UW-Madison - CIO - Incident Reporting and Response Policy

Applies to all users of UW-Madison information resources.

The policy defines four types of information incidents: (1) loss or theft, (2) intrusion by malware or unauthorized access via the network, (3) physical intrusion, and (4) all others. Each type has criteria that make a possible incident "reportable". The policy requires the reporting of reportable incidents, unless one of the exceptions applies.

The Incident Reporting and Response Procedures are the implementation of the policy.


Policy

Users of UW-Madison information resources must report incidents involving possible unauthorized access to UW-Madison restricted data or sensitive data, using the mandatory portions of the Incident Reporting and Response Procedures.

  1. Reportable incidents include:

    1. loss or theft of computers, devices or media, where it is reasonable to believe that restricted data or sensitive data was present at the time of loss and unauthorized persons could access that data (for example, the information was not encrypted);

    2. intrusion by malware or unauthorized access via the network into computers, devices, services or other resources, where it is reasonable to believe that either:

      1. restricted data may have been accessible to unauthorized persons, or
      2. sensitive data was accessed by unauthorized persons;

    3. unauthorized entry into offices or work areas, where it is reasonable to believe that restricted data may have been accessible to unauthorized persons, or sensitive data was accessed by unauthorized persons; or

    4. any other circumstances where it is reasonable to believe that restricted data may have been accessible to unauthorized persons, or sensitive data was accessed by unauthorized persons.

  2. Special cases:

    1. The reporting and response requirements also include any circumstances where non-UW-Madison-owned computers, devices, media, services or other resources are used for university business. Ownership of the resource does not affect the requirement to report and respond to incidents involving UW-Madison restricted data or sensitive data.

    2. Due to legal, contractual or other policy requirements it may be necessary for the university to require IT professionals or other qualified staff to isolate computers, devices, services or other resources in order to preserve evidence. The Incident Reporting and Response Procedures describe some of the circumstances in which isolation is mandatory.

    3. There may be additional reporting and response requirements for special types of data covered by laws, contracts, or other policies, or to meet other legal or contractual requirements.

  3. Exceptions:

    Under this policy it is not necessary to report:

    1. incidental access by employees or other trusted persons where no harm is likely to result, or

    2. incidents in which the only restricted data or sensitive data involved was from de minimis personal use (as permitted by the Responsible Use policy).

Background

University obligations:

Unauthorized access to restricted data and sensitive data can be detrimental to the affected individuals or the institution. There are laws and contracts that require the university to protect certain types of information from unauthorized access. Under some circumstances the institution is required to report the incident to the contractor, to the source of the information, or to the individuals who might be adversely affected. The institution needs to be informed of possible incidents in order to meet these obligations and take appropriate action to protect individuals and the institution from harm.

Required investigations:

In order to respond appropriately, it is necessary to investigate possible incidents involving restricted data and sensitive data. A more rigorous investigation is required for incidents in which restricted data may have been accessible to unauthorized persons. Other special types of data covered by laws, contracts or policies may also require a rigorous investigation. Considerable expertise and specialized equipment are needed to rigorously preserve evidence and investigate. The Office of Cybersecurity and UW Police have the training and equipment necessary to determine to what extent it is reasonable to believe that unauthorized access has occurred.

Preservation of evidence:

All users of computers, devices, media, services, or other resources used for university business need to be aware of and alert to the signs of possible malware infection, unauthorized access via the network, theft or physical intrusion. Users need to know how to initially limit the damage and preserve evidence for later investigation. For example, leaving computers, devices, services or other resources connected to the Internet may allow unauthorized persons to access more information. Turning off or continuing to use computers, devices, services or other resources can destroy evidence. When a rigorous investigation is required, the affected computers, devices, services, physical sites or other resources need to be isolated to limit the damage and protect the evidence.

Non-UW-Madison-owned resources:

There are a variety of circumstances in which non-UW-Madison-owned computers, devices, media, services, or other resources are used for university business. Examples include cloud services and personally owned computers, devices and media. UW-Madison has a stewardship or custodial interest in all university data, regardless of how or where it is stored, transmitted or processed. For that reason, the reporting and response requirements extend to all non-UW-Madison-owned computers, devices, media, services or other resources that are used for university business.

Authority

Issued by the UW-Madison Vice Provost for Information Technology.

Enforcement

Failure to report as required may result in loss of access to UW-Madison information resources, or disciplinary action up to and including termination of employment.

Contact

Please address questions or comments to policy@cio.wisc.edu.

References

Incident Reporting and Response Policy- https://kb.wisc.edu/itpolicy/cio-incident-reporting-policy
Incident Reporting and Response Procedures - https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures
Incident Reporting and Response Procedures Flowchart – https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures-flowchart
Incident Reporting and Response Procedures Template (for local procedures) – https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures-template
IT Policy Glossary – https://kb.wisc.edu/itpolicy/glossary
Data Classification Policy – https://kb.wisc.edu/itpolicy/cio-data-classification-policy
Acceptable Use Policy – https://www.wisconsin.edu/regents/policies/acceptable-use-of-information-technology-resources/


Effective:   Jun 01, 2009
Revised:    Aug 10, 2012 RevA
Reviewed:  Jan, 2016
Review by: Jan, 2018 (two years)
Maintained by: Office of the CIO, IT Policy

History at: https://kb.wisc.edu/itpolicy/cio-incident-reporting-history
Reference at: https://kb.wisc.edu/itpolicy/cio-incident-reporting-policy



Doc ID: 59313
Owner: GARY D.
Group: IT Policy
Created: 2016-01-05 11:47 CST
Updated: 2017-04-14 14:27 CST