Guidelines for Internal Reporting of Information Security Breaches

Important Contact Information:

• Public Safety Office: 458-8999
• Information Security Program Coordinator: Scott Dittman, University Registrar, 458-8452, sdittman@wlu.edu
• Information Security Officer: Dean Tallman, Director Enterprise Applications and ITS Security, 458-8089, dtallman@wlu.edu

Washington and Lee University's Information Security Program Committee oversees the university's handling of confidential information. For more information on the policies that relate to information security at W&L, see the Information Security Program (available at: http://go.wlu.edu/OGC/InfoSecurityProgram). These procedures are a reference for any faculty or staff employee who suspects that a breach of confidential university information has occurred.

1. What constitutes a "breach?"
Think of the term "breach" in fairly broad terms. A "breach" includes any situation that does or likely could involve the unauthorized release, disclosure, loss, or theft of confidential information, whether known or suspected, accidental or intentional.

2. Whom should I contact in the event that printed information is involved in a breach of security?
Report any known or suspected breach of printed information to the University's Information Security Program Coordinator (contact information above).

3. Whom should I contact in the event that electronic information is involved in a breach or an electronic device is lost/stolen?
Report any known or suspected breach of electronic information or loss/theft of an electronic device (e.g., university-owned cell phone, computer, jump-drive) to the University's Information Security Officer (contact information above).

4. Whom should I contact in the event of a physical theft?
Report all physical thefts to Public Safety, to the Information Security Program Coordinator, and, if applicable, to the Information Security Program Coordinator and/or the Information Security Officer as noted above.

5. What happens after I initially report a breach?
Depending on the nature of the actual or suspected breach, the person you contact will usually request more information from you about the circumstances surrounding the breach. If necessary, the University's Information Security Program (ISP) Committee will be notified and may meet to recommend a course of action to the Provost.

The Bottom Line: Contact one of the above-listed individuals as soon as possible after you suspect a breach or become aware that an electronic device has been lost or stolen.