UofL Faculty, Staff, Students and other Users
Knowledge of violations or of non-compliance with information security policies must be immediately reported to the University's Information Security Office (ISO) as well as the appropriate administrator for the department or unit in which the violation occurred. Individuals who wish to remain anonymous may contact the University's Compliance Hotline. See ISO PS006 Security Incidents for more information.
The ISO will work with the reporter to determine the administrative level at which the initial advisory should occur and whether other university areas such as Institutional Compliance, Information Technology or the Information Security Incident Response Team (ISIRT) should be notified. The ISO can be reached at isopol(@)louisville.edu. Technology-specific violations can be reported to the University's Computer Incident Response Team (ULCIRT) at SecureIT@louisville.edu. If the violation has potentially serious consequences and requires immediate attention, it should be reported to the IT Help Desk at 502-852-7997 with priority one status requested.
The University has identified the ISIRT and ULCIRT teams as its authority in developing response plans to information security and technology policy violations and serious security incidents. The teams consist of personnel from the Information Security Office and Enterprise Information Technology. The appropriate team will assess the reported violation and/or incident using an established procedural framework. This framework has been established to apply a consistent methodology to all assessments. Goals of the framework include:
· documentation of the reported violation or incident;
· preservation of evidence;
· impartial assessment of the accuracy of the reported violation or incident, including hearing the particulars from the personnel apparently responsible for the violation;
· possible escalation of the violation or incident to Human Resources, UofL Department of Public Safety, outside authorities or others;
· containment and mitigation of the violation or incident;
· remediation of the violation or incident; and
· imposition or recommendation of sanctions if and as appropriate.
Established procedures and guidelines are followed when investigating reported policy violations and security incidents.
Corrective actions and sanctions applied pursuant to this policy shall not supersede or impede any regulatory authority conferred upon other compliance oversight offices at the University of Louisville to apply sanctions or take other corrective actions appropriate to their authority. Corrective actions and sanctions applied pursuant to this policy do not supersede any sanctions imposed by external regulatory bodies.
Corrective Actions and Sanctions Available:
Corrective actions and sanctions available to the University in those circumstances where a violation of, or non-compliance with, information security or technology policy has occurred include, but are not limited to:
· imposition of a requirement to obtain additional appropriate training;
· temporary suspension or permanent revocation of computing accounts or computing access rights at the University;
· requirement to bring self, unit, department or school managed computing resources up to specified and ongoing standards or place these resources under the management of the Information Technology Department;
· imposition of a mandate and timetable for corrective or remediating action;
· letter of reprimand placed in personnel file;
· loss of improperly collected data;
· requirement to make financial restitution;
· suspension of some or all activities at the University;
· any action that may be required by applicable law, regulation or contract;
· any other disciplinary actions available as corrective action in a case of inappropriate behavior by a student, faculty member, staff, administrator or other employee up to and including termination;
· when appropriate and warranted, a department or unit may be held accountable for fees, charges, fines, or expenses incurred or resulting from or related to any such violation or non-compliance where the unit or department is deemed in whole or in part responsible.
The Redbook of the University of Louisville (http://louisville.edu/provost/redbook)
Human Resources Staff Disciplinary Policy
Compliance Hotline 1-877-852-1167