Policy: Information Security Incident Reporting
|Date: 04/10/07||Policy ID: IRM-012||Status: Final|
|Contact Office:||Chief Information Officer (Office of the)|
|Oversight Executive:||Chief Information Officer|
|Applies To:||All employees of the University, University-related foundations and others who have access to University data not routinely made available to the general public.|
|Reason for Policy:|| Establishes the requirement to report information security incidents to appropriate University officials so proper and timely response procedures can be initiated. Such reporting ensures particularly serious incidents, such as violations of confidentiality or integrity of sensitive University data:
|Definition of Terms in Statement:||
Electronic Devices: Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers, printers, copiers, routers, switches, firewall hardware, etc.
Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
Information Security Incident: Any event that, regardless of accidental or malicious cause, results in:
All faculty and staff are required to promptly report information security incidents to appropriate University officials using the procedures referenced in this policy.
|Procedures:||University Academic Division
Report incidents to the University’s Information Security, Policy, and Records Office via the online Security Incident Report form (preferred) or phone at (434) 924-4165. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.
Upon receipt of the report, the Information Security, Policy, and Records Office will inform all appropriate University officials. Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.
Health Services Foundation
All Other Foundations
U.Va. College at Wise and Related Foundations
For other related computing security policies in the Medical Center, refer to Medical Center Policy 0163 Access to Computerized Medical Records and Institutional Computer Systems
|Policy Background:||The University has a highly complex and resource-rich information environment upon which there is increasing reliance to provide mission-critical academic, instructional and administrative functions. Compromise of the integrity, availability, or confidentiality of those resources can result in corruption or exposure of sensitive University data, staff productivity loss, financial loss, public embarrassment, and other serious adverse effects. Prompt reporting of incidents can help minimize such damage.
|Major Category:||Information Resource Management|
|Category Cross Reference:|
|Next Scheduled Review:||04/10/13|
|Approved By, Date:||Executive Vice President and Chief Operating Officer, 04/10/07|
|Revision History:||Updated 11/3/10, 11/19/09.|
|Supersedes (previous policy):|