Contingency Management

Information security incident management

6.1

Data Custodians/Users shall report promptly any information technology related security incidents involving the loss or unauthorised disclosure of sensitive or confidential data/information, whether held in digital or hardcopy format, to both the respective Data Owners and the Data and Security Team of ITS in accordance to the relevant incident reporting and escalation procedure, which shall be set by ISDM Sub-com.

6.2

If there is a loss or unauthorised disclosure that involves personal data, whether digital or hardcopy, the Data Owner concerned shall ensure that the University Data Protection Officer will also be promptly informed in accordance with the relevant incident reporting and escalation procedure.

6.3

After an information security incident has been resolved or closed, [ITPC] through ISDM Sub-com shall commission the following review activities to be carried out by an appropriate party of the University and/or an independent party, as deemed necessary:

(a) Identifying the lessons learned from the information security incident; and
(b) Recommending required improvements as a result of the lessons learned.

Business Continuity / Disaster Recovery Management

6.4

Data Owners, working with respective Data Custodians, shall ensure that disaster Recovery/Business continuity plans and other methods of responding to an emergency or other occurrences of damage to systems containing institutional data are developed, implemented and maintained (including review and testing of such plans at an adequate frequency). These contingency plans shall be developed, implemented and maintained (including review and testing) based on relevant standards and/or guidelines and endorsed by [ITPC], and shall include, but are not limited to, data backup, system/disaster recovery, and emergency mode operations procedures. These plans shall also address testing of and revision to disaster recovery/business continuity procedures and a criticality analysis.