Security incident reporting policy

Policy overview

Aim 

This policy aims to ensure that we appropriately manage security incidents relating to our information and Information Communications Technology (ICT).

What is a security incident?

A security incident is defined as any fact or event that results in the compromise, misuse, or loss of our:

  • information
  • ICT services
  • assets

A security incident can impact the confidentiality, integrity and/or availability of information.

Examples of security incidents include:

  • the loss or theft of information
  • unauthorised disclosure of, or access to, information
  • loss or theft of ICT, media, or devices
  • physical security breaches
  • deliberate or accidental breach of security policy
  • insecure disposal of information or ICT assets
  • malicious software infection
  • denial-of-service attack
  • website defacement
  • social engineering, for example a bogus contractor attempting to use a system

Security incidents

Near misses, suspected incidents, and security weaknesses

You must report near misses and suspected incidents in line with this policy.

A near miss is defined as:

  • any fact or event that has happened, or may have happened, but no compromise occurred.

A suspected incident is defined as:

  • a situation where initial information is sparse, and it may be uncertain whether an actual incident has taken place. A compromise of confidentiality, integrity and/or availability is nevertheless suspected.

You must report any observed or suspected information security weakness in systems, processes, or services in line with this policy.  Weaknesses must not be proved or tested by unauthorised persons as this may be construed as misuse.

Actions on identifying a security incident   

Remedial action must be taken as soon as possible to contain and rectify the security incident.  Action must be taken to minimise the impact of a security incident and to prevent it from worsening. 

All security incidents impacting ICT must be reported to the IT Service desk without delay:

  • by telephone 01522 555555
  • through the IT self-service portal

You must report all security incidents (both ICT and non-ICT) to the information assurance team without delay using the security incident reporting form.  

You must report all security incidents involving personal data as soon as possible to ensure we meet our legal obligations regarding personal data breaches.

Personal data breaches

Security incidents involving personal data, referred to as personal data breaches, attract several reporting obligations set out in data protection legislation.    

A personal data breach which is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office (ICO) no later than 72 hours from the point we become aware of the breach.

A personal data breach which is likely to result in a high risk to the rights and freedoms of individuals must be reported to the impacted individuals without undue delay.

Whether or not a breach meets either of these thresholds will be determined on a case-by-case basis as part of the security incident investigation process.

General principles

We encourage an open and transparent reporting system.

Individuals must report all security incidents accurately and without delay.  Individuals are required to assist in any investigation.

We will record all:

  • reported security incidents
  • potential security incidents
  • near misses
  • security weaknesses

We will investigate security incidents in a manner commensurate with the potential impact of the incident. Where we establish a root cause we will consider corrective action to help prevent similar incidents occurring. 

We will determine responsibility for the management of an incident after considering the following points:

  • the type of incident
  • the type of information involved
  • the level of impact or potential impact
  • the number and type of stakeholders and partnerships
  • the personal data involved
  • the source of the incident 

Line managers are responsible for action regarding staff failure to conform to our Code of conduct.

Reporting

We will consider all security incidents for onward reporting to internal and external stakeholders. We will also consider notification to individuals affected by a breach. 

Reporting requirements will be dictated by:

  • the severity of the security incident
  • any statutory or contractual requirements

Examples of such stakeholders include:

  • line managers
  • information asset owners
  • Caldicott Guardians
  • Senior Information Risk Owner
  • sharing partners and suppliers
  • law enforcement agencies
  • the Information Commissioner’s Office (ICO)
  • members of the public
  • National Cyber Security Centre

The information assurance team will co-ordinate the reporting of security incidents.

Information security officers will co-ordinate the reporting of personal data breaches to the ICO.  They will ensure our data protection officer is advised.  Recommendations made by the ICO in response to reported incidents must be considered by relevant stakeholders and action taken where appropriate.

Further information

For further information or guidance please contact the Information Assurance team at IA@lincolnshire.gov.uk.