All executive branch agencies, including institutions of higher education, are required to report information security incidents to VITA, except for the University of Virginia (UVA), Virginia Polytechnic Institute and State University (VPI), and the College of William and Mary. The Code of Virginia § 2.2-603, Section G, listed below, describes the reporting requirements agencies must follow.
§ 2.2-603. Authority of agency directors.
F. The director of every department in the executive branch of state government shall report to the Chief Information Officer as described in § 2.2-2005, all known incidents that threaten the security of the Commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the Commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Such reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered their occurrence.
The purpose of this section is to provide information that may be helpful in information security incident reporting. Information security incidents will happen and the ability to quickly identify and act in a coordinated manner can lessen the impact of an information security incident. The information security incident reporting form is an important first step in handling information security incidents in a coordinated response.
An information security incident refers to an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event.
An event is any observable occurrence in a system, network, and/or workstation. Although natural disasters and other non-security related disasters (power outages) are also called events, these reporting requirements are for IS security related events only. Events can often indicate that an information security incident is happening.
An information security incident should be reported if the following conditions are met and it resulted in:
Please note: An adverse event does not include situations such as unintentional visits to Web sites prohibited by Commonwealth/agency policy or law, or excessive use of a provided resource. These types of situations should be handled internally as personnel issues.
You should report events that have a real impact on your organization. An information security incident includes, but is not limited to, the following events, regardless of platform or computer environment:
Do not report routine probes, port scans, or other common events.
The following are clues that an information security incident may be in progress, or that one may have already occurred. These indicators can have legitimate explanations and be part of day-to-day operations. The key to determining whether a suspected event is a legitimate event or is actually an information security incident is recognizing when things happen without an explanation, events that are contrary to your policies and procedures. The key word in using these indicators is "UNEXPLAINED."