Incident Notification Guidelines
These guidelines are effective April 15, 2022.
This document provides guidance to Texas A&M University System institutions and agencies for submitting incident notifications to the Texas A&M System Office of Cybersecurity.
Title 1 Texas Administrative Code §202.1 defines “security incident” as “an event which results in the accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information or information resources.1” Texas A&M System cyber security control standard IR-6 requires system members to notify the System Office of Cybersecurity and consult with the System Chief Information Security Officer regarding information security incidents involving their information and information systems, whether managed by the agency/institution, contractor, or other source. This includes privacy incidents that do not impact information systems and any incidents involving industrial control systems or operational technology.
These guidelines support the Texas A&M System Office of Cybersecurity in executing its mission objectives and provide the following benefits:
Greater quality of information – Alignment with incident reporting and handling guidance from NIST 800-61 Revision 2 2 to introduce functional, informational, and recoverability impact classifications
Improved information sharing and situational awareness – Establishing a 4-hour notification time frame for all incidents to improve the System Office of Cybersecurity’s ability to understand cybersecurity events affecting the system and make timely required notifications to other system offices
Faster incident response times – Moving cause analysis to the closing phase of the incident handling process to expedite initial notification
System members must report information security incidents where the confidentiality, integrity, or availability of a major system-owned or -managed information system, or a system processing confidential information, is potentially compromised.
System members shall notify the System Office of Cybersecurity with the required data elements, as well as any other available information, within 12 hours of being identified by the member or the Security Operations Center (SOC).
System members determine which officials of the member institution are to be notified of an incident, but must include the following notifications within 24 hours of being identified by the member or the Security Operations Center (SOC):
Agency Director/University President or designee
Chief Information Officer (CIO) / Information Resources Manager (IRM)
Chief Information Security Officer (CISO) / Information Security Officer (ISO)
Chief Research Officer (CRO) (when the compromised/potentially compromised information includes research data)
Department Head / Information Resources Custodian of affected information resources
Notifications to affected third parties (e.g., vendors, partners) and affected individuals shall be made in accordance with Tex. Bus. & Comm. Code § 521.002 3 and guidance provided by the System Office of General Counsel.
In some cases, it may not be feasible to have complete and validated information for Submitting Incident Notifications prior to reporting. System members should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting system member not to impact confidentiality, integrity or availability may be reported voluntarily.
Submitting Incident Notifications
The information elements described in steps 1-5 below are required when notifying the System Office of Cybersecurity of an incident:
Identify the current level of impact on system member functions or services (Functional Impact)
Identify the type of information lost, compromised, or corrupted (Information Impact)
Estimate the scope of time and resources needed to recover from the incident (Recoverability)
Identify when the activity was first detected
Identify point of contact information for additional follow-up
Submit the notification to the System Office of Cybersecurity via the Information Security Incident Reporting Portal.
Impact Category Descriptions
The table below defines each impact category description and its associated severity levels. Use the tables below to identify impact levels and incident details.
Note: Incidents may affect multiple types of data; therefore, system members may select multiple options when identifying the information impact. The security categorization of information and information systems must be determined in accordance with Federal Information Processing Standards (FIPS) Publication 199.4 Specific thresholds for loss-of-service availability (e.g., all, subset, loss of efficiency) must be defined by the reporting organization. Contact the System Research Security Office for guidance on responding to classified data spillage.
|Impact Category||Category Severity Levels|
|Functional Impact - A measure of the impact to business functionality or ability to provide the services||NO IMPACT - Event has no impact
NO IMPACT TO SERVICES - Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers
MINIMAL IMPACT TO NON-CRITICAL SERVICES – Some small level of impact to non-critical systems and services
MINIMAL IMPACT TO CRITICAL SERVICES –Minimal impact but to a critical system or service, such as email or active directory
SIGNIFICANT IMPACT TO NON-CRITICAL SERVICES – A non-critical service or system has a significant impact
DENIAL OF NON-CRITICAL SERVICES – A non-critical system is denied or destroyed
SIGNIFICANT IMPACT TO CRITICAL SERVICES – A critical system has a significant impact, such as local administrative account compromise
DENIAL OF CRITICAL SERVICES/LOSS OF CONTROL – A critical system has been rendered unavailable
|Information Impact – Describes the type of information lost, compromised, or corrupted||NO IMPACT – No known data impact
SUSPECTED BUT NOT IDENTIFIED – A data loss or impact to availability is suspected, but no direct confirmation exists
PRIVACY DATA BREACH – The confidentiality of personally identifiable information (PII) or sensitive personal information (SPI) was compromised
PROPRIETARY INFORMATION BREACH – The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised
DESTRUCTION OF NON-CRITICAL SYSTEMS – Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system
CRITICAL SYSTEMS DATA BREACH - Data pertaining to a critical system has been exfiltrated
CORE CREDENTIAL COMPROMISE – Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated
DESTRUCTION OF CRITICAL SYSTEM – Destructive techniques, such as MBR overwrite; have been used against a critical system
|Recoverability – Identifies the scope of resources needed to recover from the incident||REGULAR – Time to recovery is predictable with existing resources
SUPPLEMENTED – Time to recovery is predictable with additional resources
EXTENDED – Time to recovery is unpredictable; additional resources and outside help are needed
NOT RECOVERABLE – Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly)
Reporting Contact Information
Cybersecurity Operations Service Desk: (979) 234-0030 Opt. 5