IRM-012: Information Security Incident Reporting

Date: 04/10/2007 Status: Final
Last Revised: 04/28/2014
Policy Type: University
Oversight Executive: Chief Information Officer
Applies To: All employees of the University, University-Related Foundations and others who have access to University data not routinely made available to the general public.
Table of Contents:

Policy Statement
Procedures

Reason for Policy:

Establishes the requirement to report information security incidents to appropriate University officials so that proper and timely response procedures can be initiated. Such reporting ensures that, for particularly serious incidents, such as violations of the confidentiality or integrity of sensitive University data:

  • the incident is documented and thoroughly and expertly investigated;
  • the response is handled in a consistent manner and in accordance with data disclosure notification laws, which require that the subject of the data (e.g., a patient or research subject) be informed of the incident;
  • harmful effects are mitigated; and
  • measures to prevent recurrence are identified and implemented.

Reporting also enhances awareness of troublesome trends in security incidents that indicate the need for adjustments in the University’s overall security program.

Definition of Terms in Statement:
  • Information Security Incident:

    Any event that, regardless of accidental or malicious cause, results in:

    • disclosure of University data to someone unauthorized to access it,
    • unauthorized alteration of University data,
    • loss of data that the University is legally or contractually bound to protect or that supports critical University functions,
    • disrupted information technology service levels, or
    • any other violation of the University’s information security policies.

    Examples of such incidents include but are not limited to:

    • Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, patient data, certain research data, etc.
    • Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
    • Defacement of a University website.
    • Unauthorized use of an individual’s computing account.
    • Use of computing resources for unethical or unlawful purposes (incidents involving pornography should be reported directly to the University Audit Department).
    • Contact from the FBI, Secret Service or other law enforcement organizations regarding a University electronic device that may have been used to commit a computer crime.

    Note: To avoid inadvertent violations of state or federal law, neither individuals nor departments may release University information, electronic devices or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by policy IRM-012, Information Security Incident Reporting.

  • Electronic Devices:

    Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, etc.

  • Electronic Media:

    All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Policy Statement:

All faculty and staff are required to promptly report information security incidents to appropriate University officials using the procedures referenced in this policy.

Procedures:

University Academic Division:
Report incidents to the University’s Information Security, Policy, and Records Office via the online Security Incident Report form (preferred) or phone at (434) 924-4165. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.

Upon receipt of the report, the Information Security, Policy, and Records Office will inform all appropriate University officials. Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.

Medical Center:
Report incidents to the Medical Center’s Information Security Office by calling the Computing Services Help Desk at (434) 924-5334. Additional information is provided in the Medical Center’s Incident Management Guideline.

Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.

Health Services Foundation:
Report incidents to the HSF HIPAA Security Desk at (434) 970-2484 or (434) 924-5334.

All Other Foundations:
Use the University Academic Division procedure noted above.

U.Va. College at Wise and Related Foundations:
Report incidents to the Security and Policy Coordinator by emailing abuse@uvawise.edu or calling (276) 376-4641. If the incident involves equipment theft, the person reporting the incident should also immediately contact the UVa-Wise Police Department at (276) 328-2677. The Information Technology Security and Policy Coordinator will inform all other appropriate University officials.

Related Information:

GOV-002, Reporting Fraudulent Transactions Policy

For other related computing security policies:

  • Academic Division: refer to the Information Policy at UVa.
  • Medical Center: Medical Center Policy 0163, Access to Computerized Medical Records and Institutional Computer Systems.

Policy Background:

The University has a highly complex and resource rich information environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Compromise of the integrity, availability, or confidentiality of those resources can result in corruption or exposure of sensitive University data, staff productivity loss, financial loss, public embarrassment, and other serious adverse effects. Prompt reporting of incidents can help minimize such damage.

Major Category: Information Resource Management
Next Scheduled Review: 04/28/2017
Approved by, Date: Executive Vice President and Chief Operating Officer, 04/10/2007
Revision History: 4/28/14, 11/3/10, 11/19/09.