Reporting an Information Security Incident Standard

Table of Contents

1.  Purpose and Background
2.  Standard
     a) Reporting an Incident
3.  Definitions
4.  Related Links
5.  Exceptions

1. Purpose and Background

The University of Virginia’s Information Security of University Technology Resources policy establishes the requirement to report information security incidents to appropriate University officials so proper and timely response procedures can be initiated.  Such reporting addresses particularly serious incidents, such as violations of confidentiality or integrity of sensitive University data, in order to:

  • document and investigate incidents;
  • address them in a consistent manner and in accordance with data disclosure notification laws, which require that the data subject (e.g., a patient, research subject, or credit cardholder) be informed of the incident;
  • mitigate any harmful effects of the incident; and
  • identify and implement measures to prevent recurrence of the incident.

Reporting also enhances awareness of troublesome trends in security incidents that indicate the need for adjustments in the University’s overall security program. This standard applies to all users of University Information Technology (IT) resources.

2. Standard

Reporting an Incident

All users of University IT resources are required to report information security incidents to appropriate University officials within one (1) hour from the time the incident is identified, following the procedures outlined in the Reporting an Information Security Incident Procedures document. Of particular concern are incidents involving a device hosting sensitive and legally protected data. Lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction.

Note: Non-Information Security Office personnel overseeing or owning technology resources who are notified of a potential information security incident must notify the appropriate security office via the online form and should follow the instructions provided in Information Security Incident Report Guidance for Technology Professionals.

The University Information Security and the Health IT Security offices are responsible for responding to information security incidents. In addition to following up on reported incidents, these offices may monitor IT resources for potentially malicious and/or harmful activity and take action deemed necessary based on detected activity or in order to enforce a University policy. Upon receipt of the report, the appropriate security office will inform all appropriate University officials as necessary.

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

4. Related Links

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

APPROVER: Chief Information Officer