Policy
Original Issuance Date: September 14, 2016
Last Revision Date: May 29, 2024
1. Policy Purpose
The purpose of this policy is to establish the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration. It applies to all IS incidents that jeopardize the confidentiality, integrity, or availability of UW System institutions’ electronic information assets, as well as their systems, networks, and media that collect, process, store, and deliver such information. It is applicable to all individuals and/or organizations that perform functions in support of the institutions.
4. Background
The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure effective and consistent information security incident response procedures throughout the UW System.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Moderate Risk
- High Risk
6. Policy Statement
A. Reportable Incidents
Any incident that meets medium or higher cyber incident severity criteria as outlined in the UW System IS Incident Response (IR) Plan must be reported. Qualifying incidents include, but are not limited to:
- Any ransomware events resulting in the encryption of data or systems;
- Any incident involving unauthorized access, modification, or deletion of moderate or high risk data;
- The theft or loss of computers, devices, or media (university-owned or personally owned) containing high risk data;
- Successful penetration of a trusted network by an unauthorized actor;
- Vendor breaches for software or services used to process or store moderate or high risk data, wherein the institution received official breach notification correspondence from the vendor related to the breach;
- Denial of Service attacks that noticeably impact service availability;
- Observed or suspected physical intrusion into secure areas processing or storing moderate or high risk data;
- Widespread instances of malware not handled by applicable defensive software; and
- Any other incident involving the reasonable likelihood of compromise of moderate or high risk data or malicious cyber activity that could reasonably be expected to cause significant UW reputational harm.
B. Required Actions for Reportable Incidents
The following are required actions when it is determined that an IS incident has likely occurred. Specific procedures are outlined in the UW System IR Plan. The UW System IR Plan will be exercised for any multi-institution IS incident and/or when UW System leads an enterprise-wide IS incident response.
- UW System employees who suspect that an IS incident has likely occurred must report it to their organization’s Information Security lead and Chief Information Officer. Individuals involved in IS incidents must cooperate with investigation teams and provide access to all impacted UW System assets. Depending on the severity and breadth of the incident, investigation teams may be comprised of local IT personnel, representatives from UW System Administration, external forensic teams, and/or law enforcement. In situations involving personally owned information technology assets, cooperation and access to the personally owned device may be necessary to ensure university owned data has not been compromised.
- Notification to the UW System Office of Information Security is required within one (1) business day of discovery, if a confirmed incident meets reportable criteria outlined above. Notification must follow reporting protocols set forth by the UW System Office of Information Security as described in UW System Incident Reporting Protocol. Required reporting elements, to the extent known, include:
- Date of incident;
- Date of discovery;
- Type of incident (examples include but are not limited to fraud, data breach/exposure, theft, malware, phishing, etc.);
- Estimated number of individuals impacted and/or records exposed/breached; and
- A short description of what occurred.
See the IS IR Plan for a complete list of incident details to report.
III. Follow-up notification to the UW System Office of Information Security is required within three (3) business days of discovery. Notification must include above reporting elements in addition to designation of an incident commander, periodicity of planned communications to UW System Administration, updated incident information, and next steps including any anticipated request for assistance.
IV. The Traffic Light Protocol (TLP) must be used for all written correspondence. See the link here for TLP details.
V. Threat intelligence must be shared with other UW institutions as prescribed in the UW System IS IR Plan.
VI. Once the closure criteria outlined in the UW System IS IR Plan are met, institutions must communicate the closure date to the UW System Office of Information Security.
VII. Once an incident is closed, institutions must submit a Final Findings Report as prescribed in the UW System IS IR Plan.
VIII. The UW System Office of Information Security must maintain a record of all confirmed IS incidents and their resolutions.
IX. Each Chancellor, or designee, and the UW System Vice President for Finance and Administration or central administration designee must review their organization’s IS incident events on a quarterly basis.
C. Tabletop Exercises
Each Chancellor, or designee, and the UW System Vice President for Finance and Administration, or central administration designee, must conduct an annual IS IR tabletop exercise. A brief summary of the event, including lessons learned must be documented.
D. Foundation IR Plans
Each University of Wisconsin campus IS Designee is responsible for working with their associated Foundation(s) to establish and maintain a joint IR Plan. The plan must, at a minimum, clearly define roles and responsibilities between the institution and the Foundation(s) regarding who is responsible for remediating incidents.
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Administrative Policy 1031, Information Security: Data Classification
UW System Information Security Program
UW System Information Security Incident Response Plan
UW System Incident Reporting Protocol
8. Policy History
Revision 8: May 29, 2024
Revision 7: November 11, 2022
Revision 6: August 23, 2022
Revision 5: July 7, 2021
Revision 4: November 13, 2020
Revision 3: April 22, 2020
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review
July 2026