Original Issuance Date: September 14, 2016
Last Revision Date: November 11, 2022
1. Policy Purpose
The purpose of this policy is to establish the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration. It applies to all IS incidents that threaten the confidentiality, integrity, and availability of UW System institutions’ electronic information assets, as well as their systems, networks, and media that collect, process, store, and deliver such information. It is applicable to all individuals and/or organizations that perform functions in support of the institutions.
The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure effective and consistent information security incident response procedures throughout the UW System.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
- Low Risk
- Moderate Risk
- High Risk
6. Policy Statement
A. Reportable Incidents
Any incident that meets medium or higher cyber incident severity criteria as outlined in the UW System IS Incident Response (IR) Plan must be reported. Qualifying incidents include, but are not limited to:
- All ransomware incidents;
- Any incident involving unauthorized access, modification, or deletion of moderate or high risk data, including the theft or loss of computers, devices, or media (university owned or personally owned) containing moderate or high risk data;
- Successful penetration of a trusted network by an unauthorized actor;
- Vendor breaches for software or services used to process or store moderate or high risk data, wherein the institution received official breach notification correspondence from the vendor related to the breach;
- Widespread denial of service attack;
- Observed or suspected physical intrusion into secure areas processing or storing moderate or high risk data;
- Widespread instances of malware not handled by applicable defensive software;
- Any other incident involving the reasonable likelihood of compromise of moderate
or high risk data or malicious cyber activity that could reasonably be expected to cause significant UW reputational harm.
B. Required Actions
The following are required actions when it is determined that an IS incident has likely
occurred. Specific procedures are outlined in the UW System IR Plan. The UW System IR Plan will be exercised for any multi-institution IS incident and/or when UW System leads an enterprise-wide IS incident response.
- UW System employees who suspect that an IS incident has likely occurred must report it to their organization’s Information Security lead and Chief Information Officer. Individuals involved in IS incidents must cooperate with investigation teams and provide access to all impacted UW System assets. Depending on the severity and breadth of the incident, investigation teams may be comprised of local IT personnel, representatives from UW System Administration, external forensic teams, and/or law enforcement. In situations involving personally owned information technology assets, cooperation and access to the personally owned device may be necessary to ensure university owned data have not been compromised.
- Written initial notification to the Office of Information Security
(email@example.com) is required within one (1) business day of discovery, if a confirmed incident meets reportable criteria outlined above. Required reporting elements, to the extent known, include:
- Date of incident;
- Date of discovery;
- Type of incident (examples include but are not limited to fraud, data breach/exposure, theft, malware, phishing, etc.);
- Estimated number of individuals impacted and/or records exposed/breached; and
- A short description of what occurred.
- See the UW System IS IR Plan for a complete list of incident details to report.
- Follow-up written notification to the UW System Office of Information Security is required within three (3) business days of discovery. Notification must include above reporting elements in addition to designation of an incident commander, periodicity of planned communications to UW System Administration, updated incident information, and next steps including any anticipated request for assistance.
- The Traffic Light Protocol (TLP) must be used for all written correspondence. See the link here for TLP details.
- Threat intelligence must be shared with other UW institutions as prescribed in the UW System IS IR Plan.
- Once the closure criteria outlined in the UW System IS IR Plan are met, institutions must communicate the closure date to the UW System Office of Information Security.
- Once an incident is closed, institutions must submit a Final Findings Report as prescribed in the UW System IS IR Plan.
- The UW System Office of Information Security must maintain a record of all confirmed IS incidents and their resolutions.
- Each Chancellor, or designee, and the UW System Vice President for Finance and Administration or central administration designee must review their organization’s IS incident events on a quarterly basis.
C. Tabletop Exercises
Each Chancellor, or designee, and the UW System Vice President for Finance and Administration, or central administration designee, must conduct an annual IS IR tabletop exercise. A brief summary of the event, including lessons learned must be documented.
D. Foundation IR Plans
Each University of Wisconsin campus IS Designee is responsible for working with their associated Foundation(s) to establish and maintain a joint IR Plan. The plan must, at a minimum, clearly define roles and responsibilities between the institution and the Foundation(s) regarding who is responsible for remediating incidents.
7. Related Documents
8. Policy History
Revision 7: November 11, 2022
Revision 6: August 23, 2022
Revision 5: July 7, 2021
Revision 4: November 13, 2020
Revision 3: April 22, 2020
Revision 2: January 9, 2019
Revision 1: July 31, 2017
First approved: September 14, 2016
9. Scheduled Review