Reporting an IT Security Incident or Vulnerability
This Practice Directive describes the process used to report events which have the potential to negatively impact the confidentiality, integrity, or availability of SF State information assets. The reporting process described by this document is part of SF State’s structured approach (PDF) to managing incidents.
The incident response cycle begins when a suspicious event is observed. Individuals in functional campus areas must either contact their local IT service desk or (in their absence) communicate directly with the central ITS service desk to initiate the process of handling the incident. Depending on the nature of an incident (e.g. burglary, robbery) the end user may also need to contact Campus Police and file a report.
Information security incidents are considered high priority and take precedence over normal SF State business operations. Managers who supervise functional campus areas must be prepared to manage work priorities, applying their judgment to the scope and impact of an incident in accordance with direction provided by the Information Security Officer.
The Incident Response Roles and Responsibilities document (PDF) outlines the duties of the San Francisco State University community regarding the handling of information security incidents with an emphasis on decentralized IT support.
In cases where confidential (e.g. Level 1 or Level 2) data may be involved, the initial IT point of contact in the corresponding functional campus area must complete an Incident Response Form and escalate the issue to the ITS Security Team in accordance with the instructions on the Incident Response Form. Isolated, low impact, events that do not put confidential data at risk generally can be handled without using this form.
Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS). Submit any apparent violation of this Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to email@example.com.
Noncompliance with applicable policies and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.