University of Washington Policy Directory

*Formerly part of the University Handbook
Administrative Policy Statement
2.5



Information Security and Privacy Incident Reporting and Management Policy

(Approved by the Chief Privacy Officer, Chief Health System Officer for UW Medicine, and Vice President for Medical Affairs by authority of Executive Order No. 1; the Provost and Executive Vice President by authority of Executive Order No. 4; the Vice President for Finance and Facilities by authority of Administrative Order No. 9; and the Vice President for UW Information Technology and Chief Information Officer by authority of Executive Order No. 63)



1.  Purpose

This policy establishes the requirement that all University of Washington employees, trainees, students, volunteers, and other entities or persons who perform work for the University (hereafter "workforce members") are obligated to report information security and privacy incidents (hereafter "incidents") to the appropriate individuals with delegated authority as identified below.

For the purpose of this policy an incident is any event that adversely affects the confidentiality, integrity, or availability of information that is created, received, maintained, or transmitted by the University.

This policy also describes the required program elements used by the University for assessing, responding to, and managing incidents.

2.  Scope

This policy applies to:

3.  Incident Management Reporting

Workforce members must promptly report potential incidents to the appropriate individual with delegated authority using the contact information referenced in the table below in Section 4. At the direction of the individual with delegated authority, or his or her designee, workforce members must provide full assistance as needed with the incident management processes.

4.  Incident Management Oversight

On behalf of the institution, the following individuals are responsible for the oversight, direction, and decisions related to investigations and notifications:

Delegated Authority for Information Security and Privacy Incidents: University Chief Information Security Officer and Associate Vice President, UW Information Technology
Area of Responsibility: All information, information systems, and infrastructure technology except for the areas specifically listed below
Contact Information: Phone: 206-685-0116; Email: ciso@uw.edu or security@uw.edu

Delegated Authority for Information Security and Privacy Incidents: Executive Director, Health Sciences Administration and Chief Privacy Officer for Health Sciences Healthcare Components
Area of Responsibility: Protected health information (PHI) for healthcare clinics other than UW Medicine Healthcare Components
Contact Information: Phone: 206-543-7202; Email: hsaea@uw.edu

Delegated Authority for Information Security and Privacy Incidents: Chief Compliance Officer, UW Medicine, Associate Vice President Medical Affairs, UW and Chief Privacy Officer for UW Medicine Healthcare Components
Area of Responsibility: PHI for UW Medicine Healthcare Components
Contact Information: Phone: 206-543-3098; Email: comply@uw.edu

Delegated Authority for Information Security and Privacy Incidents: Assistant Director of Regulatory Affairs, Human Subjects Division, Office of Research
Area of Responsibility: Human Subject Information
Contact Information: Phone: 206-543-0098; Email: hsdinfo@uw.edu

Delegated Authority for Information Security and Privacy Incidents: Empowered Official, Office of Research
Area of Responsibility: Unclassified information that does not meet the standards for national security classification, but is pertinent to the national interests of the United States, and requires, under law or policy, protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
Contact Information: Phone: 206-543-4043; Email: export@uw.edu

5.  Incident Management Process

Each individual with delegated authority for incidents is responsible for developing, maintaining, and following an incident management process. Such processes must define procedures for preparing for an incident and address, at minimum, the following elements:

  A. Assign Incident

The individual with delegated authority for incidents, or a designee, is responsible for managing the incident and consulting with or assembling subject matter experts or institutional officials as necessary.

  B. Identification and Preservation of Evidence

The individual with delegated authority for incidents, or designee, is responsible for gathering initial information to determine if an incident has occurred. During this initial assessment the individual with delegated authority for incidents, or designee, must monitor and execute the steps needed to preserve evidence, forensic integrity, and chain of custody.

If an incident has occurred, the individual with delegated authority for incidents, or designee, must proceed with the subsequent sections of this policy and documented processes.

If an incident has not occurred, the individual with delegated authority for incidents, or designee, must document the decision and the assessment criteria used, and provide appropriate notification to involved parties.

  C. Risk Assessment

The individual with delegated authority for incidents, or designee, is responsible for assessing the data involved, the risk to the institution, and the potential harm to the individuals the University serves. The individual with delegated authority for incidents, or designee, is responsible for engaging other areas of the University during the assessment process, as needed, to determine:

  • Potential legal, regulatory, financial, and reputational risks.

  • The stakeholders and other institutional partnerships that may be required for next steps based on the unique circumstances involved in the incident (e.g., technical, legal, public relations, patient relations, and research compliance).

  D. Containment

Based on the risk assessment the individual with delegated authority for incidents, or designee, is responsible for taking containment actions to stop harm caused by the incident, if any. This may mean temporarily taking systems, services, or websites off-line.

  E. Communication and Notification

Communication and notification to persons or third parties affected by an incident will be made as directed by the individual with delegated authority for incidents, or designee, and are to be carried out in accordance with applicable legal, regulatory, or contractual requirements.

This includes, but is not limited to:

  • Reporting to the Privacy Assurance and Systems Security Council (PASS Council) for risk oversight.

  • Coordinating with the Office of the Chief Information Security Officer (CISO) if the incident management vendor or Special Assistant Attorney General services are needed to assist with the incident.

  • Informing Compliance and Risk Services of the incident and of the involvement of any expenses or third parties, such as the incident management vendor, Special Assistant Attorneys General, or other consultants.

  • Reporting incidents, if required, to the Washington State Attorney General's Office, the federal Office for Civil Rights, Defense Security Services, or other parties.

  • Notifications to media through Media Relations and Communications, University websites, or other venues.

  F. Mitigation

Efforts to address the weakness that caused the incident or mitigate the root cause of the incident may begin at any time, as appropriate, during the incident management process, provided evidence is preserved. The individual with delegated authority for incidents, or designee, may also require the departmental unit(s) involved in the incident to develop a remediation plan or present to the PASS Council the status of the remediation efforts.

  G. Recovery

Once evidence is preserved and the immediate actions have been taken to address the incident, the organizational area(s) involved in the incident may begin restoring the affected systems or services back to an operational state.

  H. Records Management

For all incidents, the individual with delegated authority for incidents, or designee, must prepare a written summary that includes the pertinent details of the incident and serves as the final and official record for the University to be maintained according to the records retention schedule.

6.  Disclosure Limitations

Care must be taken in handling evidence and communicating information related to incidents in order to comply with applicable public record exemptions and federal or state laws that limit disclosure.

7.  Policy Maintenance

At least every three years, or more frequently as needed to respond to changes in the regulatory environment, the University Chief Information Security Officer will review and revise this policy statement in collaboration with other individuals with delegated authority for incidents.

8.  Additional Information

For further information on this policy, contact the Office of the Chief Information Security Officer:

November 4, 2011; January 7, 2016.