Policy

Original Issuance Date:                September 14, 2016

Last Revision Date:                        May 29, 2024

1. Policy Purpose

The purpose of this policy is to establish the minimum requirements to report an Information Security (IS) incident throughout the University of Wisconsin (UW) System and the subsequent required actions by the institutions when an incident occurs.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration. It applies to all IS incidents that jeopardize the confidentiality, integrity, or availability of UW System institutions’ electronic information assets, as well as their systems, networks, and media that collect, process, store, and deliver such information. It is applicable to all individuals and/or organizations that perform functions in support of the institutions.

4. Background

The President of the University of Wisconsin System is empowered to establish information security polices under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure effective and consistent information security incident response procedures throughout the UW System.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • Moderate Risk
  • High Risk

6. Policy Statement

A. Reportable Incidents

Any incident that meets medium or higher cyber incident severity criteria as outlined in the UW System IS Incident Response (IR) Plan must be reported. Qualifying incidents include, but are not limited to:

  1. Any ransomware events resulting in the encryption of data or systems;
  2. Any incident involving unauthorized access, modification, or deletion of moderate or high risk data;
  3. The theft or loss of computers, devices, or media (university-owned or personally owned) containing high risk data;
  4. Successful penetration of a trusted network by an unauthorized actor;
  5. Vendor breaches for software or services used to process or store moderate or high risk data, wherein the institution received official breach notification correspondence from the vendor related to the breach;
  6. Denial of Service attacks that noticeably impact service availability;
  7. Observed or suspected physical intrusion into secure areas processing or storing moderate or high risk data;
  8. Widespread instances of malware not handled by applicable defensive software; and
  9. Any other incident involving the reasonable likelihood of compromise of moderate or high risk data or malicious cyber activity that could reasonably be expected to cause significant UW reputational harm.

B. Required Actions for Reportable Incidents

The following are required actions when it is determined that an IS incident has likely occurred. Specific procedures are outlined in the UW System IR Plan. The UW System IR Plan will be exercised for any multi-institution IS incident and/or when UW System leads an enterprise-wide IS incident response.

  1. UW System employees who suspect that an IS incident has likely occurred must report it to their organization’s Information Security lead and Chief Information Officer. Individuals involved in IS incidents must cooperate with investigation teams and provide access to all impacted UW System assets. Depending on the severity and breadth of the incident, investigation teams may be comprised of local IT personnel, representatives from UW System Administration, external forensic teams, and/or law enforcement. In situations involving personally owned information technology assets, cooperation and access to the personally owned device may be necessary to ensure university owned data has not been compromised.
  2. Notification to the UW System Office of Information Security is required within one (1) business day of discovery, if a confirmed incident meets reportable criteria outlined above. Notification must follow reporting protocols set forth by the UW System Office of Information Security as described in UW System Incident Reporting Protocol. Required reporting elements, to the extent known, include:
    1. Date of incident;
    2. Date of discovery;
    3. Type of incident (examples include but are not limited to fraud, data breach/exposure, theft, malware, phishing, etc.);
    4. Estimated number of individuals impacted and/or records exposed/breached; and
    5. A short description of what occurred.

See the IS IR Plan for a complete list of incident details to report.

III.  Follow-up notification to the UW System Office of Information Security is required within three (3) business days of discovery. Notification must include above reporting elements in addition to designation of an incident commander, periodicity of planned communications to UW System Administration, updated incident information, and next steps including any anticipated request for assistance.

IV.   The Traffic Light Protocol (TLP) must be used for all written correspondence. See the link here for TLP details.

V.   Threat intelligence must be shared with other UW institutions as prescribed in the UW System IS IR Plan.

VI.   Once the closure criteria outlined in the UW System IS IR Plan are met, institutions must communicate the closure date to the UW System Office of Information Security.

VII.   Once an incident is closed, institutions must submit a Final Findings Report as prescribed in the UW System IS IR Plan.

VIII.  The UW System Office of Information Security must maintain a record of all confirmed IS incidents and their resolutions.

IX.   Each Chancellor, or designee, and the UW System Vice President for Finance and Administration or central administration designee must review their organization’s IS incident events on a quarterly basis.

C. Tabletop Exercises

Each Chancellor, or designee, and the UW System Vice President for Finance and Administration, or central administration designee, must conduct an annual IS IR tabletop exercise. A brief summary of the event, including lessons learned must be documented.

D. Foundation IR Plans

Each University of Wisconsin campus IS Designee is responsible for working with their associated Foundation(s) to establish and maintain a joint IR Plan. The plan must, at a minimum, clearly define roles and responsibilities between the institution and the Foundation(s) regarding who is responsible for remediating incidents.

7. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Administrative Policy 1031, Information Security: Data Classification

UW System Information Security Program

UW System Information Security Incident Response Plan

UW System Incident Reporting Protocol

8. Policy History

Revision 8:                   May 29, 2024

Revision 7:                   November 11, 2022

Revision 6:                   August 23, 2022

Revision 5:                   July 7, 2021

Revision 4:                   November 13, 2020

Revision 3:                   April 22, 2020

Revision 2:                   January 9, 2019

Revision 1:                   July 31, 2017

First approved:         September 14, 2016

9. Scheduled Review

July 2026