Report an Information Security or Privacy Incident
- APS 2.5, Information Security and Privacy Incident Management Policy
- Incident management infographic (pdf)
Administrative Policy Statement 2.5 states that UW employees shall report any potential event that adversely impacts the Confidentiality, Integrity, or Availability of Institutional Information, regardless of form (paper or electronic), Infrastructure Technology, or Information Systems.
- Reporting Incidents
- Do and Don’t
- What to report
- What happens in the incident management process
- Additional Information
| For potential incidents involving | Contact |
|---|---|
| All information, information systems, and infrastructure technology except for the areas specifically listed below | University Chief Information Security Officer, (206) 685-0116 or |
| Protected health information (PHI) for Health Sciences Healthcare Components | Health Sciences Administration, (206) 543-7202 or |
| PHI for UW Medicine Healthcare Components | UW Medicine Compliance, (206) 543-3098 or |
| Human Subjects Information | Human Subjects Division, (206) 543-0098 or |
| Export Administration Regulation and International Traffic and Arms Regulations | Office of Research, (206) 543-4043 or |
This policy applies to:
- All areas of the University
- All workforce members
- All information except United States government classified information
- All mediums for storing or processing information regardless of who owns, operates, or manages the medium
Do:
- Ensure that all information security incidents are reported
- Immediately isolate the affected system to prevent further intrusion, release of data, etc.
- Document only information that has been substantiated
- Use the telephone to communicate
- Preserve all pertinent systems logs
- Identify all systems and departments that connect to the affected system
Don't:
- Communicate that there is a potential incident to individuals not directly involved in the incident management process
- Delete, move, or alter files on the affected system
- Contact or retaliate against the attacker
- Conduct your own forensic analysis
What to report:
- When did the event occur?
- How many records are involved?
- Was the data encrypted?
- What system(s), if any, are involved?
- What organization(s) or unit(s) are involved?
- Are there system logs that need to be preserved?
- Is the system deemed critical to operations?
- When applicable, inform your management or IT support person.
Each individual with delegated authority for incidents is responsible for developing, maintaining, and following an incident management process. Such processes must define procedures for preparing for an incident and address, at minimum, the following elements:
a. Assign Incident
The individual with delegated authority for incidents, or a designee, is responsible for managing the incident and consulting with or assembling subject matter experts or institutional officials as necessary.
b. Identification and Preservation of Evidence
The individual with delegated authority for incidents, or designee, is responsible for gathering initial information to determine if an incident has occurred. During this initial assessment the individual with delegated authority for incidents, or designee, must monitor and execute the steps needed to preserve evidence, forensic integrity, and chain of custody.
If an incident has occurred, the individual with delegated authority for incidents, or designee, must proceed with the subsequent sections of this policy and documented processes.
If an incident has not occurred, the individual with delegated authority for incidents, or designee, must document the decision and assessment criteria used, and provide appropriate notification to involved parties.
c. Risk Assessment
The individual with delegated authority for incidents, or designee, is responsible for assessing the data involved, the risk to the institution, and the potential harm to the individuals the University serves. The individual with delegated authority for incidents, or designee, is responsible for engaging other areas of the University during the assessment process, as needed, to determine:
- Potential legal, regulatory, financial, and reputational risks.
- The stakeholders and other institutional partnerships that may be required for next steps based on the unique circumstances involved in the incident (e.g. technical, legal, public relations, patient relations, and research compliance).
d. Containment
Based on the risk assessment, the individual with delegated authority for incidents, or designee, is responsible for taking containment actions to stop harm caused by the incident, if any. This may mean temporarily taking systems, services, or websites off-line.
e. Communication and Notification
Communication and notification to persons or third parties affected by an incident will be made as directed by the individual with delegated authority for incidents, or designee, and are to be carried out in accordance with applicable legal, regulatory, or contractual requirements.
This includes, but is not limited to:
- Reporting to the Privacy Assurance and Systems Security Council (PASS Council) for risk oversight.
- Coordinating with the Office of the Chief Information Security Officer (CISO) if the incident management vendor or Special Assistant Attorney General services are needed to assist with the incident.
- Informing Compliance and Risk Services of the incident and involvement of any expenses or third parties, such as the incident management vendor, Special Assistant Attorneys General, or other consultants.
- Reporting incidents, if required, to the Washington State Attorney General’s Office, the federal Office for Civil Rights, Defense Security Services, or other parties.
- Notifications to media through Media Relations and Communications, University websites, or other venues.
f. Remediation
Efforts to address the weakness that caused the incident or mitigate the root cause of the incident may begin at any time, as appropriate, during the incident management process, provided evidence is preserved. The individual with delegated authority for incidents, or designee, may also require the departmental unit(s) involved in the incident to develop a remediation plan or present to the PASS Council the status of the remediation efforts.
g. Restoration
Once evidence is preserved and the immediate actions have been taken to address the incident, the organizational area(s) involved in the incident may begin restoring the affected systems or services back to an operational state.
h. Records Management
For all incidents, the individual with delegated authority for incidents, or designee, must prepare a written summary that includes the pertinent details of the incident and serves as the final and official record for the University to be maintained according to the records retention schedule.