Information Security Incident Report Policy

<This policy has been superseded by policy INM 001. Please refer to the University IT and IS Policy for details.>

1. Policy statement

Any person who suspects, receives notification of, or discovers an information security incident related to the Chinese University of Hong Kong must report it promptly according to the procedures referenced in this policy document.

2. Definition of information security (IS) Incident

According to the CERT Coordination Centre (www.cert.org), a good definition of an incident is: the act of violating an explicit or implied security policy.

However, the definition is a bit too general. Specific examples include but are not limited to:

  • Leakage of sensitive and restricted information in electronic format.
  • Attempts (either failed or successful) to gain unauthorized access to a system or its data.
  • Unauthorized use of a system for the processing or storage of data.
  • Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

You are encouraged to report any activities that you feel meet these criteria for being an IS incident.

3. Reporting procedures

Please fill in the Information Security Incident Reporting Form.

  • If the reported IS incident is highly sensitive and confidential, please report it to:
    • the Department Chairmen/School Directors/Unit Heads concerned, and
    • the Director of ITSC (IT-related incidents) or the Secretariat (non-IT-related incidents) through confidential email: dir-itsc@cuhk.edu.hk / judys@uab.cuhk.edu.hk.
  • Otherwise, please report it to infosec@cuhk.edu.hk.

 

 

Published on: Feb 2009
Last Update:  Jan 2016