Incident Reporting and Response

Layout for printing

Policy Number:

UW-509

Responsible Office:

Division of Information Technology (DoIT)

University Policy

Rationale/​Purpose:

This policy defines four types of information incidents: (1) loss or theft, (2) intrusion by malware or unauthorized access via the network, (3) physical intrusion, and (4) all others. Each type has criteria that make a possible incident "reportable." The policy requires the reporting of reportable incidents unless one of the exceptions applies. The Incident Reporting and Response Procedures are the implementation of the policy.

Scope:

Applies to all users of UW–Madison information resources.

Policy:

1. Policy

   1. Users of UW–Madison information resources must report incidents involving possible unauthorized access to UW–Madison restricted data or sensitive data, using the mandatory portions of the Incident Reporting and Response Procedures.
      1. Reportable incidents include:
         1. Loss or theft of computers, devices, or media where it is reasonable to believe that restricted data or sensitive data was present at the time of loss and unauthorized persons could access that data (for example, the information was not encrypted).
         2. Intrusion by malware or unauthorized access via the network into computers, devices, services, or other resources, where it is reasonable to believe that either:
            • Restricted data may have been accessible to unauthorized persons; or
            • Sensitive data was accessed by unauthorized persons.
         3. Unauthorized entry into offices or work areas, where it is reasonable to believe that restricted data may have been accessible to unauthorized persons, or sensitive data was accessed by unauthorized persons.
         4. Any other circumstances where it is reasonable to believe that restricted data may have been accessible to unauthorized persons or sensitive data was accessed by unauthorized persons.
      2. Special cases:
         1. The reporting and response requirements also include any circumstances where non-UW–Madison-owned computers, devices, media, services, or other resources are used for university business. Ownership of the resource does not affect the requirement to report and respond to incidents involving UW–Madison restricted data or sensitive data.
         2. Due to legal, contractual, or other policy requirements, it may be necessary for the university to require IT professionals or other qualified staff to isolate computers, devices, services, or other resources in order to preserve evidence. The Incident Reporting and Response Procedures describe some of the circumstances in which isolation is mandatory.
         3. There may be additional reporting and response requirements for special types of data covered by laws, contracts, or other policies, or to meet other legal or contractual requirements.
      3. Exceptions:
         1. Under this policy it is not necessary to report:
            • Incidental access by employees or other trusted persons where no harm is likely to result; or
            • incidents in which the only restricted data or sensitive data involved was from de minimis personal use (as permitted by the responsible use of information technology policy.)

2. Background

   1. University obligations:
      1. Unauthorized access to restricted data and sensitive data can be detrimental to the affected individuals or the institution. There are laws and contracts that require the university to protect certain types of information from unauthorized access.
      2. Under some circumstances, the institution is required to report the incident to the contractor, to the source of the information, or to the individuals who might be adversely affected. The institution needs to be informed of possible incidents in order to meet these obligations and take appropriate action to protect individuals and the institution from harm.
   2. Required investigations:
      1. In order to respond appropriately, it is necessary to investigate possible incidents involving restricted data and sensitive data.
      2. A more rigorous investigation is required for incidents in which restricted data may have been accessible to unauthorized persons.
      3. Other special types of data covered by law, contracts, or policies may also require a rigorous investigation.
      4. Considerable expertise and specialized equipment are needed to rigorously preserve evidence and investigate. The Office of Cybersecurity and UW–Madison Police have the training and equipment necessary to determine to what extent it is reasonable to believe that unauthorized access has occurred.
   3. Preservation of evidence:
      1. All users of computers, devices, media, services, or other resources used for university business need to be aware of and alert to the signs of possible malware infection, unauthorized access via the network, theft, or physical intrusion.
      2. Users need to know how to initially limit the damage and preserve evidence for later investigation. For example, leaving computers, devices, services or other resources connected to the internet may allow unauthorized persons to access more information.
      3. Turning off or continuing to use computers, devices, services or other resources can destroy evidence. When a rigorous investigation is required, the affected computers, devices, services, physical sites, or other resources need to be isolated to limit the damage and protect the evidence.
   4. Non-UW–Madison-owned resources:
      1. There are a variety of circumstances in which non-UW–Madison-owned computers, devices, media, services, or other resources are used for university business. Examples include cloud services or personally-owned computers, devices, and media. UW–Madison has a stewardship or custodial interest in all university data, regardless of how or where it is stored, transmitted, or processed. For that reason, the reporting and response requirements extend to all non-UW–Madison-owned computers, devices, media, services, or other resources that are used for university business.

3. Enforcement

   1. Failure to report as required may result in loss of access to UW–Madison information resources or disciplinary action up to and including termination of employment.

Related UW-Madison Policies:

UW-504 Data Classification Policy

UW-509 Incident Reporting and Response Policy

Related UW–Madison Documents, Web Pages, or Other Resources:

Incident Reporting and Response Procedures

Incident Reporting and Response Procedures Flowchart

Incident Reporting and Response Procedures Template (for local procedures)

IT Policy Glossary

External References:

Regent Policy Document 25-3, Acceptable Use of Information Technology Resources

Policy Administration

Approval Authority:

Chief Information Officer & Vice Provost for Information Technology

Policy Manager:

Assistant Director, Cybersecurity Program and Business Services

Contact:

IT Policy Writer and Analyst, Office of CyberSecurity; IT Policy Website Link -- Sara Tate-Pederson, itpolicy@cio.wisc.edu, (608) 263-5370

Effective Date:

06-01-2009

Revised Dates:

10-10-2012

Reviewed Dates:

01/01/2018

Retrieved:

09-25-2022 11:45:41