Description

The university employs documented procedures to handle incidents impacting university information resources.

Applicability

  • This control applies to all unit heads, information resource owners or custodians, and third parties who are responsible for Texas A&M information resource assets. This control is intended to address incidents that escalate beyond the capability of one unit or department to handle effectively and/or have consequences potentially impacting resources outside of the unit, as well as security incidents determined to be significant (e.g., disclosure of restricted or confidential information). Common events, such as malware or other events that are detected and mitigated and whose affected resources are restored within a reasonable amount of time with locally available unit resources, are not included in these procedures. University units are responsible for implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

Implementation

  • 1

    Documented incident handling procedures shall be developed within each unit that address:

    • 1.1

      Implementing an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

    • 1.2

      Coordinating incident handling activities with information system recovery and reconstitution planning activities; and

    • 1.3

      Incorporating lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implementing the resulting changes accordingly.