IT Incident Response Plan

This guideline covers how IT organizations at Washington University in St. Louis should respond to various incidents on campus.


This policy governs the university’s general response, documentation and reporting of incidents affecting computerized and electronic communication information resources, such as theft, intrusion, misuse of data, other activities contrary to the university’s acceptable use policy, denial of service, corruption of software, computer and electronic communication-based HIPAA violations, and incidents reported to Washington University by other institutions and business entities. This policy does not include damage to personal computers owned by students, unless their computers contribute to the incident.

Policy Statement

The Washington University IT security incident response policy and subordinate procedures define standard methods for identifying, tracking and responding to network and computer-based IT Security Incidents.

The Washington University IT Security Incident Response Policy is established to protect the integrity, availability and confidentiality of confidential or proprietary information, to prevent loss of service and to comply with legal requirements. This policy establishes the coordination of the university’s response to incidents affecting computerized and electronic communication systems, to enable quicker remediation, information gathering and reporting of infrastructure-affecting and FERPA-related security events.


An IT security incident (“incident”) is any activity that harms, or represents a serious threat to, the whole or part of Washington University’s computer, telephone and network-based resources, such that there is an absence of service or an inhibition of functioning systems. This includes unauthorized changes to hardware, firmware, software or data; unauthorized exposure, change or deletion of critical records; or a crime or natural disaster that destroys access to or control of these resources.

Routine detection and remediation of a “virus,” “malware” or similar issue that has little impact on the day-to-day business of the university is not considered an incident under this policy. Routine issues should be reported to the appropriate IT support staff for remediation and tracking.

Policy Sections

Identification of Incidents

Any member of the Washington University community or individual or organization outside of Washington University may refer an information security activity or concern to the Network Security Office. The NSO itself can also identify an incident through its proactive monitoring of Washington University’s network and information system activities. Once identified, the NSO will use standard internal procedures to log and track incidents and, working with others as appropriate, take steps to investigate, escalate, remediate, refer to others or otherwise address as outlined in the remainder of this policy.

Establishment of an IT Security Incident Response Team

The IT director of the impacted school is responsible for incident interdiction and remediation of computer and electronic communication-based resources affected by these incidents. They will consult key representatives of Washington University’s IS&T, administrators in affected schools, Washington University Police, Disaster Recovery, and the Legal, Public Affairs, Internal Audit, Academic and Administrative Systems Departments, or other units, as warranted, to establish an IT Security Incident Response Team appropriate to respond to a specific incident.

Risk Assessment Classification Matrix

IS&T, in partnership with Washington University’s schools, will establish an internal risk assessment classification matrix to focus the response to each incident, and to establish the appropriate team participants to respond. This classification matrix will correspond to an “escalation” of contacts across the university, and will indicate which authorities at Washington University to involve and which procedure would be applicable for each class of incident.

Documentation and Communication of Incidents

The school IT director will ensure that incidents are appropriately logged and archived. Any IT security incidents involving sensitive data will be identified as such in order to implement the relevant FERPA security procedures. The impacted school will provide incident reporting to Washington University’s Technology Leadership Council (TLC).

Wherever possible, documentation of such incidents will cross-reference other event databases within the university, such as the IS&T trouble ticketing and network monitoring systems and Washington University Police case reports. Any incidents involving systems that are tracked in the IS&T trouble ticket system will be cross-referenced in that database with the school or IS&T incident tracking log. The IT Security Incident Response Team representatives will be responsible for communicating the incident to appropriate personnel and for maintaining contact, for the purpose of updates and instruction, for the duration of the incident.

Subordinate Procedures

The TLC will maintain standard subordinate procedures for the response and investigation of each incident, as well as securing the custody of any evidence obtained in the investigation. The classification matrix described in the section above will govern the application of these procedures. The procedures will specify the location and method of custody for each incident if custody of evidence is required.

Role of Washington University Personnel, Training

Washington University personnel are required to report incidents to the appropriate school IT director or IS&T.

Incident Prevention

Wherever possible, the university will undertake to prevent incidents by monitoring and scanning its own network for anomalies and developing clear protection procedures for the configuration of its IT resources.

Modifications and Adjustments

This policy and its procedures will be reviewed at least annually to adjust processes and to identify new risks and remediations.

Special Situations/Exceptions

Any personally owned devices, such as PDAs, phones, wireless devices or other electronic transmitters, that have been used to store sensitive university data and are determined to contribute to an incident may be subject to seizure and retention by Washington University Police until the incident has been remediated, unless custody of these devices is required as evidence for a court case. By using these devices within the Washington University network for business purposes, individuals are subject to university policies restricting their use.


The TLC maintains internal procedures for incident logging, tracking and reporting, for evidence custody and related practices.