UW-Madison - CIO - Incident Reporting and Response Procedures Flowchart

The flowchart illustrates the overall process of reporting and response.

Illustrates the entire reporting and response process. See the text description that follows the diagram.

General Description

There are five actors:

  • the Department,
  • the Office of Cybersecurity,
  • the CIO,
  • the Administrative Leadership Team (ALT), and
  • University Communications.

There four phases:

  1. Incident discovery and report.

    Done by the Department.

    A suspicious activity is observed. This might or might not lead to an incident report. There are two cases that require a report.

    • If restricted data may have been accessible to unauthorized persons, the incident must be reported.

    • If sensitive data was accessed by unauthorized persons, the incident must be reported.

  2. Investigation.

    Done by the Office of Cybersecurity, with assistance from the Department.

    The investigation determines whether or not leadership needs to make a decision about notification.

  3. Response.

    Done by the CIO, the Administrative Leadership Team (ALT), and University Communications, with assistance from the Department and the Office of Cybersecurity.

    The CIO organizes the ALT. The ALT reviews the investigation report and decides whether or not to notify the affected persons. If so, notification is done, with provision to respond to inquiries from the press and those who were notified.

    The ALT also evaluates and follows up on other obligations the university might have.

  4. Post-incident activities.

    The process always ends with post-incident activities by all who were involved up to that point.


Please address questions or comments to policy@cio.wisc.edu.


Incident Reporting and Response Policy- https://kb.wisc.edu/itpolicy/cio-incident-reporting-policy
Incident Reporting and Response Procedures - https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures
Incident Reporting and Response Procedures Flowchart – https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures-flowchart
Incident Reporting and Response Procedures Template (for local procedures) – https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures-template
IT Policy Glossary – https://kb.wisc.edu/itpolicy/glossary
Data Classification Policy – https://kb.wisc.edu/itpolicy/cio-data-classification-policy
Acceptable Use Policy – https://www.wisconsin.edu/regents/policies/acceptable-use-of-information-technology-resources/

Revised:    Mar 04, 2016
Maintained by: Office of the CIO, IT Policy
History at: https://kb.wisc.edu/itpolicy/cio-incident-reporting-history
Reference at: https://kb.wisc.edu/itpolicy/cio-incident-reporting-procedures-flowchart

Keywords:procedures process requirements procedure processes requirement requirements, executives it-security-staff it-staff managers information-technology security, cloud-services mobile-devices network personally-owned-devices security cloud cybersecurity devices mobile networking personal personally telecommunications, monitoring, monitoring-and-mitigation cdm mitigation monitoring restricted-data sensitive-data hipaa-data ferpa-data restricted-research-data sensitive-research-data restricted sensitive hipaa ferpa fisma research   Doc ID:59716
Owner:GARY D.Group:IT Policy
Created:2016-01-13 13:15 CSTUpdated:2017-04-14 14:24 CST
Sites:IT Policy
Feedback:  0   2