1. Purpose and Background
The University of Virginia’s Information Security of University Technology Resources policy establishes the requirement to report information security incidents to appropriate University officials so proper and timely response procedures can be initiated. Such reporting addresses particularly serious incidents, such as violations of confidentiality or integrity of sensitive University data, in order to:
- document and investigate incidents;
- address incidents in a consistent manner and in accordance with data disclosure notification laws which require that the subject of the data (e.g., a patient, research subject, or credit cardholder) be informed of the incident;
- mitigate any harmful effects of the incident; and
- identify and implement measures to prevent recurrence of the incident.
Reporting also enhances awareness of troublesome trends in security incidents that indicate the need for adjustments in the University’s overall security program. This standard applies to all users of University Information Technology (IT) resources.
Reporting an Incident
All users of University IT resources are required to report information security incidents to appropriate University officials within one (1) hour from the time the incident is identified, following the procedures outlined in the Reporting an Information Security Incident Procedures document. Of particular concern are incidents involving a device hosting sensitive and legally protected data. Lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction.
Note: Non-Information Security Office personnel overseeing or owning technology resources who are notified of a potential information security incident must notify the appropriate security office via the online form and should follow the instructions provided in Information Security Incident Report Guidance for Technology Professionals.
The University Information Security and the Health IT Security offices are responsible for responding to information security incidents. In addition to following up on reported incidents, these offices may monitor IT resources for potentially malicious and/or harmful activity and take action deemed necessary based on detected activity or in order to enforce a University policy. Upon receipt of the report, the appropriate security office will inform all appropriate University officials as necessary.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Information Security of University Technology Resources (IRM-004)
- Reporting an Information Security Incident Procedures
- Information Security Incident Response Guidelines for IT Professionals
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.