Security Incident Management Policy:  IH


The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.


The purpose of this Incident Response Policy is to establish a framework for identifying, containing, mitigating, and reporting privacy and security Incidents in accordance with the Texas Administrative Code, Title 1, Chapter 202. This document sets forth the policy for incident management within SPC.


  • This policy applies to and must be complied with by all SPC Users.
  • The User agrees to abide by this policy while employed or contracted with the SPC.
  • Roles and responsibilities of each function pertaining to the protection of SPC- owned systems and data are documented in SPC policy.
  • The User is responsible for understanding the terms and conditions of this policy. Exemptions to this policy shall follow the process defined in SPC policy.
  • This policy is subject to change.
  • This policy applies to any computing device owned or leased by SPC. It also applies to any computing device regardless of ownership, which either is used to store SPC-owned Confidential or SPC-sensitive data or that, if lost, stolen, or compromised, and based on its privileged access, could lead to unauthorized data disclosure.



The Information Security Officer (ISO) is responsible for overseeing incident investigations in coordination with the Incident Response Team (IRT). The ISO shall recommend the IRT members to the Information Resources Manager (IRM) for approval. (TAC§202.76)


The highest priority of the ISO and IRT shall be to identify, contain, mitigate, and report privacy or security Incidents that fall under one or the following categories:

  • Propagation to external systems
  • Violation of applicable federal and/or state laws which will require involvement from law enforcement
  • Potential modification or disclosure of Confidential Information as defined in the Agency Data Classification Policy. 

The SPC ISO shall notify appropriate individuals (which must include the State CISO and the State Cybersecurity Coordinator) within 48 hours if it is believed that personal information owned by SPC has been used or disclosed by or for unauthorized persons or purposes. (TGC§2054.1125, TBC §521.053)

The ISO shall establish an Incident Criticality matrix. This matrix will define each level of escalation, detail the appropriate response for various incidents, and establish the appropriate team participants. (TAC§202.71-72

The ISO shall establish and document appropriate procedures, standards, and guidelines regarding Incidents. (TAC§202.71

The ISO is responsible for determining the physical and electronic evidence to be gathered as part of the incident investigation. Any electronic device containing data owned by SPC may be subject to seizure and retention by the ISO. 

The SPC Chief of Police, Information Security Officer, or SPC’s General Counsel (as appropriate) will work directly with law enforcement regarding any Incidents that may have violated federal or state laws. If an Incident is determined to be the result of a privacy violation by a User, the ISO shall notify the User’s supervisor and Human Resources of the violation(s), or the Inspector General’s Office, as applicable, for appropriate action. 

The ISO shall provide a summary report for each valid Security Incident to the IRM within five business days after the incident has been closed.



Management reserves the right to revoke access at any time for violations of this policy and for conduct that disrupts the normal operation of agency information systems or violates state or federal law. 

Any User who has violated SPC Security policies may be subject to disciplinary action, up to and including termination of employment or contract with DIR.

SPC will cooperate with appropriate law enforcement if any User may have violated federal or state law


Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Information Technology Services Policies website at The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
DIR Security Controls Catalog Control Group: IR-1


Approved by:  Executive Council, December 9, 2019

Next Review:   October 1, 2020