Office of the Chief Information Security Officer

Report an Information Security or Privacy Incident



Administrative Policy Statement 2.5 states that UW employees shall report any potential event that adversely impacts the Confidentiality, Integrity, or Availability of Institutional Information, regardless of form (paper or electronic), Infrastructure Technology, or Information Systems.



Report incidents to the appropriate Delegated Authority listed below


For potential incidents involving:

  • All information, information systems, and infrastructure technology except for the areas specifically listed below
    Contact: University Chief Information Security Officer, (206) 685-0116 or ciso@uw.edu or security@uw.edu
  • Protected health information (PHI) for Health Sciences Healthcare Components
    Contact: Health Sciences Administration, (206) 543-7202 or hsaea@uw.edu
  • PHI for UW Medicine Healthcare Components
    Contact: UW Medicine Compliance, (206) 543-3098 or comply@uw.edu
  • Human Subjects Information
    Contact: Human Subjects Division, (206) 543-0098 or hsdinfo@uw.edu
  • Export Administration Regulation and International Traffic and Arms Regulations
    Contact: Office of Research, (206) 543-4043 or export@uw.edu

Scope


This policy applies to:

  • All areas of the University
  • All workforce members
  • All information except United States government classified information
  • All mediums for storing or processing information regardless of who owns, operates, or manages the medium

Do and Don’t


 Do
 
  • Ensure that all information security incidents are reported
  • Immediately isolate the affected system to prevent further intrusion, release of data, etc.
  • Document only information that has been substantiated
  • Use the telephone to communicate
  • Preserve all pertinent systems logs
  • Identify all systems and departments that connect to the affected system

Don’t

  • Communicate that there is a potential incident to individuals not directly involved in the incident management process
  • Delete, move, or alter files on the affected system
  • Contact or retaliate against the attacker
  • Conduct your own forensic analysis

What to report


Please provide the following data when reporting an incident: 
 
  • When did the event occur?
  • How many records are involved?
  • Was the data encrypted?
  • What system(s), if any, are involved?
  • What organization(s) or unit(s) are involved?
  • Are there system logs that need to be preserved?
  • Is the system deemed critical to operations?
  • When applicable, inform your management or IT support person.

What happens in the incident management process?


Each individual with delegated authority for incidents is responsible for developing, maintaining, and following an incident management process. Such processes must define procedures for preparing for an incident and address, at minimum, the following elements:

a. Assign Incident

The individual with delegated authority for incidents, or a designee, is responsible for managing the incident and consulting with or assembling subject matter experts or institutional officials as necessary.

b. Identification and Preservation of Evidence

The individual with delegated authority for incidents, or designee, is responsible for gathering initial information to determine if an incident has occurred. During this initial assessment the individual with delegated authority for incidents, or designee, must monitor and execute the steps needed to preserve evidence, forensic integrity, and chain of custody.

If an incident has occurred, the individual with delegated authority for incidents, or designee, must proceed with the subsequent sections of this policy and documented processes.

If an incident has not occurred, the individual with delegated authority for incidents, or designee, must document the decision and assessment criteria used, and provide appropriate notification to involved parties.

c. Risk Assessment

The individual with delegated authority for incidents, or designee, is responsible for assessing the data involved, the risk to the institution, and the potential harm to the individuals the University serves. The individual with delegated authority for incidents, or designee, is responsible for engaging other areas of the University during the assessment process, as needed, to determine:

  • Potential legal, regulatory, financial, and reputational risks.
  • The stakeholders and other institutional partnerships that may be required for next steps based on the unique circumstances involved in the incident (e.g. technical, legal, public relations, patient relations, and research compliance).

d. Containment

Based on the risk assessment, the individual with delegated authority for incidents, or designee, is responsible for taking containment actions to stop harm caused by the incident, if any. This may mean temporarily taking systems, services, or websites off-line.

e. Communication and Notification

Communication and notification to persons or third parties affected by an incident will be made as directed by the individual with delegated authority for incidents, or designee, and are to be carried out in accordance with applicable legal, regulatory, or contractual requirements.

This includes, but is not limited to:

  • Reporting to the Privacy Assurance and Systems Security Council (PASS Council) for risk oversight.
  • Coordinating with the Office of the Chief Information Security Officer (CISO) if the incident management vendor or Special Assistant Attorney General services are needed to assist with the incident.
  • Informing Compliance and Risk Services of the incident and involvement of any expenses or third parties, such as the incident management vendor, Special Assistant Attorneys General, or other consultants.
  • Reporting incidents, if required, to the Washington State Attorney General’s Office, the federal Office for Civil Rights, Defense Security Services, or other parties.
  • Notifications to media through Media Relations and Communications, University websites, or other venues.

f. Mitigation

Efforts to address the weakness that caused the incident or mitigate the root cause of the incident may begin at any time, as appropriate, during the incident management process, provided evidence is preserved. The individual with delegated authority for incidents, or designee, may also require the departmental unit(s) involved in the incident to develop a remediation plan or present to the PASS Council the status of the remediation efforts.

g. Recovery

Once evidence is preserved and the immediate actions have been taken to address the incident, the organizational area(s) involved in the incident may begin restoring the affected systems or services back to an operational state.

h. Records Management

For all incidents, the individual with delegated authority for incidents, or designee, must prepare a written summary that includes the pertinent details of the incident and serves as the final and official record for the University to be maintained according to the records retention schedule.

Additional Information

See APS 2.5, Information Security and Privacy Incident Management Policy