IRM-012: Information Security Incident Reporting
Date: 04/10/2007 Status: Final
Establishes the requirement to report information security incidents to appropriate University officials so proper and timely response procedures can be initiated. Such reporting ensures that, for particularly serious incidents, such as violations of confidentiality or integrity of sensitive University data:
- the incidents are documented and thoroughly and expertly investigated;
- responses are handled in a consistent manner and in accordance with data disclosure notification laws requiring that the subject of data (e.g., a patient or research subject) be informed of the incident;
- harmful effects are mitigated; and
- measures to prevent recurrence are identified and implemented.
Reporting also enhances awareness of troublesome trends in security incidents that indicate the need for adjustments in the University’s overall security program.
Information Security Incident:
Any event that, regardless of accidental or malicious cause, results in:
- disclosure of University data to someone unauthorized to access it,
- unauthorized alteration of University data,
- loss of data which the University is legally or contractually bound to protect or which support critical University functions,
- disrupted information technology service levels,
- or otherwise is a violation of the University’s information security policies.
Examples of such incidents include but are not limited to:
- Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, patient data, certain research data, etc.
- Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
- Defacement of a University website.
- Unauthorized use of an individual’s computing account.
- Use of computing resources for unethical or unlawful purposes (incidents involving pornography should be reported directly to the University Audit Department).
- Contact from the FBI, Secret Service or other law enforcement organizations regarding a University electronic device that may have been used to commit a computer crime.
Note: To avoid inadvertent violations of state or federal law, neither individuals nor departments may release University information, electronic devices or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by policy IRM-012, Information Security Incident Reporting.
Electronic Device:
Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, etc.
Electronic Media:
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
University Academic Division:
Report incidents to the University’s Information Security, Policy, and Records Office via the online Security Incident Report form (preferred) or phone at (434) 924-4165. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.
Upon receipt of the report, the Information Security, Policy, and Records Office will inform all appropriate University officials. Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.
Medical Center:
Report incidents to the Medical Center’s Information Security Office by calling the Computing Services Help Desk at (434) 924-5334. Additional information is provided in the Medical Center’s Incident Management Guideline.
Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.
Health Services Foundation:
Report incidents to the HSF HIPAA Security Desk at (434) 970-2484 or (434) 924-5334.
All Other Foundations:
Use the University Academic Division procedure noted above.
U.Va. College at Wise and Related Foundations:
Report incidents to the Security and Policy Coordinator by emailing firstname.lastname@example.org or calling (276) 376-4641. If the incident involves equipment theft, the person reporting the incident should also immediately contact the UVa-Wise Police Department at (276) 328-2677. The Information Technology Security and Policy Coordinator will inform all other appropriate University officials.
The University has a highly complex and resource-rich information environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Compromise of the integrity, availability, or confidentiality of those resources can result in corruption or exposure of sensitive University data, staff productivity loss, financial loss, public embarrassment, and other serious adverse effects. Prompt reporting of incidents can help minimize such damage.