Incident Response Procedures
These procedures are for ISMs, ISAs, and other IT staff to follow whenever an incident is detected or suspected within a unit.
High Severity Incidents are IT security incidents which involve a confirmed or suspected restricted data breach or have more than a minor impact on operations. High severity incidents require the activation of UFIT ISO-CSIRT’s Incident Response procedures.
- Evaluate severity level. Any security incident involving an information system used to store, transmit or process UF Restricted Data or a security incident that results in degraded performance of a UF IT asset, which represents more than a minor impact on operations , is considered a high-severity incident. High-severity incidents should be reported immediately.
- Report high-severity incidents to the UFIT Information Security Office by sending email to email@example.com or calling 352-273-1344. Include a brief description of the incident and who should be contacted for more information. See “How to Report a Security Incident” below for specific contact details.
- Protect the evidence
- Do not access (logon) or alter the affected IT asset
- Do not power off or logoff the affected IT asset
- Unplug the network cable from the affected IT asset, network port or wall-jack
- Physically label the IT asset, directing others to not touch or use the IT asset
- Document the following, provide as much specificity as possible:
- When and how the incident was detected?
- What actions have been taken so far? Include the date/time, location, person(s) involved and actions taken for each step.
- The type of data the affected IT asset is used to store, transmit or process
- Anticipate that the UF Computer Security Incident Response Team (CSIRT) will collect all related system or service logs and ancillary electronic evidence
- Be prepared to assist the UF CSIRT as they investigate the incident
- All reported high-severity security events and/or incidents shall be promptly investigated and documented by the UF Computer Security Incident Response Team (CSIRT) in accordance with UF’s Information Security Incident Response Plan. The UF CSIRT is authorized to direct all incident response activities including, when necessary, containment and remediation tasks necessary to protect UF’s IT resources.
Restricted Data – Restricted Data is formally defined in UF’s ‘Data Classification Policy’. For the purpose of this Incident Response Plan, Restricted Data is data that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non -directory student records and export controlled technical data.