Discussion

University rules require that each School and Central Administration unit have, disseminate, and use an incident response process.  Such a process must include promptly notifying the proper authorities of any incident involving a breach of security, documenting responsive actions taken in connection with such a breach, a post-incident review of events and documenting any recommendations to make changes in business practices in response to the breach.

In the case of a breach involving high risk confidential information prompt notice must be given to the OGC and either the University CIO or the University Information Security Officer.  In the case of a breach involving credit or debit card information prompt notice must also be given to Cash Management.