502: Incident Response and Escalation

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010


The purpose of documenting this procedure in the Information Security Manual is to clarify and formalize Security Operations and Procedures in the event of Information Security incidents.


The scope of these procedures is limited to Information Security Incidents.  Incidents overlapping with physical security, personnel action, or student conduct will be handled in accordance with established protocols and procedures; however, the CISO will be appraised to ensure that Information Security specific aspects of any incident are addressed.


In compliance with RFC2142, OSU maintains appropriate Email aliases for the reporting of various activities originating from hosts on OSU’s network.  The abuse@oregonstate.edu alias in particular is widely accepted across the internet, and specifically identified by OSU in our network registration, as the appropriate alias to notify when a breach is suspected or other Information Security Incidents are detected.  Network Engineering will maintain this Email alias; respond to and track all reports of Information Security Incidents; and will ask that responsible parties verify whether or not Personal Information, Protected Information, or Sensitive Information was involved.

In the case where Personal Information or Protected Information is involved, these incidents will be initially escalated to the attention of theChief Information Security Officer who will create an incident response report. 

Information Security Incidents involving Personal Information will be reviewed by legal counsel to ensure appropriate responses are taken in accordance with Oregon law, and a copy of the report will be shared with the appropriate Records Custodian(s), the University Provost, the Oregon University System Vice Chancellor for Finance and Administration, the Oregon University System Internal Audit Division, and University News and Communications Services as appropriate to deal with media implications.  

Information Security Incidents involving Protected Information will be reviewed by the appropriate Records Custodian(s) along with a copy of the incident report to be shared as deemed appropriate by the Records Custodian(s). 

Information Security Incidents involving Sensitive Information will be logged and noted in the annual Information Security Report.