I. Purpose

This document outlines the requirements for information security incident investigations at the University of California, San Francisco (UCSF). Effective incident response is essential in mitigating damage and loss due to an information security incident. Proper handling minimizes the disruption to workflow and ensures compliance to federal, state, and University laws, rules, regulations, and policies. This document satisfies the requirement in BFB IS-3 Information Security for Incident Response Procedures.

II. Objectives

• Protect UCSF’s computing and electronic information resources.
• Identify roles and responsibilities in incident investigations.
• Determine extent of damage or loss.
• Ensure proper handling of compromises or exposures of data such as restricted data as defined by the IS-3.
• Ensure compliance with Federal and State regulations and University policies.
• Prevent similar future incidents.

III. Overview And Scope

The following applies to all computing devices, networks and systems controlled by UCSF or utilized to conduct UCSF business. This also includes any computer security incident where data has been stored or transmitted over any UCSF controlled network or system.

IV. Definitions

Affected Department

Department in which an incident has occurred.

ePHI (electronic Protected Health Information)

Protected Health Information (PHI) which is created, stored, transmitted, or received electronically. See the UCSF HIPAA website for more detailed information.

S&P

UCSF Security & Policy office.

Electronic Information Resource Custodian

The department that has physical or logical control over an Electronic Information Resource. This includes, for example, departmental system administrators of a local area network and the campus administrator for a campus-wide database. This role provides a service to the Electronic Information Resource Proprietor.

Electronic Information Resource Proprietor

The Proprietor of Electronic Information Resource is the individual designated by the Chancellor or his designee as having the responsibility for determining the purpose and function of the Electronic Information Resource. Such responsibility may include specifying the uses for a departmentally owned server; establishing functional requirements during development of a new application or maintenance to an existing application; and determining which Users may have access to an application or to data accessible via an application. All Electronic Information Resources are University resources, and Electronic Information Resource Proprietors are responsible for ensuring that these Resources are used in ways consistent with the mission of UCSF.

HIPAA - Health Information Portability and Accountability Act

See the UCSF HIPAA website for further information.

Incident

An event that violates or is suspected of violating UCSF Electronic Information Resource access and usage policies.

Personally Identifiable Information (PII)

Information as defined by California Senate Bill 1386 (SB1386).

Protected Health Information (PHI)

PHI is an individual’s health information or data collected from an individual that is created or received by a health care provider, plan, or clearinghouse related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; identifies or could reasonably identify the individual; and is transmitted or maintained in electronic or any other form or medium. 

SB1386 California Privacy Legislation, Senate Bill 1386): SB1386 legislates notification to California residents of unauthorized exposure of Personally Identifiable Information.

V. Roles And Responsibilities

Authorized Users

Responsible for alerting S&P of any incident and working with various parties during an investigation.

Affected Department

An Affected Department is responsible for immediately contacting S&P when an incident is suspected. An Affected Department must work with S&P to ensure the incident is contained and an investigation is completed. Notification of individuals and entities affected by an incident, such as those legislated by SB1386, is the responsibility of the Affected Department. All costs associated with such notifications are the responsibility of the Affected Department.

Committee on Human Research (CHR)

As appropriate, the CHR will determine if there were any violations of laws, regulations, or policies involving human research subjects.

Controller

The Controller is responsible for determining the fiduciary consequences to UCSF resulting from the incident.

Electronic Information Resource Custodian

The Electronic Information Resource Custodian is responsible for working with the Electronic Information Resource Proprietor to ensure that:

• ePHI or personal information is properly protected;
• procedures are in place to indicate if unauthorized access has taken place;
• procedures are in place to monitor access; and
• the Electronic Information Resource Proprietor is notified immediately if a compromise has occurred or is suspected of having occurred.

Electronic Information Resource Proprietor

The Electronic Information Resource Proprietor is responsible for determining the purpose and function of the Electronic Information Resource and for ensuring that these resources are used in ways consistent with the mission of UCSF and with existing policies.

Security & Policy (S&P)

S&P is responsible for conducting and coordinating the investigation and verifying the sensitivity of the data residing in or accessible through the compromised Electronic Information Resource and for providing consulting services to ensure that the resources are properly protected from further compromises.

Human Resources

As appropriate, Human Resources may be involved for (re)training of the employee(s) involved and/or disciplinary action.

UCSF Police Department

The UCSFPD is responsible for criminal investigations associated with an incident. UCSFPD is responsible for notifying S&P about lost or stolen devices.

UCSF Privacy Office

When the unauthorized disclosure of PHI or ePHI may have taken place, the UCSF Privacy Office will conduct a thorough investigation and determine the risk to individuals in consultation with Campus Counsel. As appropriate, the UCSF Privacy Office will provide oversight.

UCSF Risk Management Services

Risk Management handles theft and property loss or damage claims under UC self-insurance program and provides risk assessment and mitigation consultation.

VI. Communication

All media inquiries must be directed to UCSF’s Public Affairs Office. UCSF’s Public Affairs Office will coordinate media releases of relevant information if necessary.

Communication with external entities to determine the extent of an incident will be coordinated by S&P.

VII.  Incident Reporting

All end users and owners of systems are responsible for reporting information security incidents to the appropriate organization to initiate an incident investigation.

Lost or Stolen System

Any confirmed or suspected lost or stolen EIR must be immediately reported to UCSFPD.

Compromised System

Compromises (suspected or otherwise) must be immediately reported to UCSF ITS Support.

VIII. Incident Investigation Procedures

All incidents must be investigated to determine the extent, ensure appropriate action is taken, determine corrective action, and determine if there are any legal obligations associated with the incident.

Incident investigations must follow UCSF Incident Investigation Procedures.

IX. Notification Responsibility And Requirements

Notifications must occur if circumstances surrounding an incident require mandatory notification by law or University policy.

Notification of affected individuals and entities is the responsibility of the Affected Department in coordination with S&P and UCSF Privacy Office. All costs associated with such notifications are the responsibility of the Affected Department.

X. Additional Resources

UCSF HIPAA Information
UCOP Guidelines for Determining Threshold for Notification (PDF)