Administrative Policy Statement
2.5
Information Security and Privacy Incident Management Policy
(Approved by the Chief Health System Officer, UW Medicine and Vice President for Medical Affairs by authority of Executive Order No. 1; the Provost and Executive Vice President by authority of Executive Order No. 4; and the Vice President and Vice Provost for UW Information Technology by authority of Executive Order No. 63)
1. Purpose
This policy describes the process used by the University of Washington (University) for assessing, responding to, and managing information security and privacy incidents (hereafter "incidents"). Incidents include unauthorized access, disclosure, modification, destruction, availability, etc. of institutional information, information systems, computerized devices, or infrastructure technology.
2. Scope
This policy applies to incidents involving institutional information, information systems, computerized devices, or infrastructure technology either managed by the University or by a third party on behalf of the University and pursuant to a written agreement.
3. Incident Management Process
| a. | High Level Incident
Management Process Flow and Oversight Figure 1 illustrates the high level incident management process flow and is described in the sections below. |
||||||||||||||||||||
 |
|||||||||||||||||||||
| The Managerial Group for Classified Research
and Contracts provides oversight and direction for incidents
involving national security information or
national security systems. The University
Privacy Official and University Chief
Information Security Officer provide oversight and direction for
incidents unrelated to national security information or national
security systems. |
|||||||||||||||||||||
| b. |
Obligation to Report and Assist Workforce members shall promptly report potential incidents as follows.
Workforce members and third parties shall provide full assistance with the investigation of any potential incident. |
||||||||||||||||||||
| c. | Analysis and
Assessment Based on the type of incident, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the offices in Figure 2 below to lead the analysis and assessment of a potential incident. The designated offices shall analyze and assess a potential incident to determine whether an actual incident occurred.
Figure 2. Designated Offices for
Analysis and Assessment of Potential Incidents The designated office will engage other designated offices or areas of the University (e.g., UW Medicine Information Technology Services), as appropriate, in the analysis of potential incidents. Only authorized persons will be made aware of potential incidents involving national security information or national security systems until such incidents are contained. Each designated office shall develop, maintain, and follow an incident response plan that defines its procedures for analyzing and assessing a potential incident. Incident response plans shall address, at minimum, information described in Figure 3 below. The University Chief Information Security Officer, the University Privacy Official, and the University Facility Security Officer shall review and approve the incident response plans. |
||||||||||||||||||||
|
|||||||||||||||||||||
Figure 3. Minimum Elements of an Incident Response Plan |
|||||||||||||||||||||
| Concurrent with the analysis and assessment,
the designated office for the potential incident shall take appropriate measures,
working where it deems appropriate with information assurance liaisons, system owners,
or system operators, to obtain and preserve the necessary evidence associated with
the incident, evaluate risks, and mitigate additional risk
as practical. If the designated office determines that an incident actually occurred, it shall conduct a risk assessment based on the sensitivity of the institutional information, impact to users, and criticality of the information system, computerized devices, or infrastructure technology to determine whether an incident should be referred to the designated officials in Section 3.d below. |
|||||||||||||||||||||
| d. | Incident Management
Based on the type of incident, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the officials in Figure 4 below to lead the incident management team.
Figure 4. Designated Official for Incident Management The designated officials will engage other designated officials, as appropriate, in the management of incidents. The designated official shall assign an incident manager and assemble an incident management team that may include, but is not limited to, the following individuals or expertise:
|
||||||||||||||||||||
| e. | Notification
Notification of an incident shall be made as directed by the incident management team, and shall be carried out in accordance with applicable legal, regulatory, or contractual requirements. The incident manager shall facilitate any notification to parties outside the University. |
||||||||||||||||||||
| f. | Document–Incident
Summary The incident management team shall prepare a written incident summary for each incident. The Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer shall perform an annual analysis of these summaries to identify trends. |
||||||||||||||||||||
| g. | Remediation Remediation means efforts to address harm caused by the incident, if any, and efforts to address issues that led to the incident. Remediation may begin at any time, as appropriate, during the incident management process, provided evidence is preserved. If an incident actually occurred and an incident management team is convened, the designated official shall review and approve all proposed remediation actions. The designated official may also require the departmental unit(s) involved in the incident to develop a formal remediation plan. If an incident did not occur and an incident management team was not convened, the Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer have designated the offices and process described in Section 3.c to determine whether remediation is appropriate, and if so, the scope of any such effort. |
||||||||||||||||||||
4. Disclosure Limitations
Care shall be taken in handling evidence and information related to incidents in order to comply with federal or state laws that limit disclosure—e.g., Health Information Portability and Accountability Act (HIPAA) and Family Education Rights and Privacy Act (FERPA).
Documentation related to the incident may include information regarding the infrastructure and security of computer and telecommunications networks, security recovery plans, and security risk assessments; or, may include information for which disclosure is prohibited by federal law. As a result, incident-related information may be exempt from public disclosure (see, RCW 42.56.420).
5. Policy Maintenance
The Managerial Group for Classified Research and Contracts, University Privacy Official, and University Chief Information Security Officer shall review this policy statement at least every three years or more frequently as needed to respond to changes in the regulatory environment. The Office of the University Chief Information Security Officer shall manage the review process.
6. Additional Information
For further information on this policy or to report an incident contact:
-
University Office of the Chief Information Security Officer
- Phone: 206–685–0116 or 206–221–7000
- Email: ciso@uw.edu or security@uw.edu
- Phone: 206–543–3098
- Email: comply@uw.edu
- Phone: 206–543–1315
- Email: uwfso@uw.edu
November 4, 2011.