
Computer Security Incident Response (SE-POL-002)




Information Services

Effective Date:

Administrative Manual

x Other Information Services

Policy #: SE-POL-002

x Original

Total # Pages: 4

Title: UW Health IS Computer Security Incident Response Policy


The purpose of this policy is to address the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of information or interference with
system operation in an information system that is outside of a downtime incident. This
policy only addresses adverse events that are computer security-related. It excludes
adverse events caused by sources such as natural disasters, hardware, media or power
failures, or downtimes. This policy has general applicability to all hardware and computer
systems that are under the control of the UW Health Information Services (UWH IS)


A. Adverse event – Any observable occurrence in a computer system or network with a
potential negative consequence, such as system crashes, unscheduled down time,
unauthorized use of system privileges, unauthorized access to sensitive data, and
execution of malicious code that destroys data.
B. Computer Security Incident (CSI) – Defined as any real or suspected adverse event
in relation to the security of networks, systems or applications. Incidents could include:
   - Attempts (either failed or successful, such as phishing) to gain unauthorized
     access to a system or its data
   - Hacking – human attempts to compromise the network or system security
   - Unwanted disruption or Denial of Service (DoS)
   - Malware - Malicious software code designed to infiltrate or damage a computer
     system without the owner’s informed consent (i.e. virus, worm, Trojan Horse)
   - Stolen, shared, or inappropriately obtained passwords
   - Corrupted hardware that does not allow for restoration of data
   - Loss or theft of UW Health electronic data
   - Any other violation of policy that puts UW Health electronic data at risk

C. Security Incident Response Team (SIRT) – Group of individuals in the UWH IS
department appointed by the UWH IS VP/CIO who are responsible for overall
management, documentation, internal communications and reporting of a CSI. The
team will also include the UWH IS HIPAA Security Officer, organizational HIPAA
Privacy Officer(s), Internal Audit, and the Building and/or Facilities Management staff
as deemed appropriate for the incident. The roles and responsibilities of each
member are defined within the UW Health IS Computer Security Incident Response


Proactive measures will be taken to reduce the risk that an incident may occur on UW
Health systems. Some examples of this are security awareness training/emails, firewalls,
anti-virus software, OS patch management, intrusion detection, penetration testing, and
vulnerability assessments.

In the event a potential incident is reported or detected, an initial assessment will be
made to determine if the event qualifies as a security incident or not. If it does, the
incident will be categorized and prioritized based on any other incidents that may be
concurrently occurring. An investigation of the incident follows, which includes
containing the event. Once resolved, any incident that meets the criteria of the Incident
Review Policy will have a post-mortem incident review conducted to evaluate the
process and identify any areas of improvement.

Incidents are to be documented, reported to appropriate individuals as noted in the UW
Health IS Computer Security Incident Response Procedure, and stored in an encrypted
file with limited need-to-know access only, for a minimum of 6 years.

The UWH IS CIO’s office has the authority to declare an incident a disaster or
emergency and invoke the UWH IS Business Continuity or Disaster Recovery Plan at
any time.

All media inquiries should be referred to the office of UW Health Public Affairs.

IV. Forms

[Provide Forms as well as Form Numbers and/or Hyperlinks]


UW Health IS Computer Security Incident Response Procedure SE-PRO-002

VI. Related Policies and Other Resources
UW Health IS Incident Review Policy
SC-003 UW Health Stolen or Lost Mobile Device Policy
“NIST Publication”
“Federal Government Incident Response Team”
“CSIRT Case Classification”
“Responding to IT Security Incidents”
“Risk Analysis and Security Policy”
“CERT Coordination Center – Incident Reporting Guidelines”
“Computer security incident management”
“Denial of Service Attack”


UW Health is not a legal entity. UW Health is comprised of three separate entities. This
policy applies to facilities and programs operated by the University of Wisconsin
Hospitals and Clinics Authority and the University of Wisconsin Medical Foundation, Inc.,
and to clinical facilities and programs administered by the University of Wisconsin
School of Medicine and Public Health.

Each entity is responsible for enforcement of this policy in relation to the facilities and
programs that it operates.



The details of Coordination of UWHC, UWMF and UWSMPH are shown below. Approval
and coordination of this policy by those entities occurs per their individual processes.

UWHC Sr. Management Sponsor: Leroy Baker, UW Health IS CTO
UWHC Author: Elaine Gerke, UW Health IS Security Officer
UWHC Author: UW Health IS Senior Security Engineers
UWHC Author: UW Health IS SIRT Team Members
UWHC Reviewers: UW Health IS VP/CIO & Directors
UWHC Reviewers: UWHC Internal Audit

UWMF Sr. Management Sponsor: Leroy Baker, UW Health IS CTO
UWMF Author: Elaine Gerke, UW Health IS Security Officer
UWMF Author: UW Health IS Senior Security Engineers
UWMF Author: UW Health IS SIRT Team Members
UWMF Reviewers: UW Health IS VP/CIO & Directors

UWSMPH Approval: UW Administrative Legal Services


[Insert Signature Block(s) for Appropriate Signer] Date