Original Issuance Date: September 14, 2016
Last Revision Date: July 31, 2017
1. Policy Purpose
The purpose of this policy is to require the creation of an information security incident response procedure at each University of Wisconsin System institution. This policy facilitates the consistent implementation of the procedures necessary to detect and react to information security incidents, determine their scope and risk, respond appropriately to the incident, mitigate the risks, communicate the results to all stakeholders, and reduce the likelihood of the incident from reoccurring. This policy identifies those elements that should be contained in the information security incident response procedures. This policy also defines the requirements for notification of incident information between UW System institutions and UW System Administration.
2. Responsible UW System Officer
UW System Chief Information Officer (CIO)
This policy applies to all information not classified as low risk data regardless of form at each UW System institution. This policy also includes requirements for procedures for other computer system and network related incidents that do not involve the potential unauthorized disclosure or use of information.
The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure effective and consistent information security incident response procedures throughout the University of Wisconsin System.
Low Risk Data: Data assets classified as being of low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.
Institutions: All four-year UW System campuses, UW Colleges, the University of Wisconsin- Extension, and UW System Administration.
6. Policy Statement
This policy requires that any individual, who suspects that an information security incident has likely occurred, shall report it using the appropriate institutional procedures. Personnel involved in information security incidents shall cooperate with investigation teams and provide access to UW System assets. Where personally owned information technology assets are involved, cooperation and access is necessary to ensure no institutionally owned data is compromised.
This policy requires the creation of an information security incident response procedure at each UW System institution. These information security incident response procedures shall contain the following:
i. Procedures detailing the implementation of tools, process and staff to monitor assets for indicators of compromise and signatures for misconfigured or vulnerable systems
ii. Procedures for submitting information of a potential incident to appropriate incident response personnel
iii. Identification of specific position(s) and/or team(s), and their roles and responsibilities, for those involved in incident response. This may include management, departmental representatives, information technology response staff, institutional risk management, university communications, and legal advice
iv.Identification of documentation to be collected during the response to the incident
v. Integration with other institutional business continuity and disaster recovery programs
vi. A requirement for annual testing of the incident response procedure
B. Detection and Analysis
i. Procedures for initial investigation and assignment of severity for a potential incident
ii. Procedures for investigation of a suspected incident
C. Containment, Eradication and Recovery
i. Procedures to identify actions to be taken in response to an incident, including but not limited to:
- Isolating compromised systems and coordinating the remediation
- Blocking of potential hostile network traffic
- Communicating to members of the institution’s information technology community the indicators of misconfigured or vulnerable assets
ii. Procedures that identify an appropriate escalation path for the incident based on severity.
iii. Procedures for collecting and managing information during the event lifecycle.
iv. Procedures for meeting the requirements for internal notification and legal requirements for external reporting and meeting notification periods.
v. Procedure for notifying the UW System CIO. Notification to the UW System CIO is required within one business day if a confirmed incident involves the reasonable likelihood of a compromise of high or moderate risk data. If the UW System CIO is not available, notification should be made to the UW System Chief Information Security Officer (CISO). If the CISO is not available, notification should be made to the UW System Help Desk.
i. Procedures to collect and communicate information about an event to improve protection of the institution’s infrastructure
ii. Procedures to mitigate a reoccurrence of the event or incident
iii. Procedures for close-out of incidents
iv. Procedures for the tracking and management of incident related information. Institutions must update the UW System CIO of the resolution of the incident
The UW System CIO will maintain a record of all confirmed incidents and their resolutions.
Each Chancellor or designee shall annually review and approve their institution’s information incident response procedure. The UW System President or designee shall annually review and approve UW System Administration’s information security incident response procedure.
7. Related Documents
8. Policy History
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review