These procedures implement the mandatory reporting required by the Incident Reporting and Response Policy. The rationale is discussed in the background section of the policy.
Notation convention:
Data classifications are underlined. There is an important destinction between Restricted Data and Sensitive Data. The procedures for the two are significantly different. See the Data Classification Policy for the definition of each classification.
Decision criteria about the affected data are in italics. There is an important distinction between "reasonable to believe restricted data may have been accessible to unauthorized persons" and "reasonable to believe that sensitive data was accessed by unauthorized persons". The first indicates it was possibile, excluding unreasonable or unlikely cases that could result in access. The second indicates it was likely, excluding unreasonable or unlikely cases under which it was not accessed.
HIPAA incident reporting procedures
The UW-Madison implementation of HIPAA has special reporting procedures in order to cover incidents that are unique to HIPAA, and to assure that the university is able to comply with the HIPAA breach notification requirements.
If your unit is subject to HIPAA, please use the procedures in policy # 8.8 at https://compliance.wisc.edu/hipaa/.
Personally-owned devices used for university business
If you have UW-Madison restricted data or sensitive data on your personally-owned computers, devices, or media, the university needs to know about incidents involving that university data.
Reporting incidents involving UW-Madison restricted data and sensitive data is mandatory as described in the Incident Reporting and Response Policy. Please consider this carefully when deciding to use your personal equipment for university business.
Use the Incident Reporting and Response Procedures to report incidents involving personally-owned computers, devices or media that contain UW-Madison restricted data or sensitive data.
Data breach notifications from third parties>
If you receive a notice from a third party, such as a vendor, of a data breach involving software or a service used to store moderate or high risk data, you must forward that notification to cybersecurity@cio.wisc.edu> as soon as feasibly possible.
Mandatory procedures for each type of incident
The four cases in in this section correspond to the four cases in part (A) of the Information Incident Reporting and Response Policy.
Lost or stolen computers, devices or media:
if theft of computers, devices or media is observed or suspected:
Always report theft. Theft should be reported regardless of the type of data present.
Preserve physical evidence. Disturb as little as possible.
Contact law enforcement. If on campus, immediately contact UW Police, otherwise, immediately contact local law enforcement and follow up by informing UW police.
If theft is in progress, get to a safe place and dial 911.
Treat stolen items as "lost". After doing steps (1) to (3) above, continue by following the procedures in (b) below.
if loss of computers, devices or media is suspected:
If theft is observed or suspected, start by following the procedures in (a) above.
Immediately report the incident to your management or IT support staff. If none are available, call (don't email) the DoIT Help Desk. Use the procedures in (B)(2) below when reporting a loss to the DoIT Help Desk
For managers and IT support staff:
If it is reasonable to believe that restricted data or sensitive data was present in non-encrypted form on a lost or stolen device:
Immediately call (don't email) the DoIT Help Desk. Use the procedures in (B)(2) below.
Use remote wipe capability on mobile devices.
Incidents involving intrusion by malware or unauthorized access via the network into computers, devices, services, or other resources:
For faculty and staff: (other than IT support staff)
Preserve evidence. Do not use or turn off any related computer, device, service, or resource, nor dispose of any related media.
Report suspicious activity.
Report suspicious activity to IT support staff.
If no IT support staff are available, call (don't email) the DoIT Help Desk. Use the procedure in section (B) below.
For IT support staff:
Before taking any other action, check for restricted data.
Assume that restricted data may have been accessible to unauthorized persons, excluding unreasonable or very low probability cases that could result in access. The decision must be based upon what is known or discoverable without using the system. There are two possible decisions:
It is reasonable to believe that restricted data may have been accessible to unauthorized persons:
Preserve evidence.
Do not use the system to do a triage investigation. Investigating can easily destroy evidence. Special training and equipment is required.
Stop using the system. If this is not possible, minimize use.
Disconnect the system from the network. If this is not possible, isolate it to the extent practical, (e.g. by using a network firewall.)
Do not clean up the system. Wait until evidence is preserved by the Office of Cybersecurity or others authorized by the Vice Provost for Information Technology.
Call (don't email) the DoIT Help Desk. Use the procedure in (B)(2) below.
It is not reasonable to believe that restricted data was accessible to unauthorized persons, proceed as described in (A)(2)(b) below.
Check for sensitive data. (The procedure for restricted data is in (A)(2)(a) above.) If it is reasonable to believe that sensitive data (not restricted data) was accessed by unauthorized persons:
IT support staff may use the system to do a triage investigation in order to determine whether or not sensitive data was accessed by unauthorized persons.
While investigating, preserve as much evidence as possible.
If at any point it is discovered that restricted data may have been accessible to unauthorized persons, immediately stop investigating. Proceed as described in (A)(2)(a) above.
If warranted, call (don't email) the DoIT Help Desk as quickly as possible, but no later than three business days after discovery.
If physical intrusion into secure areas is observed or suspected:
Always report physical intrusion in to secure areas. Physical intrusion into secure areas should be reported regardless of the type of data present.
Preserve physical evidence. Disturb as little as possible.
If on campus, immediately contact UW Police, otherwise, immediately contact local law enforcement and follow up by informing UW police.
If a physical intrusion is in progress, get to a safe place and dial 911.
Physical intrusion could result in unauthorized access to one or more systems in the affected area. Continue by treating the incident under the genreal circumstances described in (A)(4) below.
For general circumstances where it is reasonable to believe that restricted data may have been accessible by unauthorized persons or sensitive data was accessed by unauthorized persons:
Use the procedure in (A)(2) above for each system for which it is reasonable to believe that system was involved in the incident.
There are a great many interconnected systems. As a practical matter, judging by the nature of the incident, form a reasonable estimate of which systems are involved.
Limit checking, triage, reporting and investigation to the estimated systems, unless there is evidence that indicates the incident affected additional systems.
Mandatory procedure for reporting an incident:
The earliest possible reporting is encouraged in order to minimize possible damage.
Preserve evidence:
Disturb as little as possible. Do not use or turn off any related computer, device, service, or resource, nor dispose of any related media. Preserve physical evidence of theft or physical intrusion.
Report the incident as quickly as possible:
if theft or physical intrusion is suspected: if on campus, immediately contact UW Police, otherwise, immediately contact local law enforcement and follow up by informing UW police:
Emergency: Dial 911 from any campus phone.
Non-emergency: (608) 264-2677 (264-COPS)
in all other cases: call (don't email) the DoIT Help Desk at (608) 264-HELP (4357).
Information Incident Reporting and Response Flowchart
The Incident Reporting and Response Procedures Flowchart illustrates the overall process of incident reporting and response.
The initial steps are performed by the department or other unit in which the incident occured. These are equivalent to the mandatory reporting procedures outlined in section A above.
The remaining steps illustrate the response process that occurs after an incident is reported.Template for local procedures (optional)
The Incident Reporting and Response Procedures Template is intended as a starting point for building local procedures. The template has a single page of instructions designed for faculty and staff (other than IT staff). The remaining pages are designed for IT staff.
The cover page has instructions for how to use the template.
Use of the template is not required by the policy.
Please address questions or comments to itpolicy@cio.wisc.edu.