Incidental discovery is happening upon a vulnerability in an unplanned or circumstantial manner, not as part of a plan or intention to uncover or explore a vulnerability.
Individual-use electronic devices, as defined in the UVA Policy: IRM-003: Data Protection of University Information, are: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones, and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.
Individual-use electronic media, as defined in the UVA Policy: IRM-003: Data Protection of University Information, are: all media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and any externally attached storage devices (e.g., thumb drives).
Any event that, regardless of accidental or malicious cause, results in:
- disclosure of University data to someone unauthorized to access it,
- unauthorized alteration of University data,
- loss of data which the University is legally or contractually bound to protect or which support critical University functions,
- disrupted information technology service,
- a violation of the University’s information security policies.
Examples of such incidents include, but are not limited to:
- Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, Protected Health Information (PHI), research data, etc.
- Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
- Defacement of a University website.
- Unauthorized use of a computing account.
- Use of information technology resources for unethical or unlawful purposes (incidents involving employees and pornography should be reported directly to University Human Resources).
- Contact from the FBI, Secret Service, Department of Homeland Security or other law enforcement organizations regarding a University electronic device that may have been used to commit a crime.
Information Technology (IT) resources, as defined in UVA policy, IRM-002: Acceptable Use of the University’s Information Technology Resources, are: All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
- Electronic data storage devices including, but not limited to: internal and external storage devices (e.g., solid state and hard drives, USB thumb drives, Bluetooth connected storage devices), magnetic tapes, diskettes, CDs, DVDs;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
Gathering information and initial fact-finding to determine whether an allegation or apparent instance of research misconduct warrants an investigation.
Intentional testing consists of purposeful actions undertaken to discover or reveal a vulnerability. It does not include exploiting or exploring a vulnerability.
Internal Use Data, as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but is also not intentionally made public (see the definition of public data). Examples may include salary information, contracts, and specific email correspondence not otherwise protected by a FOIA exemption. For a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act.
The formal examination and evaluation of all relevant facts to determine if misconduct has occurred, and, if so, to determine the responsible person and the seriousness of the misconduct.
Report an Information
Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.