propagated to other state systems beyond the control of the institution of higher education.
- (b) If criminal action is suspected, the institution of higher education must contact the appropriate law enforcement and investigative authorities immediately.
(c) Each institution of higher education shall provide summary reports to the department that contain information concerning violations of security policy of which the institution of higher education has become aware. An institution of higher education shall not be required to report security incidents unless it reasonably believes such incidents may involve criminal activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications Crimes). Reports should include:
(1) Type of activity, including but not limited to:
- (A) Unwanted disruption or denial of service;
- (B) Unauthorized use of a system for the processing or storage of data; and
- (C) Changes made to system hardware, firmware, data or software without the institution of higher education's effective consent.
- (2) Time elapsed between initial detection of incident and containment of the security breach or full restoration of adversely affected functions, whichever is later;
- (3) Description of the institution of higher education's response to the incident; and
- (4) Estimated total cost incurred by the institution of higher education in containing the security incident or restoring adversely affected functions.
- (d) Reports must be sent to the department on a monthly basis no later than the ninth (9th) calendar day after the end of the month. Information shall be reported in the form and manner specified by the department.
- (e) The department shall establish internal security procedures regarding the receipt and maintenance of information pertaining to security incidents. The department shall instruct institutions of higher education as to the manner in which they must report such information.
Source Note:The provisions of this §202.76 adopted to be effective November 28, 2004, 29 TexReg 10703.