Cybersecurity Incident Response

1. Policy

Issued: May 3, 2019 
Last Revised: June 26, 2025 
Last Reviewed: June 26, 2025 

Applies to: Faculty (including part-time, adjunct and visiting faculty), postdoctoral scholars, staff and students (including graduate/undergraduate student workers and graduate assistants) employed by University of Southern California (“USC” or the “University”) and including those working for the University’s health system (“USC Employees”); third parties including vendors, affiliates, consultants, and contractors when using USC-Owned Technology Resources; iVIP (guests with electronic access) as well as any other users of USC-Owned Technology Resources, including retirees, independent contractors, or others (e.g., temporary agency employees) who may be given access on a temporary basis to University systems. This policy continues to apply to individuals who are on sabbatical or other leaves, or who are visiting other institutions.

2. Policy Purpose

This Cybersecurity Incident Response Policy describes University of Southern California (USC) expectations for management of a cybersecurity incident and the related minimum-security requirements.

3. Scope and Application

This policy identifies the minimum requirements for cybersecurity incident response for all USC departments, schools, and units (DSU) inclusive of Keck Medical affiliates, retirees, emeriti, consultants, etc. who have access to USC technology resources, including USC email, as well as any other users of the USC network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access on a temporary basis to University systems.

4. Definitions

For more definitions and terms: USC Cybersecurity Policies Terms and Glossary 

| Term | Definition |
| --- | --- |
| Availability | Authorized users have access to the systems and the resources they need |
| Confidentiality | Data, objects and resources are safeguarded from unauthorized viewing and other access |
| Covered Individuals | People or entities specified by the scope of a policy |
| Incident Response Plan | A systematic and documented method of approaching and managing situations resulting from cybersecurity incidents or breaches |
| Integrity | Data is safeguarded from unauthorized changes to ensure that it is reliable and correct |
| ITS | Information Technology Services |
| Local Technology Support | Information technology support dedicated within a local department, school or unit |
| Personally Identifiable Information (PII) | Any data that could potentially identify a specific individual |
| Protected Health Information (PHI) | Also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care |
| Cybersecurity Incident | Any cybersecurity event which has the potential to or has already resulted in unauthorized access, acquisition, manipulation, or destruction of data which compromises the Confidentiality, Integrity or Availability of university information assets, including those which may be handled, stored, or accessed by third party services, products or related processes |
| System Owner | The individual responsible for the overall procurement, development, integration, modification, operation, maintenance, and retirement of an information system. The System Owner is a key contributor in developing system design specifications to ensure the security and user operational needs are documented, tested, and implemented |
| USC-Owned Technology Resources | Technology resources owned, licensed, or developed by USC, including but not limited to: network-based communication services (USC networks, email accounts, instant messaging platforms, and cloud-based repositories); USC-issued computers and electronic devices (desktops, laptops, mobile phones, tablets, servers, PDAs, and pagers) purchased or leased using university funds; and any USC-developed or licensed software. |

5. Policy Details

Objective 

The objective of this policy is to ensure all Covered Individuals know what to do in the event of a cybersecurity incident. A “cybersecurity incident” is defined as any cybersecurity event which has the potential to or has already resulted in unauthorized access, acquisition, manipulation, or destruction of data which compromises the Confidentiality, Integrity or Availability of university information or information assets, including those which may be handled, stored, or accessed by third party services, products or related processes.

Policy Requirements 

5.1 Incident Reporting 

  • 5.1.1 Covered Individuals must immediately report both potential and suspected cybersecurity incidents. Covered Individuals will:
    • 5.1.1.1 Contact the System Owner, Local Technology Support, or USC Office of Cybersecurity via email (security@usc.edu) or telephone (213-740-5555) immediately.
  • 5.1.2 Local Technology Support will report all cybersecurity incidents to USC Office of Cybersecurity, as defined in the Incident Response Plan, to initiate incident investigations. Local units will not conduct independent investigations.
  • 5.1.3 All third-party cybersecurity incidents must be reported to the USC Office of Cybersecurity and Office of General Counsel.

5.2 Incident Response Plan 

  • 5.2.1 Relevant System Owners will work with USC Office of Cybersecurity to establish a Local Incident Response Procedure, which will include a report and response plan on the Confidentiality, Integrity and Availability of the data that may be breached, including but not limited to Personally Identifiable Information (PII), Protected Health Information (PHI), privacy data, and student records.
  • 5.2.2 The USC Cybersecurity Incident Response Plan will be maintained, updated, and tested at least annually for timely and effective handling of all cybersecurity incidents.
    • 5.2.2.1 All individual local cybersecurity incident response procedures will be maintained and updated at least annually. USC Office of Cybersecurity may request evidence of the local cybersecurity incident response procedures periodically.

5.3 Incident Response 

  • 5.3.1 Affected departments, schools and units, in coordination with the Office of Ethics and Compliance, Office of General Counsel and USC Office of Cybersecurity as required, will follow established procedures for the identification, collection, acquisition and preservation of information related to cybersecurity incidents.
  • 5.3.2 Affected departments, schools and units will adhere to the expected notification and response timelines, as outlined in the Cybersecurity Incident Response Plan (CIRP).
  • 5.3.3 Covered Individuals will work with USC Office of Cybersecurity on measures to contain, resolve and execute necessary actions related to cybersecurity incidents in a timely manner.
  • 5.3.4 System Owners and Local Technology Support will comply with evidence requests from USC Office of Cybersecurity, General Counsel and other USC Office of Cybersecurity authorized partners in a timely manner. At no time will Covered Individuals impede an investigation, as defined by the Acceptable Use Policy.
  • 5.3.5 All information pertaining to a cybersecurity incident investigation must be handled with discretion and disclosed to internal and external parties only on a need-to-know basis. All incident communications will be managed in coordination with USC Office of Cybersecurity, Office of General Counsel, and/or USC communications teams.
  • 5.3.6 Initial local cybersecurity incident response procedures will be documented using the USC Office of Cybersecurity template.
  • 5.3.7 All people supporting USC systems should complete “TrojanSecure: Information Security Incident Response” training module in TrojanLearn.usc.edu.

6. Procedures

N/A

7. Forms

N/A

8. Responsibilities

| POSITION or OFFICE | RESPONSIBILITIES |
| --- | --- |
| USC Office of Cybersecurity | 1. Develop and review exceptions to the policy 2. Monitor activity relative to the policy requirements as well as provide periodic communications and training designed to support the policy and related procedures, as needed |
| USC Personnel | 1. Understand and comply with this policy 2. In any situations where it is not clear if the actions being contemplated are permitted, seek guidance from their supervisor or USC Office of Cybersecurity |
| SVPs, Deans, Department Chairs and Supervisors/Managers of departments, schools, and units | 1. Set expectations with USC Personnel to comply with this policy |

9. Related Information

Compliance Measurement 

The USC Office of Cybersecurity and the Office of Audit Services will collectively monitor compliance with this policy, USC’s cybersecurity policies and standards, and applicable federal and state laws and regulations using various methods, including but not limited to periodic policy attestations. Compliance with cybersecurity policies will be monitored regularly in conjunction with USC’s monitoring of its cybersecurity program. Audit Services will conduct periodic internal audits to ensure compliance.  

Exceptions 

Any requested exceptions to the policy will be submitted to secgovrn@usc.edu and evaluated in accordance with the decision criteria defined by the USC Office of Cybersecurity issues and exceptions management process.  

Non-Compliance 

Violation of this policy may lead to this being classified as a serious misconduct, which is grounds for discipline in accordance with the Faculty Handbook, staff employment policies, and the Student Handbook, as appropriate. Any disciplinary action under this policy will consider the severity of the offense and the individual’s intent and could include termination of access to the USC network, USC systems and/or applications, as well as employment actions up to and including termination, and student disciplinary actions up to and including expulsion. 

10. Contacts

Please direct any questions regarding this policy to:

| OFFICE | PHONE | EMAIL |
| --- | --- | --- |
| USC Office of Cybersecurity | | trojansecure@usc.edu |