Information Security Incident Reporting | Standard Practice Guides (2023)


Information Security Incident Reporting

Applies to: All Faculty and Staff

  1. Overview

    It is the policy of the University of Michigan to handle information security incidents so as to minimize their impact on the confidentiality, integrity, and availability of the university’s systems, applications, and data. An effective approach to managing such incidents also limits the negative consequences to both the university and individuals, and improves the university’s ability to promptly restore operations affected by such incidents.

    It is especially important that serious information security incidents that may result in disruptions to important business processes are promptly communicated to the appropriate university officials so that they are involved early in decision-making and communications. In addition, compliance with various federal and state regulations requires expeditious reporting of certain types of incidents.

    While information security incidents are not always preventable, appropriate procedures for incident detection, reporting and handling, combined with education and awareness of the U-M community, can minimize their frequency, severity, and potentially negative individual, operational, legal, reputational, and financial consequences

    The goals of establishing a successful incident management capability include:

    (Video) Security Awareness Training: Incident Reporting

    1. Mitigating the impact of IT security incidents.
    2. Identifying the sources and underlying causes of IT security incidents and unauthorized disclosures to aid in reducing their future likelihood of occurrence
    3. Protecting, preserving, and making usable all information regarding the incident or disclosure as necessary for forensic analysis and notification.
    4. Ensuring that all parties are aware of their responsibilities regarding IT system security incident handling.
    5. Protecting the reputation of the university.
  2. Definitions

    1. An information security incident is a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy, (as defined in Responsible Use of Information Resources (SPG601.07). Examples of information security incidents
      1. Computer system intrusion
      2. Unauthorized or inappropriate disclosure of sensitive institutional data
      3. Suspected or actual breaches, compromises, or other unauthorized access to U-M systems, data, applications, or accounts
      4. Unauthorized changes to computers or software
      5. Loss or theft of computer equipment or other data storage devices and media (e.g., laptop, USB drive, personally owned device used for university work) used to store private or potentially sensitive information
      6. Denial of service attack or an attack that prevents or impairs the authorized use of networks, systems, or applications
      7. Interference with the intended use or inappropriate or improper usage of information technology resources.

      While the above definition includes numerous types of incidents, the requirement for central security incident reporting, regardless of malicious or accidental origin, is limited to serious incidents as defined below.

      Occurrences such as incidental access by employees or other trusted persons where no harm is likely to result will usually not be considered information security incidents.

    2. A serious incident is an incident that may pose a substantial threat to university resources, stakeholders, and/or services. An incident is designated as serious if it meets one or more of the following criteria:
      1. Involves potential, accidental, or other unauthorized access or disclosure of sensitive institutional information (as defined below)
      2. Involves legal issues including criminal activity, or may result in litigation or regulatory investigation
      3. May cause severe disruption to mission critical services
      4. Involves active threats
      5. Is widespread
      6. Is likely to be of public interest
      7. Is likely to cause reputational harm to the university
    3. Sensitive information is defined in Institutional Data Resource Management Policy, (SPG601.12) as information whose unauthorized disclosure may have serious adverse effect on the university’s reputation, resources, services, or individuals. Information protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive. Sensitive information includes personally identifiable information such as protected health information (PHI), Social Security numbers, credit card numbers, and any other information designated as sensitive by university data stewards.
  3. Scope

    This policy is platform and technology neutral, and applies to the entire university, including the Ann Arbor campus, Michigan Medicine, U-M Dearborn, U-M Flint, Athletics, and all affiliates. Specifically, the scope of this policy encompasses:

    1. Faculty, staff, and all units
    2. Third-party vendors who collect, process, share or maintain university institutional data, whether managed or hosted internally or externally;
    3. Personally owned devices of members of the U-M community that access or maintain sensitive institutional data.
  4. Policy

    1. All users of university IT resources must report all information security incidents to their IT security provider or security unit liaison.
    2. Any event that appears to satisfy the definition of a serious information security incident must be reported to Information Assurance (IA).
    3. It is expected that incident reporting, from identification to reporting to IA (if necessary), will occur within 24 hours.
    4. Some information security incidents may also be criminal in nature (e.g., threats to personal safety or physical property) and should immediately be reported to the U-M Division of Public Safety and Security concurrent with the incident notification described in section VII of this policy.
    5. To avoid inadvertent violations of state or federal law, individuals and departments may not release information, electronic devices, or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by this policy.
      1. Information related to campus security information security incidents is classified as sensitive under SPG601.12.
      2. When university staff report, track, and respond to information security incidents, they must protect and keep confidential any sensitive information.
      3. Incident data retained for investigation will exclude any sensitive information that is not required for incident response, analysis, or by law, regulation, or university policy.
  5. Roles and Responsibilities

    1. The University Chief Information Security Officer is the ultimate authority for interpretation and implementation of this policy, as well as for coordinating serious information security incident communications. The Office of the University Chief Information Security Officer will retain relevant records and evidence pertaining to all serious incidents for a period of three years after the occurrence of the event. For incidents involving unauthorized disclosure of PHI, records will be retained for six years.
    2. Information Assurance (IA) will oversee, coordinate, and guide the incident management process to promote a consistent, efficient, and effective response, including compliance with applicable breach notification laws and regulations. IA staff serve as the information security provider for Information and Technology Services and all MiWorkspace units.

      In addition, IA shall:

      1. Convene, when appropriate, a multi-department Computer Security Incident Response Team (CSIRT).
      2. Collaborate and coordinate with other university offices including applicable compliance offices.
      3. Take appropriate steps to preserve forensic evidence.
      4. Lessons learned meetings will be conducted for all serious information security incidents to review the effectiveness of the incident handling process, prevent recurrence of similar incidents, and identify potential improvements to existing security controls and practices.
      5. Conduct ongoing information security incident reporting education and awareness for the U-M community.
    3. Users of University Information Technology Resources: All faculty, staff, and workforce members must report serious information security incidents to the ITS Service Center for MiWorkspace units and the ITS Service Center and their unit’s security unit liaison for non-MiWorkspace units within 24 hours of becoming aware of the incident.
    4. Security Unit Liaisons: The Security Unit Liaison is a staff member that has been designated by the unit dean or director to provide unit oversight of information security, communicate and coordinate related activities with Information Assurance (IA), evaluate and respond to non-serious incidents, and coordinate unit response to risk assessments and audit requests. Liaisons also develop and implement unit-level policies, procedures, communications, and educational awareness programs consistent with university-wide guidance.
      1. Security unit liaisons or their designees must report suspected serious incidents (reported to or identified by them) within the 24 hour timeframe. When an incident involves the types of sensitive information below, the liaisons must also report the incident to the following parties:
        1. If an incident involves protected health information (PHI), security unit liaisons must report the incident to Information Assurance (IA) at and the University HIPAA Officer at
        2. If an incident involves any human subject research information, security unit liaisons must report the incident to IA at and the Office of Research (UMOR) UMOR will report the incidents to the appropriate Institutional Review Board and the IRBs will alert research teams, as needed.
        3. If an incident involves both protected health and human subject research information, UMOR (, the University HIPAA Officer (, and IA ( should receive the report at the same time and work together on any required follow-up. UMOR will report the incidents to the appropriate IRB, and the IRBs will alert research teams, as needed.
        4. If an incident involves payment card information (PCI), a U-M merchant must report the incident to the Treasurer’s Office at and IA at
      2. Security unit liaisons and associated unit IT staff will appropriately support IA staff in incident handling and post-incident investigations and will evaluate and respond to information security incidents in accordance with university and unit policies and procedures.
      3. Security unit liaisons for non-MiWorkspace units will, as necessary, develop and implement unit-level policies, procedures, communications, and educational programs that are consistent with this university-wide incident reporting policy.
    5. The University HIPAA Officer, UMOR, and the Treasurer’s Office will inform IA of serious incidents reported to them.
    6. Third Party Vendors and Contractors: U-M has an ownership, stewardship,or custodial interest in all university data, regardless of how or where it is stored, transmitted, or processed. The reporting requirements of this policy apply to third parties that are contractually bound to limit the access, use, or disclosure of U-M information assets. These third party vendors or entities shall report potential or actual incidents to the university per the terms of their contract and/or the university’s data protection addendum.
  6. Violations and Sanctions

    Violations of this policy may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. Discipline (SPG201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.

  7. Reporting Incidents

    1. Information Assurance (IA) —
    2. Incidents involving PHI: University HIPAA Officer —
    3. Incidents involving human subject research: Office of Research — and Institutional Review Boards —; or
    4. Incidents involving payment card information (PCI): Treasurer’s Office —
    5. Incidents that may also be crimes or threats to personal safety: Division of Public Safety and Security — (734) 763-8391
  8. Related Policies

    1. Responsible Use of Information Resources (SPG601.07)
    2. Institutional Data Resource Management (SPG601.12)
    3. Information Security (SPG601.27)
    4. Report an IT Security Incident, Safe Computing

File Attachments

Printable PDF of SPG 601.25, Information Security Incident Reporting Policy

SPG Number


(Video) SOC 101: Real-time Incident Response Walkthrough

Date Issued

Last Updated

Next Review Date

Applies To

All Faculty and Staff


Office of the Vice President for Information Technology and Chief Information Officer

Primary Contact

Office of the Vice President for Information Technology and Chief Information Officer

(Video) Incident Response Steps and Activities

Related Policies

(Video) Incident Management Process: A Step by Step guide

Information Security

Institutional Data Resource Management Policy

Responsible Use of Information Resources

Related Links

Report an IT Security Incident, Safe Computing

(Video) Information Security Policies and Standards

General Information Technology Policies


What is NIST SP 800 61 incident handling guide? ›

NIST Special Publication 800-61, Computer Security Incident Handling Guide, assists organizations in mitigating the potential business impact of information security incidents by providing practical guidance on responding to a variety of incidents effectively and efficiently.

How should information security incident be reported? ›

Report actual or suspected IT security incidents as soon as possible so that work can begin to investigate and resolve them. If the incident poses any immediate danger, call 911 to contact law enforcement authorities immediately. You can also report IT security incidents within your unit or department.

What is the ISO 27035 standard? ›

The ISO/IEC 27035 Information Security Incident Management is an international standard that provides best practices and guidelines for conducting a strategic incident management plan and preparing for an incident response.

What are the 7 steps in incident response? ›

7 Phases of Incident Response
  1. Preparation. It's nearly impossible to create a well-organized response to a cybersecurity threat in the moment. ...
  2. Identification. All phases of an incident response plan are important, however, identification takes precedence. ...
  3. Containment. Don't panic! ...
  4. Eradication. ...
  5. Recovery. ...
  6. Learning. ...
  7. Re-testing.

What are the 5 pillars of NIST? ›

5 Domains of the NIST Security Framework. The five domains in the NIST framework are the pillars support the creation of a holistic and successful cybersecurity plan. They include identify, protect, detect, respond, and recover.

What are NIST guidelines? ›

NIST guidelines are often developed to help agencies meet specific regulatory compliance requirements. For example, NIST has outlined nine steps toward FISMA compliance: Categorize the data and information you need to protect. Develop a baseline for the minimum controls required to protect that information.

What are the 6 elements of an incident report? ›

It should include:
  • the names and positions of the people involved.
  • the names of any witnesses.
  • the exact location and/or address of the incident.
  • the exact time and date of the occurrence.
  • a detailed and clear description of what exactly happened.
  • a description of the injuries.
Aug 24, 2022

What are the three stages of reporting a security incident? ›

The incident response phases are: Preparation. Identification. Containment.

What does the ISO 27017 standard discuss? ›

ISO/IEC 27017 is an information security framework for organisations using (or considering) cloud services. Cloud service providers need to comply with this standard because it keeps their cloud service customers (and others) safer by providing a consistent and comprehensive approach to information security.

What are the 5 steps of the NIST framework for incident response? ›

What are the 5 steps in the NIST cybersecurity framework?
  • NIST 800-53. The NIST Special Publication 800-53 is a catalog of security and privacy controls specifically designed to apply to US Federal Government agencies. ...
  • Identify. ...
  • Protect. ...
  • Detect. ...
  • Respond. ...
  • Recover.

Is iso27002 a standard? ›

The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.

What are the 5 C's of incident command? ›

ICS divides an emergency response into five manageable functions essential for emergency response operations: Command, Operations, Planning, Logistics, and Finance and Administration. The basic structure of ICS is the same regardless of the type of emergency.

What are the 5 W's for an incident report? ›

Here is a PowerPoint slide deck describing the basics of Incident Reporting, . . . what, why, who, when, where and how.

What are the 4 phases of NIST? ›

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

What are NIST 800-53 requirements? ›

What is NIST 800-53? NIST SP 800-53 provides a list of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management standards and guidelines used by information systems to maintain confidentiality, integrity, and availability.

What are the NIST 800 standards? ›

The NIST 800-53 is a cybersecurity standard and compliance framework developed by the National Institute of Standards in Technology. It's a continuously updated framework that tries to flexibly define standards, controls, and assessments based on risk, cost-effectiveness, and capabilities.

What are the 5 stages of cybersecurity? ›

Phases of the Cybersecurity Lifecycle. As defined by the National Insitute of Standards and Technology (NIST), the Cybersecurity Framework's five Functions: Identify, Protect, Detect, Respond, and Recover, are built upon the components of the framework model.

What is the most common NIST standard? ›

One of the most widely used NIST security standard is the NIST Cybersecurity Framework (CSF). This internationally recognized framework offers voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.

Where can I find NIST standards? › is your pathway to standards solutions. The NIST Standards Coordination Office provides tools, programs, services, and educational resources about documentary standards and conformity assessment.

What is the difference between NIST and ISO 27001? ›

NIST CSF and ISO 27001 Differences

NIST was created to help US federal agencies and organizations better manage their risk. At the same time, ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS. ISO 27001 involves auditors and certifying bodies, while NIST CSF is voluntary.

What are the 8 components of a report? ›

The key elements of a report
  • Title page.
  • Table of contents.
  • Executive summary.
  • Introduction.
  • Discussion.
  • Conclusion.
  • Recommendations.
  • References.

What are the 8 basic elements of an incident response plan? ›

8 Essential Elements for an Incident Response Plan
  • A Mission Statement.
  • Formal Documentation of Roles and Responsibilities.
  • Cyberthreat Preparation Documentation.
  • An Incident Response Threshold Determination.
  • Management and Containment Processes.
  • Fast, Effective Recovery Plans.
  • Post-Incident Review.
Aug 2, 2022

What are the 4 types of incidents? ›

Another approach would be to have four types: Accident, Notifiable Accident, Incident and Notifiable Incident.

What are the five 5 requirements for effective report writing? ›

For reports to help your team in any situation, they have to be clear, concise, complete, consistent, and courteous. Well-written reports are worth their weight in gold. Whether they're designed to be read in meetings or alone, reports need to convey information in a way that's easy to read and understand.

What are 6 stages in the incident management? ›

Many organisations use NIST's Computer Security Incident Handling Guide as the basis of their incident response plan. It contains six phases: preparation, identification, containment, eradication, recovery and lessons learned.

What are the guidelines for reporting and completing an incident report? ›

Information required on an incident reporting form
  • Patient name and hospital number/date of birth.
  • Date and time of incident.
  • Location of incident.
  • Brief, factual description of incident.
  • Name and contact details of any witnesses.
  • Harm caused, if any.
  • Action taken at the time.

What are the four C's of security incident documentation? ›

Managing the four C's is a key ingredient and a definite requirement for success. These are command, control, communications and coordination.

What are 3 basic elements in an incident? ›

The Three Elements of Incident Response: Plan, Team, and Tools.

What are the 7 layers of security a cybersecurity report? ›

The OSI model's seven layers are the: Human Layer, Perimeter Layer, Network Layer, Endpoint Layer, Application Layer, Data Layer, and Mission Critical Layer.

What is the difference between ISO 27017 and 27018? ›

ISO 27017 certification demonstrates cloud service security to users, while ISO 27018 certification ensures that personal data is processed securely.

What is the difference between ISO 27002 and 27017? ›

(By the way, security controls in ISO 27002 and ISO 27001 are the same, only ISO 27002 explains them in greater detail – see this article: ISO 27001 vs. ISO 27002.) In other words, ISO 27017 suggests additional security controls for the cloud, where ISO 27002 does not adequately cover this area.

What are the basics of ISO standards? ›

ISO standards are internationally agreed by experts. Think of them as a formula that describes the best way of doing something. It could be about making a product, managing a process, delivering a service or supplying materials – standards cover a huge range of activities.

What is the NIST standard for incident response? ›

The NIST incident response process is a cyclical activity featuring ongoing learning and advancements to discover how to best protect the organization. It includes four main stages: preparation, detection/analysis, containment/eradication, and recovery.

What is the best incident response framework? ›

The NIST Cybersecurity Framework is one of the most popular methodologies for better understanding and managing cybersecurity risk. A component of their over-all framework is the NIST Incident Framework, which is one of the most widely-used incident response standards around the world.

What is the most recent NIST standard for incident response? ›

NIST SP 800-61.

What is the difference between ISO 27001 and 27701? ›

As we mentioned in a recent post, ISO 27701 is a privacy add-on to ISO 27001. Whereas ISO 27001 establishes a framework for an organization's ISMS, ISO 27701 expands the ISMS and creates a Privacy Information Management System (PIMS).

What is the difference between ISO 27001 and 27002 and 27003? ›

ISO 27002 focuses its guidance on “determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO 27001.” ISO 27003 focuses its guidance more broadly on the overall requirements for an ISMS, based on ISO 27001.

What is the difference between ISO 27000 and 27001? ›

ISO 27000 outlines the security techniques necessary to properly safeguard customer data. ISO 27001 is where those principles meet the real world. Businesses implement the requirements outlined in ISO 27000 standards and verify the effectiveness of their ISMS through an ISO 27001 audit.

What is NIST 800 60 used for? ›

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 has been developed to assist Federal government agencies to categorize information and information systems.

What is NIST SP 800 standard? ›

The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST's cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems.

What does NIST SP stand for? ›

NIST SP 800-63-3 under Special Publication (SP) Special Publication – a designation for NIST documents, sometimes supporting FIPS. Source(s): NIST SP 800-76-2 under SP. A type of publication issued by NIST.

What does incident response Guides do? ›

An incident response plan is a document that outlines an organization's procedures, steps, and responsibilities of its incident response program. Incident response planning often includes the following details: how incident response supports the organization's broader mission.


1. Day 08 CISM Live Class - Information Security Incident Management
(Abhay Pal Chauhan)
2. What Are Policies vs Standards vs Procedures vs Guidelines? // Free CySA+ (CS0-002) Course
(Jon Good)
3. Cyber Security :Security Incident Reporting Christopher Nelson
(Christopher Nelson)
4. Introduction to Incident Response | What is Incident Response in Cyber Security | Infosectrain
5. CSS2018LAS8: Incident Handling Process - SANS
(Public Sector Partners, Inc)
6. Incident reporting
(Barking, Havering and Redbridge University Hospitals NHS Trust)
Top Articles
Latest Posts
Article information

Author: Otha Schamberger

Last Updated: 17/05/2023

Views: 5798

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Otha Schamberger

Birthday: 1999-08-15

Address: Suite 490 606 Hammes Ferry, Carterhaven, IL 62290

Phone: +8557035444877

Job: Forward IT Agent

Hobby: Fishing, Flying, Jewelry making, Digital arts, Sand art, Parkour, tabletop games

Introduction: My name is Otha Schamberger, I am a vast, good, healthy, cheerful, energetic, gorgeous, magnificent person who loves writing and wants to share my knowledge and understanding with you.