(Approved by the Chief Privacy Officer, Chief Health System Officer for UW Medicine, and Vice President for Medical Affairs by authority of Executive Order No. 1; the Provost and Executive Vice President by authority of Executive Order No. 4; the Vice President for Finance and Facilities by authority of Administrative Order No. 9; and the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)
This policy establishes the requirement that all University of Washington employees, trainees, students, volunteers, and other entities or persons who perform work for the University (hereafter "workforce members") are obligated to report information security and privacy incidents (hereafter "incidents") to the appropriate individuals with delegated authority as identified below.
For the purpose of this policy an incident is any event that adversely affects the confidentiality, integrity, or availability of information that is created, received, maintained, or transmitted by the University.
This policy also describes the required program elements used by the University for assessing, responding to, and managing incidents.
This policy applies to:
Workforce members must promptly report potential incidents to the appropriate individual with delegated authority using the contact information referenced in the table below in Section 4. At the direction of the individual with delegated authority, or his or her designee, workforce members must provide full assistance as needed with the incident management processes.
On behalf of the institution, the following individuals are responsible for the oversight, direction, and decisions related to investigations and notifications:
|Delegated Authority for Information Security and Privacy Incidents||Area of Responsibility||Contact Information|
|University Chief Information Security Officer and Associate Vice President, UW Information Technology||All information, information systems, and infrastructure technology except for the areas specifically listed below||Phone: 206-685-0116
Email: firstname.lastname@example.org or email@example.com
|Executive Director, Health Sciences Administration and Chief Privacy Officer for Health Sciences Healthcare Components||Protected health information (PHI) for healthcare clinics other than UW Medicine Healthcare Components||Phone: 206-543-7202
|Chief Compliance Officer, UW Medicine, Associate Vice President Medical Affairs, UW and Chief Privacy Officer for UW Medicine Healthcare Components||PHI for UW Medicine Healthcare Components||Phone: 206-543-3098
|Assistant Director of Regulatory Affairs, Human Subjects Division, Office of Research||Human Subject Information||Phone: 206-543-0098
|Empowered Official, Office of Research||Unclassified information that does not meet the standards for national security classification, but is pertinent to the national interests of the United States, and requires, under law or policy, protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.||Phone: 206-543-4043
Each individual with delegated authority for incidents is responsible for developing, maintaining, and following an incident management process. Such processes must define procedures for preparing for an incident and address, at minimum, the following elements:
The individual with delegated authority for incidents, or a designee, is responsible for managing the incident and consulting with or assembling subject matter experts or institutional officials as necessary.
Identification and Preservation of
The individual with delegated authority for incidents, or designee, is responsible for gathering initial information to determine if an incident has occurred. During this initial assessment the individual with delegated authority for incidents, or designee, must monitor and execute the steps needed to preserve evidence, forensic integrity, and chain of custody.
If an incident has occurred, the individual with delegated authority for incidents, or designee, must proceed with the subsequent sections of this policy and documented processes.
If an incident has not occurred, the individual with delegated authority for the incidents, or designee, must document the decision and assessment criteria used, and provide appropriate notification to involved parties.
The individual with delegated authority for incidents, or designee, is responsible for assessing the data involved, the risk to the institution, and the potential harm to the individuals the University serves. The individual with delegated authority for incidents, or designee, is responsible for engaging other areas of the University during the assessment process, as needed, to determine:
Based on the risk assessment the individual with delegated authority for incidents, or designee, is responsible for taking containment actions to stop harm caused by the incident, if any. This may mean temporarily taking systems, services, or websites off-line.
|E.||Communication and Notification
Communication and notification to persons or third parties affected by an incident will be made as directed by the individual with delegated authority for incidents, or designee, and are to be carried out in accordance with applicable legal, regulatory, or contractual requirements.
This includes, but is not limited to:
Efforts to address the weakness that caused the incident or mitigate the root cause of the incident may begin at any time, as appropriate, during the incident management process, provided evidence is preserved. The individual with delegated authority for incidents, or designee, may also require the departmental unit(s) involved in the incident to develop a remediation plan or present to the PASS Council the status of the remediation efforts.
Once evidence is preserved and the immediate actions have been taken to address the incident, the organizational area(s) involved in the incident may begin restoring the affected systems or services back to an operational state.
For all incidents, the individual with delegated authority for incidents, or designee, must prepare a written summary that includes the pertinent details of the incident and serves as the final and official record for the University to be maintained according to the records retention schedule.
Care must be taken in handling evidence and communicating information related to incidents in order to comply with applicable public record exemptions and federal or state laws that limit disclosure.
At least every three years, or more frequently as needed to respond to changes in the regulatory environment, the University Chief Information Security Officer will review and revise this policy statement in collaboration with other individuals with delegated authority for incidents.
For further information on this policy, contact the Office of the Chief Information Security Officer:
November 4, 2011; January 7, 2016.