Report an Information Security or Privacy Incident :Office of the CISO -

Office of the CISO

Report an Information Security or Privacy Incident

APS 2.5, Information Security and Privacy Incident Management Policy

UW employees shall report any potential event that adversely impacts the Confidentiality, Integrity, or Availability of Institutional Information, regardless of form (paper or electronic), Infrastructure Technology, or Information Systems.

Reporting Incidents


Potential incidents involving National Security Information:

University Facility Security Officer

Potential incidents involving protected health information:

UW Medicine Compliance

All other potential incidents:

Office of the CISO Information Security Services

Who does this apply to?


This process applies to all UW employees who possess, control, or have custody of Institutional Information, Infrastructure Technology, and Information Systems.

Individuals and entities that are not University employees, but are contractually bound to limit the access, use, or disclosure of Institutional Information, Information Systems, and Infrastructure Technology, shall promptly report potential Incidents to the University employee who authorized their access, use, or disclosure.

Examples of types of incidents

  • Web site defacement
  • Theft of intellectual property
  • Unauthorized access of systems and information
  • Virus, worms, and malicious code
  • Denial of service attacks
  • Inappropriate disclosure of information
  • Evidence of tampering with data
  • Loss of information
  • Loss/theft of a computer, data storage device, or media

Do and Don’t


  • Ensure that all information security incidents are reported
  • Immediately isolate the affected system to prevent further intrusion, release of data, etc.
  • Only document information that has been substantiated
  • Use the telephone to communicate
  • Preserve all pertinent systems logs
  • Identify all systems and departments that connect to the affected system



  • Communicate that there is a potential incident to individuals not directly involved in the incident management process
  • Delete, move, or alter files on the affected system
  • Contact or retaliate against the attacker
  • Conduct your own forensic analysis

What to report


Please provide the following data when reporting an incident: 
  • Reporting department name
  • Reporting person’s name and contact information
  • Description of the incident
  • Data and time the incident was discovered
  • Whether or not paper or electronic information was impacted
  • What actions have been taken before reporting the incident


If known:

  • Classification of data potentially accessed in the incident
  • How many records were involved in the incident
  • Whether or not the electronic device, media, or information was encrypted

What happens in the incident management process?


 Identification – A UW employee triggers the identification process upon the detection of a potential incident. The UW Facility Security Officer, UW Medicine IT Services Help Desk or UW Technology Security Operations will then investigate the incident or open up a ticket with the team that will investigate the incident. The key steps in this stage are:
  • Analyze all available information related to an incident
  • Determine if an incident has occurred
  • Classify the incident
  • Record all incident activities


Response – Once an incident is identified, the response stage is triggered. The response includes notifying the designated official and assembling an incident management team. The key steps in this stage are:

  • Handle evidence associated with incident
  • Contain the incident
  • Perform detailed analysis
  • Eradicate the cause of the incident
  • Communicate with stakeholders
  • Determine if notification is necessary
  • Assign Incident Manager
  • Assemble Incident Management team


Recovery – This stage is started when the response stage is materially complete. The goal is to return the business and information systems to normal operation. The key steps in this stage are:

  • Rebuild and reconfigure affected systems and applications
  • Reconnect networks (if disconnected during incident)
  • Restore lost or corrupted data
  • Document changes to infrastructure
  • Improve business processes


Remediation and Incident Review – This stage can be triggered at any time during the incident management process as appropriate. The goal is to support follow-up actions, understand the root cause, and identify areas for institutional improvement as well as completing the incident summary. The key steps in this stage are:

  • Perform detailed analysis to determine root cause
  • Review the incident management process
  • Examine adequacy of and present recommendations for security controls
  • Prepare incident summary if incident included restricted or confidential information.
  • Close the incident

Additional information