Texas A&M University employs documented policies and procedures to mitigate an incident impacting university information resources.

The University provides training to personnel in their cybersecurity incident response roles and responsibilities.

The process for testing the effectiveness of the incident response capabilities.

The university employs documented procedures to handle incidents impacting university information resources.

Incident Monitoring consists of activities such as the review of: user account logs, application logs, data backup and recovery logs, automated intrusion detection system logs, etc.

This Control describes the requirements for appropriate reporting of information security incidents that are likely to expand beyond the capability of one unit's ability to manage effectively, or if a security incident is determined to be significant. An information security incident is considered significant if it meets one or more of the following criteria:

• involves actual or suspected unauthorized disclosure of data classified as confidential or higher
• involves unauthorized access or use of information resources
• involves consequential legal issues
• may cause disruption to high impact information resources or university-wide Essential IT services
• involves active threats
• is widespread
• is likely to raise public interest

Common events that are detected, mitigated, and restored within a reasonable amount of time, by locally available unit staff, are not considered significant under this control. Information resource users may not recognize that an information security incident has occurred. These issues are frequently difficult to identify and require analysis to determine if there has been an incident and the impact of the incident. Therefore, it is imperative that users report suspected incidents immediately.

The university Chief Information Security Officer (CISO) ensures that a cybersecurity incident response support team is available, integral to the university cybersecurity incident response capability that offers advice and assistance to owners, custodians, and users of information resources for the handling and reporting of cybersecurity incidents.

The purpose of this Control is to provide the basis of effective and appropriate response to incidents that threaten the confidentiality, integrity, and availability of university information resources. The Incident Response Plan provides the procedures for this response, and ensures roles and responsibilities are clearly defined.

Identifies roles and responsibilities for responding to information spills.