Security Incident Reporting Instructions:
TAC §202 requires each state agency and institution of higher education to provide timely reporting of certain types of security incidents to DIR which, depending on the threat or level of risk to the State, could mean emergency reporting. Timely reporting is required (preferably within 24 hours) for incidents that may:
- Propagate to other state systems (emergency reporting);
- Result in criminal violations that shall be reported to law enforcement; or
- Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information.
IMPORTANT: For emergency reporting of security incidents meeting the above criteria, please call DIR’s Computer Security Incident Response Team (CSIRT) at (512) 350-3282. The phone is answered 24 hours a day, 7 days a week. This number is NOT to be used for SIRS-related inquiries or questions.
Texas Administrative Code (TAC) Chapter §202.26 and §202.76 address security incident and event reporting requirements for state agencies and institutions of higher education (IHE), respectively. Each agency/IHE is responsible for assessing the significance of a security incident within their organization and for providing a report to DIR based on the business impact on affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks).
Please use the form below to record the applicable details of a reportable security incident and follow the form submission instructions provided at the end of the document.
Download the Security Incident Reporting Form – DOC (142 KB) - Updated May 2013
Notifications by email or telephone should be followed up with the submission of the form.
In addition to the timely reporting requirements, agencies and IHEs are also required to provide monthly summary reports of all security-related events (not just incidents) no later than nine (9) calendar days after the end of each month. DIR has specified that monthly reports are to be submitted using DIR’s secure Security Incident Reporting System (SIRS). In addition to summary security incident and event information, the SIRS also has required fields for updating security infrastructure inventories, such as firewall, IDS/IPS and other systems, and Information Security Officer contact data.
SIRS reporting guidance, training, or instructions may be obtained upon request to the DIR Security Division.
Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting to DIR. In such cases, incident response teams should make an initial report and then continue to report information to DIR as it is collected. All security incident reports provided to DIR in response to TAC 202 requirements will be classified and handled as Confidential per Chapter 2059.055 Texas Government Code (TGC) and Chapter 552.139 Texas Business and Commerce Code.
If criminal action is suspected (e.g., violations of Chapter 33, Penal Code, Computer Crimes, or Chapter 33A, Penal Code, Telecommunications Crimes), the Agency/IHE is also responsible for contacting the appropriate law enforcement and investigative authorities.