Information Technologies

Information Security Event Reporting

Section: Information Technologies Policies
Policy Name: Information Security Event Reporting
Policy Owner: Executive Vice President
Responsible University Office: Information Technologies
Origination Date: December 1, 2021
  1. SCOPE OF POLICYInformation Technology units are responsible for the University’s vast array of information and systems assets and for implementing appropriate proactive protocols to safeguard these assets. The University community must assist in these efforts by reporting potential events that may undermine these safeguards. This policy defines certain potentially negative events involving University Data, IT Services, and IT Systems (all as defined below) and assigns responsibility for reporting and responding to them.
  2. DEFINITIONS
    1. University Data” means any information within the University’s purview, including information that the University may not own but for which the University is held accountable. University Data encompasses all data that pertains to or supports the administration and missions of the University, including research.
    2. IT Services” means the full set of the University-managed or procured information technology services involved in the management of University Data, including those services hosted in the cloud (e.g., Software as a Service).
    3. IT Systems” means the full set of the University-owned or controlled information technology systems and infrastructure involved in managing University Data or supporting University operations, including those systems hosted in the cloud (e.g., Infrastructure as a Service).
    4. Event” means any observable occurrence with potentially negative consequences affecting University Data, IT Services, or IT Systems. Events can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence. An Event can, among other things:
      1. result in misappropriation or misuse of individuals’ confidential information such as social security number, grades, health records, financial transactions;
      2. jeopardize the functionality of the University’s information technology infrastructure;
      3. permit unauthorized access to the University’s resources or information;
      4. use the University’s technology resources to disrupt, misappropriate or misuse other University resources;
      5. allow the University’s information technology resources to be used to launch attacks against the resources and information of other individuals or organizations.
    5. Data Security Incident” means an Event that presents an elevated risk of actual or potential unauthorized access, use, change, deletion, or export of University Data or significant impairment of University IT Services or IT Systems. Data Security Incidents include, but are not limited to, loss or theft of devices (laptops, thumb drives), cyberattacks, phishing campaigns, and other attempts to install malware or ransomware. Data Security Incidents include the loss of University Data, regardless of the form of information (e.g., electronic or paper).
  3. POLICY STATEMENTAll members of the University community, including but not limited to students, faculty, and staff with access to University IT systems, must report Events as specified in this policy. Failing to report Events will result in disciplinary action.
  4. POLICY STANDARDS AND PROCEDURES
    1. Individuals observing an Event must (i) immediately report the Event to the information technology support professional in their department or college (the “Local IT Support”) or to the Security Operations Center (“SOC”) by completing the Reporting Form or calling 302-831-6000 and (ii) comply with instructions provided.
    2. Local IT Support will respond promptly to Event reports they received. If the Local IT Support determines the Event is limited to malware that does not pose a threat of serious impact to University Data, IT Services, or IT Systems, Local IT Support will take appropriate measures to isolate the Event and restore the system.  If the Local IT Support does not make such a determination, Local IT Staff will immediately report the Event to the SOC.
    3. The SOC will follow the procedures specified in the University Data Security Incident Response Plan (“SIRP”) in responding to Event reports.