University of Washington Policy Directory

*Formerly part of the University Handbook
Administrative Policy Statement 2.5



Information Security and Privacy Incident Management Policy

(Approved by the Chief Health System Officer, UW Medicine and Vice President for Medical Affairs by authority of Executive Order No. 1; the Provost and Executive Vice President by authority of Executive Order No. 4; and the Vice President and Vice Provost for UW Information Technology by authority of Executive Order No. 63)



1.  Purpose

This policy describes the process used by the University of Washington (University) for assessing, responding to, and managing information security and privacy incidents (hereafter "incidents"). Incidents include unauthorized access to, or unauthorized disclosure, modification, destruction, or loss of availability of, institutional information, information systems, computerized devices, or infrastructure technology.

2.  Scope

This policy applies to incidents involving institutional information, information systems, computerized devices, or infrastructure technology either managed by the University or by a third party on behalf of the University and pursuant to a written agreement.

3.  Incident Management Process

  a. High Level Incident Management Process Flow and Oversight

Figure 1 illustrates the high level incident management process flow and is described in the sections below.



    The Managerial Group for Classified Research and Contracts provides oversight and direction for incidents involving national security information or national security systems. The University Privacy Official and University Chief Information Security Officer provide oversight and direction for incidents unrelated to national security information or national security systems.

  b. Obligation to Report and Assist

Workforce members shall promptly report potential incidents to the offices listed in Section 6 below.

Third parties that are contractually bound to limit the access, use, or disclosure of institutional information, information systems, computerized devices, or infrastructure technology shall promptly report potential incidents to the University employee who authorized their access, use, or disclosure.

Workforce members and third parties shall provide full assistance with the investigation of any potential incident.

  c. Analysis and Assessment

Based on the type of incident, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the offices in Figure 2 below to lead the analysis and assessment of a potential incident.

The designated offices shall analyze and assess a potential incident to determine whether an actual incident occurred.

Analysis and Assessment of Potential Incidents

  Designated Office:    Office of Research, University Facility Security Officer
  Type of Incident:     National security information or national security systems
  Organizational Area:  All areas of the University

  Designated Office:    UW Medicine Compliance
  Type of Incident:     Protected health information
  Organizational Area:  All areas of the University

  Designated Office:    Office of the University Chief Information Security Officer
  Type of Incident:     All incidents unrelated to national security information, national security systems, or protected health information
  Organizational Area:  All areas of the University

Figure 2. Designated Offices for Analysis and Assessment of Potential Incidents

The designated office will engage other designated offices or areas of the University (e.g., UW Medicine Information Technology Services), as appropriate, in the analysis of potential incidents. Only authorized persons will be made aware of potential incidents involving national security information or national security systems until such incidents are contained.

Each designated office shall develop, maintain, and follow an incident response plan that defines its procedures for analyzing and assessing a potential incident. Incident response plans shall address, at minimum, information described in Figure 3 below. The University Chief Information Security Officer, the University Privacy Official, and the University Facility Security Officer shall review and approve the incident response plans.

Incident Response Plan Elements
  1. Documentation
  2. Preserving evidence and chain of custody
  3. Analysis and assessment
  4. Referral and communication to designated official
  5. Containment
  6. Remediation
  7. Reporting

Figure 3. Minimum Elements of an Incident Response Plan

  Concurrent with the analysis and assessment, the designated office for the potential incident shall take appropriate measures, working where it deems appropriate with information assurance liaisons, system owners, or system operators, to obtain and preserve the necessary evidence associated with the incident, evaluate risks, and mitigate additional risk as practical.

If the designated office determines that an incident actually occurred, it shall conduct a risk assessment based on the sensitivity of the institutional information, impact to users, and criticality of the information system, computerized devices, or infrastructure technology to determine whether an incident should be referred to the designated officials in Section 3.d below.

  d. Incident Management

Based on the type of incident, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the officials in Figure 4 below to lead the incident management team.

Management of Incidents

  Designated Official:  University Facility Security Officer or his or her designee
  Type of Incident:     National security information or national security systems
  Organizational Area:  All areas of the University

  Designated Official:  Chief Privacy Officer for the non-UW Medicine components of the hybrid entity or his or her designee
  Type of Incident:     Protected health information (PHI)
  Organizational Area:  Non-UW Medicine healthcare components of the University

  Designated Official:  Chief Privacy Officer for UW Medicine or his or her designee
  Type of Incident:     Protected health information (PHI)
  Organizational Area:  UW Medicine

  Designated Official:  University Chief Information Security Officer or his or her designee
  Type of Incident:     All incidents unrelated to national security information, national security systems, or protected health information
  Organizational Area:  All areas of the University

Figure 4. Designated Official for Incident Management

The designated officials will engage other designated officials, as appropriate, in the management of incidents.

The designated official shall assign an incident manager and assemble an incident management team that may include, but is not limited to, the following individuals or expertise:

  • University Privacy Official or his or her designee

  • University Chief Information Security Officer

  • University Facility Security Officer

  • Entity or school compliance officer

  • Executive director, Risk Management or director, Health Sciences Risk Management

  • Executive director of Internal Audit

  • Legal counsel with the Attorney General's Office

  • Representatives from Media Relations and Communications or UW Medicine News and Community Relations

  • University-empowered official for export control

  • Export compliance specialist

  • Data trustee or data custodian

  • Executive heads of major University organizations

  • Director, Human Subjects Division

  • Associate Vice President, Advancement Services, University Advancement or Associate Vice President and Chief Advancement Officer, UW Medicine Advancement

  • University's subject matter experts on information security and privacy laws or regulations related to the incident.

The incident management team shall:

  • Review the initial analysis and assessment to determine the potential impact of the incident;

  • Assign additional resources, as needed, for further investigation and forensic analysis;

  • Develop and implement a plan to communicate within the University about the incident. The communication plan shall specify the recipients, content, and methods of communication; and

  • Determine whether notification of the incident to parties outside the University is necessary.

  e. Notification

Notification of an incident shall be made as directed by the incident management team, and shall be carried out in accordance with applicable legal, regulatory, or contractual requirements. The incident manager shall facilitate any notification to parties outside the University.

  f. Document–Incident Summary

The incident management team shall prepare a written incident summary for each incident. The Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer shall perform an annual analysis of these summaries to identify trends.



  g. Remediation

Remediation means efforts to address harm caused by the incident, if any, and efforts to address issues that led to the incident.

Remediation may begin at any time, as appropriate, during the incident management process, provided evidence is preserved.

If an incident actually occurred and an incident management team is convened, the designated official shall review and approve all proposed remediation actions. The designated official may also require the departmental unit(s) involved in the incident to develop a formal remediation plan.

If an incident did not occur and an incident management team was not convened, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the offices and process described in Section 3.c to determine whether remediation is appropriate, and if so, the scope of any such effort.

4.  Disclosure Limitations

Care shall be taken in handling evidence and information related to incidents in order to comply with federal or state laws that limit disclosure, e.g., the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

Documentation related to the incident may include information regarding the infrastructure and security of computer and telecommunications networks, security recovery plans, and security risk assessments; or it may include information for which disclosure is prohibited by federal law. As a result, incident-related information may be exempt from public disclosure (see RCW 42.56.420).

5.  Policy Maintenance

The Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer shall review this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment. The Office of the University Chief Information Security Officer shall manage the review process.

6.  Additional Information

For further information on this policy or to report an incident, contact:

  University Office of the Chief Information Security Officer
  • Phone: 206–685–0116 or 206–221–7000
  • Email: ciso@uw.edu or security@uw.edu

  UW Medicine Compliance
  • Phone: 206–543–3098
  • Email: comply@uw.edu

  Office of Research, University Facility Security Officer
  • Phone: 206–543–1315
  • Email: uwfso@uw.edu

November 4, 2011.