Original Issuance Date: September 14, 2016
Last Revision Date: April 22, 2020
Effective Date: June 1, 2020
1. Policy Purpose
The purpose of this policy is to establish the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
This policy applies to all UW System institutions, including central administration comprised of UW System Administration, UW Shared Services and UW Extended Campus. It applies to all IS incidents that threaten the confidentiality, integrity, and availability of UW System institutions’ electronic information assets, as well as their systems, networks, and media that collect, process, store, and deliver such information. It is applicable to all individuals and/or organizations that perform functions in support of the institutions.
The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure effective and consistent information security incident response procedures throughout the UW System.
Low Risk Data: Data assets classified as being of low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.
6. Policy Statement
A. Reportable Incidents
Any incident that meets medium or higher cyber incident severity criteria as outlined in the UW System IS Incident Response (IR) Plan must be reported. Qualifying incidents include, but are not limited to:
- Any incident involving unauthorized access, or the unauthorized modification or deletion, of higher or moderate risk data, including theft or loss of computers, devices or media (university-owned or personally owned) containing high or moderate risk data;
- Successful penetration of the network or widespread denial of service attack;
- Observed, or suspected, physical intrusion into secure areas storing high or moderate risk data;
- Widespread instances of malware not handled by applicable defensive software; and
- Any other incident involving the reasonable likelihood of compromise of high or moderate risk data or malicious cyber activity that could reasonably be expected to cause significant UW reputational harm.
B. Required Actions
This policy identifies the required actions when it is determined that an IS incident has likely occurred. Specific procedures are outlined in the UW System IR Plan. The UW System IR Plan will be exercised for any multi-institution IS incident and/or when UW System leads an enterprise-wide IS incident response.
- UW System employees who suspect that an incident has likely occurred, must report it to their organization’s Information Security lead and Chief Information Officer. Individuals involved in IS incidents must cooperate with investigation teams and provide access to all impacted UW System assets. Depending on the severity and breadth of the incident, investigation teams may be comprised of local IT personnel, UW System Administrative and/or UW Shared Services entities and/or local law enforcement. In situations involving personally owned device may be necessary to ensure university owned data have not been compromised.
- Verbal or written initial notification to the UW System AVP for Information Security is required within one (1) business day of discovery, if a confirmed incident meets reportable criteria outlined above. If the UW System AVP for Information Security is not available, notification must be made to the UW System Director of Information Security/Chief Information Security Officer (CISO). Required reporting elements, to the extend known, include:
- date of incident;
- date of discovery;
- type of incident (examples include but are not limited to fraud, data breach/exposure, theft, malware, phishing, etc);
- estimated number of individuals impacted and/or records exposed/breached; and
- a short description of what occurred.
- (See the IS IR Plan for a complete list of incident details to report.)
- Follow-up written notification to the UW System Office of Information Security is required within three (3) business days of discovery. Notification must include above reporting elements in addition to designation of an incident commander, periodicity of planned communication to UW System Administration, updated incident information, and next steps including any anticipated request for assistance.
- The Traffic Light Protocol (TLP) must be used for all written correspondence. See the link here for TLP details.
- Threat intelligence must be shared with other UW institutions as prescribed in the UW System IS IR Plan.
- Once the closure criteria outlined in the UW System IS IR Plan are met, institutions must communicate the closure date to the UW System Office of Information Security.
- Once an incident is closed, institutions must submit a Final Findings Report as prescribed in the UW System IS IR Plan.
- The UW System Office of Information Security must maintain a record of all confirmed IS incidents and their resolutions.
- Each Chancellor, or designee, and the UW System Vice President for Administration or central administration designee must review their organization’s IS incident events on a quarterly basis.
- Each Chancellor, or designee, and the UW System Vice President for Administration or central administration designee must conduct an annual IS IR tabletop exercise. A brief summary of the event, including lessons learned must be documented.
7. Related Documents
8. Policy History
Revision 3: April 22, 2020
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review