Mandatory Reporting Requirement

Purpose

In order to ensure a proper and coordinated response and to take advantage of all possible opportunities for improving the University's information security environment, it is imperative that all actual or suspected information security incidents and/or weaknesses be reported.

Definitions

Incident: An information security incident is inappropriate or unauthorized access, or attempted access, to any type of information system or to any area where confidential information or electronic media are held.

Weakness: An information security weakness is a condition or circumstance that poses a reasonably apparent risk of unauthorized access to confidential information, unauthorized access to University computers or networks, damage to or interference with University computers or networks, or loss of information.

Requirement

All information security incidents and suspected incidents must be immediately reported to the appropriate central information security office at your campus or business entity. Additionally, all information security weaknesses must be immediately reported to your departmental IT office or central IT office. All University faculty, staff and student employees must comply with this requirement. Failure to report information security incidents, suspected incidents or known weaknesses may result in disciplinary action. All University faculty, staff and student employees are strongly encouraged to report any other conditions or circumstances that, if addressed, would improve the overall security environment.

Examples

Information security incidents and weaknesses may include but are not limited to:

• A known or suspected compromise of a computer system, application or database
• A fax machine that receives confidential faxes located in a cubicle rather than a lockable office
• Missing reports or printouts that are known to contain confidential information
• E-mail containing confidential information sent to the wrong recipient(s)
• Disposing of documents that contain sensitive information without shredding them first
• Known uses of insecure (weak) passwords, sharing, actual/suspected loss or theft of passwords
• Insecure physical access to network and/or server closets or other areas that should be secure
• Unauthorized or old accounts within a computing system or database
• Suspicious data flows in or out of a system
• Key logger(s) installed on a desktop or laptop computer
• Systems that are known to be configured in an insecure manner
• Physical theft or loss of computer or storage device*

*It is recommended that all physical thefts be reported to your campus or local police department before reporting the incident to the campus IT security office. Physical thefts of computers or related materials should be reported to both the police and to IT security to ensure that both departments receive the information.