The policy defines four types of information incidents: (1) loss or theft, (2) intrusion by malware or unauthorized access via the network, (3) physical intrusion, and (4) all others. Each type has criteria that make a possible incident "reportable". The policy requires the reporting of reportable incidents, unless one of the exceptions applies. The Incident Reporting and Response Procedures are the implementation of the policy.
Applies to all users of UW-Madison information resources.
Users of UW-Madison information resources must report incidents involving possible unauthorized access to UW-Madison restricted data or sensitive data, using the mandatory portions of the Incident Reporting and Response Procedures.
Exceptions:
Under this policy it is not necessary to report:
Unauthorized access to restricted data and sensitive data can be detrimental to the affected individuals or the institution. There are laws and contracts that require the university to protect certain types of information from unauthorized access. Under some circumstances the institution is required to report the incident to the contractor, to the source of the information, or to the individuals who might be adversely affected. The institution needs to be informed of possible incidents in order to meet these obligations and take appropriate action to protect individuals and the institution from harm.
In order to respond appropriately, it is necessary to investigate possible incidents involving restricted data and sensitive data. A more rigorous investigation is required for incidents in which restricted data may have been accessible to unauthorized persons. Other special types of data covered by laws, contracts or policies may also require a rigorous investigation. Considerable expertise and specialized equipment are needed to rigorously preserve evidence and investigate. The Office of Cybersecurity and UW Police have the training and equipment necessary to determine to what extent it is reasonable to believe that unauthorized access has occurred.
All users of computers, devices, media, services, or other resources used for university business need to be aware of and alert to the signs of possible malware infection, unauthorized access via the network, theft or physical intrusion. Users need to know how to initially limit the damage and preserve evidence for later investigation. For example, leaving computers, devices, services or other resources connected to the Internet may allow unauthorized persons to access more information. Turning off or continuing to use computers, devices, services or other resources can destroy evidence. When a rigorous investigation is required, the affected computers, devices, services, physical sites or other resources need to be isolated to limit the damage and protect the evidence.
There are a variety of circumstances in which non-UW-Madison-owned computers, devices, media, services, or other resources are used for university business. Examples include cloud services and personally owned computers, devices and media. UW-Madison has a stewardship or custodial interest in all university data, regardless of how or where it is stored, transmitted or processed. For that reason, the reporting and response requirements extend to all non-UW-Madison-owned computers, devices, media, services or other resources that are used for university business.
Issued by the UW-Madison Vice Provost for Information Technology.
Failure to report as required may result in loss of access to UW-Madison information resources, or disciplinary action up to and including termination of employment.
Please address questions or comments to itpolicy@cio.wisc.edu.
10/10/2012