Policy for information security incident managing (A.16)

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. (A.16.1.1)

The unit management team is responsible for ensuring that information security incidents are reported to local IT support and are handled in accordance with the procedure described in 16.1.2.

Information security events shall be reported through appropriate management channels as quickly as possible. (A.16.1.2)

The AU Information Security Unit is responsible for establishing a documented procedure that includes the following elements as a minimum:

• Reporting procedure for security incidents, including contact information, electronic forms and guidelines for feedback to incident reporters.
• Adequate information for data subjects and relevant stakeholders both internally and externally about any security incidents.
• Obligations to involve relevant authorities and to report incidents via relevant management channels.
• Contingency plan for handling and approving external reports of information security incidents.
• Requirements for coordinating case management with the Data Protection Unit in connection with breaches of personal data security.

Additional procedural requirements are listed in the section below.

Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. (A.16.1.3)

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. (A.16.1.4)

According to the rules for information security, anyone affiliated with Aarhus University must report information security incidents or suspected information security incidents. Reports must be handled via the communication channels associated with the university's IT support.

The IT support team that processes the case must assess whether a reported event should be reported as a security incident to the AU Information Security Unit. The Data Protection Unit must be notified without delay if the Information Security Unit determines that the security incident involves personal data. After receiving a report on a suspected security incident, the Data Protection Unit must assess whether to also report the incident to the Danish Data Protection Agency.

Information security incidents shall be responded in accordance with documented procedures. (A.16.1.5)

Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.  (A.16.1.6)

Unit management teams with ownership of information assets must ensure that security incidents involving those assets are recorded and investigated to an appropriate extent. This includes logs of unauthorised access and attempts to gain unauthorised access to secure areas, IT systems and data that the system owner must describe in the system management agreement.

Units at Aarhus University that handle security incidents by virtue of their roles as information asset owners, system owners or as part of performing support/management activities, must include reporting significant incidents to the AU Information Security Unit in their annual planning cycle. In this context, IT systems that process sensitive data or are classified as type A or B should always be considered significant.

As part of its annual planning cycle, the AU Information Security Unit must review incidents, and on the basis of this, recommend additional appropriate organisational and technical measures.

The Information Security Unit must collect and present reported incidents with a view to organisational learning and improving the level of security at the university.

The organisation shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. (A.16.1.7)

If a security breach is likely to lead to legal consequences, adequate evidence must be collected and stored until no longer relevant. The collection of evidence requires the involvement of the Information Security Unit to ensure correct procedure is followed.

Link to procedure: Report security incident (au.dk)

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. A. 16.1.4 Assessment and decision regarding information security incidents: According to the Rules for information security, anyone affiliated with Aarhus University must report information security incidents or suspected information security incidents.  ​​​​This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.   If you have other needs based on your risk assessment, this must be ensured locally.