Information Security Incident Reporting Policy

  1. Purpose

    This policy serves to minimize the negative consequences of information security incidents and to improve the University’s ability to promptly restore operations affected by such incidents. It ensures incidents are promptly reported to the appropriate University officials, that they are consistently and expertly responded to, and that serious incidents [1] are properly monitored.

  2. Policy

    1. Users of University Information Resources:
      1. Users of University information technology resources must promptly report all information security incidents to their unit information security coordinator.
    2. Information Security Coordinators:
      1. Except as noted below, information security coordinators must promptly report all serious incidents (whether reported to them or identified by them) to Information Technology Security Services (ITSS).
        1. If an incident involves any protected health information (PHI), information security coordinators must report the incident to the University HIPAA Officer.
        2. If an incident involves any human subject research information and has not already been reported to the University HIPAA Officer, information security coordinators must report the incident to the Office of the Vice President for Research (OVPR).
      2. The University HIPAA Officer and OVPR will inform ITSS of serious incidents reported to them, except for those incidents that involve unethical or unacceptable behavior as described in SPG 601.07.
      3. Incidents must be reported by users or by information security coordinators as soon as possible, and no later than 24 hours after the incident is identified or initially reported.
      4. Information security coordinators will evaluate and respond to information security incidents in accordance with University and unit policies and procedures, including the Information Security Incident Management Guidelines [2].
      5. Information security coordinators will develop and implement unit-level policies, procedures, communications, and education programs that are consistent with University-wide policies and procedures.
    3. Privacy and Confidentiality of Sensitive Information:
      1. When University staff report, track, and respond to information security incidents, they must protect and keep confidential any sensitive information.
      2. Tracked incident data will exclude any sensitive information that is not required for incident response, analysis, or by law, regulation, or University policy.

  3. Definitions

    1. An information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operation; or violation of explicit or implied acceptable usage policy (as defined in SPG 601.07). Examples of information security incidents include (but are not limited to):
      1. Computer security intrusion
      2. Unauthorized use of systems or data
      3. Unauthorized change to computer or software
      4. Loss or theft of equipment used to store private or potentially sensitive information
      5. Denial of service attack
      6. Interference with the intended use of information technology resources
      7. Compromised user account

      While this definition covers numerous potential and actual incidents, the requirement for central incident reporting is aimed at serious incidents as defined below.

    2. A serious incident is an incident that may pose a threat to University resources, stakeholders, and/or services. Specifically, an incident is designated as serious if it meets one or more of the following criteria:
      1. Involves potential unauthorized disclosure of sensitive information (as defined below)
      2. Involves serious legal issues
      3. May cause severe disruption to critical services
      4. Involves active threats
      5. Is widespread
      6. Is likely to raise public interest
    3. Sensitive information is defined in SPG 601.12 as information whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services, or individuals. Information protected under federal or state regulations, or due to proprietary, ethical, or privacy considerations, will typically be classified as sensitive. Sensitive information includes personally identifiable information such as protected health information (PHI), social security numbers, credit card numbers, and any other information designated as sensitive by the University Data Stewards.
    4. An information security coordinator is a University department, a departmental unit, or an individual staff person or faculty member that has been designated by the unit dean or director to act as the unit information security coordinator. The information security coordinator may be the unit information technology service provider, the unit security officer, or any other individual or department within or outside a given University unit that is so designated by the unit.

  4. Contacts

    Notes:

    1. If the unit information security coordinator is not known, reporting to ITSS is required.
    2. The University HIPAA Officer is the designated information security coordinator and security officer for the Health System.
  5. References

1  Words that appear in italics are defined in Section III, Definitions.

2  See section V, References.

SPG number: 601.25
Date issued: July 10, 2006
Next review date: July 10, 2010
Applies to: All Faculty and Staff
Owner: Office of the Executive Vice President and Chief Financial Officer, the Office of the Provost and Executive Vice President for Academic Affairs, and the Office of the Executive Vice President for Medical Affairs
Primary Contact: Office of the Executive Vice President and Chief Financial Officer, the Office of the Provost and Executive Vice President for Academic Affairs, and the Office of the Executive Vice President for Medical Affairs