109 Information Security Incident Reporting, Response, and Recovery

The following table shows who is responsible for ensuring compliance with the policy requirements listed below.

Requirement | All Users | System Owners | System Custodians/Administrators | Departments, Schools, Units
Suspected security events and incidents will be immediately reported to IT Service Desks or the OIS (p. 2).
WashU community members will notify OIS of all computer and network security incidents (p. 2).
When an incident involves law enforcement or has legal ramifications, the scene and evidence within the system will be documented and preserved (p. 2).

Summary of Policy

End-User Incident Reporting (109.01)

The OIS will investigate incidents and work with WashU community members to complete the incident reporting documentation.

Incident Response Roles and Responsibilities (109.02)

The OIS must be notified of all computer and network security incidents that may affect the confidentiality, integrity, or availability (CIA) of computer equipment or information at WashU. 

Incident Response Planning (109.03)

The Incident Response Plan details the mission and process for the WashU organizational response to incidents, establishes incident alert thresholds, and identifies metrics for measuring and maturing the effectiveness of the plan. 

Incident Response Testing and Training (109.04)

The OIS Incident Response Team will routinely practice and test incident response plans to determine its capacity to respond, adjust plans as necessary, and train incident-response personnel. Testing will involve coordination among those with incident response roles and responsibilities and those responsible for related plans (e.g., Business Continuity and Disaster Recovery). 

Incident Handling (109.05)

The OIS will follow the incident response plan to perform the following duties during and after an incident. 

Requirements for Incident Preservation of Forensic Evidence (109.06)

After consultation with the Office of General Counsel (OGC), OIS may, among other actions, disconnect, monitor, or take possession of devices as part of the incident response process. OIS will notify appropriate leadership. 

Incident Reporting Requirements for Regulations and Contracts (109.07)

OIS will work with Area Specific Compliance Offices (ASCOs) to ensure that all other reporting requirements are fulfilled. 

Incident Recovery (109.08)

OIS will establish an incident recovery plan and execute the plan after an incident has been contained and mitigated. 

Full Text of Policy

Policy 109 Information Security Incident Reporting, Response, and Recovery

The policy communicates a planned and systematic approach to incident handling from reporting to recovery and analysis.

Related Information

209 Information Security Incident Response and Recovery

This standard establishes processes related to incident detection, response, and containment.