
Policy: Information Security Incident Reporting 


Date: 04/10/07 Policy ID: IRM-012 Status: Final

Policy Type: University
   
Contact Office: Chief Information Officer (Office of the)
   
Oversight Executive: Chief Information Officer
   
Applies To: All employees of the University, University-related foundations and others who have access to University data not routinely made available to the general public.
   
Table of Contents: Policy Statement
Procedures
   
Reason for Policy:  Establishes the requirement to report information security incidents to appropriate University officials so proper and timely response procedures can be initiated.  Such reporting ensures particularly serious incidents, such as violations of confidentiality or integrity of sensitive University data:
  • are documented and thoroughly and expertly investigated;
  • responses are handled in a consistent manner and in accordance with data disclosure notification laws requiring that the subject of data (e.g., a patient or research subject) be informed of the incident;
  • harmful effects are mitigated; and
  • measures to prevent recurrence are identified and implemented.
Reporting also enhances awareness of troublesome trends in security incidents that indicate the need for adjustments in the University’s overall security program.
   
Policy Summary: 
   
Definition of Terms in Statement: 

Electronic Devices: Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers, printers, copiers, routers, switches, firewall hardware, etc.

Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Information Security Incident: Any event that, regardless of accidental or malicious cause, results in:
  • disclosure of University data to someone unauthorized to access it,
  • unauthorized alteration of University data,
  • loss of data for which the University is legally or contractually bound to protect or which support critical University functions,
  • disrupted information technology service levels,
or otherwise is a violation of the University’s information security policies (see Related Information section of this policy). Examples of such incidents include but are not limited to:
  • Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, patient data, certain research data, etc.
  • Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
  • Defacement of a University website.
  • Unauthorized use of an individual’s computing account.
  • Use of computing resources for unethical or unlawful purposes (incidents involving pornography should be reported directly to the University Audit Department).
  • Contact from the FBI, Secret Service or other law enforcement organizations regarding a University electronic device that may have been used to commit a computer crime.
Note:  To avoid inadvertent violations of state or federal law, neither individuals nor departments may release University information, electronic devices or electronic media to any outside entity, including law enforcement organizations, before making the notifications required by this policy.


   
Policy Statement: 

All faculty and staff are required to promptly report information security incidents to appropriate University officials using the procedures referenced in this policy.

   
Procedures: University Academic Division
Report incidents to the University’s Information Security, Policy, and Records Office via the online Security Incident Report form (preferred) or phone at (434) 924-4165. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.

Upon receipt of the report, the Information Security, Policy, and Records Office will inform all appropriate University officials.  Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department.  If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead. 

Medical Center
Report incidents to the Medical Center’s Information Security Office by calling the Computing Services Help Desk at (434) 924-5334. Additional information is provided in the Medical Center’s Incident Management Guideline.

Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department.  If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.

Health Services Foundation
Report incidents to the HSF HIPAA Security Desk at (434) 970-2484 or (434) 924-5334.

All Other Foundations
Use the University Academic Division procedure noted above.

U.Va. College at Wise and Related Foundations
Report incidents to the Security and Policy Coordinator by emailing abuse@uvawise.edu or calling (276) 376-4641. If the incident involves equipment theft, the person reporting the incident should also immediately contact the UVa-Wise Police Department at (276) 328-2677.  The Information Technology Security and Policy Coordinator will inform all other appropriate University officials.

   
Related Information: 

Reporting Fraudulent Transactions Policy

For other related computing security policies in the Academic Division, refer to the Information Policy at UVa.

For other related computing security policies in the Medical Center, refer to Medical Center Policy 0163 Access to Computerized Medical Records and Institutional Computer Systems


   
Policy Background: The University has a highly complex and resource rich information environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Compromise of the integrity, availability, or confidentiality of those resources can result in corruption or exposure of sensitive University data, staff productivity loss, financial loss, public embarrassment, and other serious adverse effects. Prompt reporting of incidents can help minimize such damage.
   
Major Category: Information Resource Management
   
Category Cross Reference: 
   
   
Process: 
   
Next Scheduled Review: 04/10/13
   
Approved By, Date: Executive Vice President and Chief Operating Officer, 04/10/07
   
Revision History: Updated 11/3/10, 11/19/09.
   
Supersedes (previous policy):