Incident Response Procedures

IT Resource Security Standards - Incident Response


The intent of this guide is to provide an organized approach to dealing with an incident involving one or more Information Technology Resources. The goal is to handle the situation in a way that limits damage and reduces recovery time and cost. What constitutes an incident is defined by a breach of Canadian law(s), University policy and to a limited extent, standards set by the Information Security Office.

Identification of an incident can come from any individual on campus who observes something they may deem as inappropriate. Individuals are encouraged to contact the appropriate managers of the facility or the Technology Solutions Center Help Desk directly.

IT Resource incident response normally involves the following key processes:


All IT Resource related incidents once confirmed, are to be documented and tracked through the lifecycle of the incident. Documentation could include logs, computer screenshots, data examples, network traces, etc. Presentation of this documentation may be required to University Administration or law enforcement.


Roles of Involved Parties

Chief Technology Officer

The CTO is the sole communications link with relevant parties/departments in order to minimize confusion and possible reporting of misinformation. The CTO is looked upon to execute or delegate the following:


Information Security Officer

Main duties of the Information Security Officer are to confirm incidents and coordinate resources to handle them, which include:


Incident Response Team

The Incident Response Team will be comprised of members with varying skill sets required to react to, contain and recover from an incident. Main duties include:


Security Services


Legal Counsel


Communications Department


Classifying Incident Levels

Incidents fall under four general categories:





These incidents have very little or no effect on operations and are usually very isolated occurrences. Response is prioritized by importance and solved within a generally acceptable time frame by technical staff or another department or group.

Single system malware infection, Email Spamming, Individual (single) accounts disabled or compromised, Phishing attempts, Firewall and system penetration attempts


These incidents result in little to no loss of sensitive information, little or very limited impact to University operations and offers minimal risk of negative financial impact. Public relations may be affected but is controllable. Resources from various departments may be sought depending on the severity of the incident. IT Resources may be confiscated and services may be disrupted. Decisions are made to involve law enforcement.

Copyright infringement, Child pornography, Attempted distributed denial of service (DDOS), Network-based worms, Rogue IT resources on network, Multiple compromised accounts, Hacking of low/medium sensitivity system(s)


These incidents are very successful and difficult to control or counteract. Results in loss of highly sensitive data and/or mission critical systems and services. High risk of negative financial and public relations impact. Loss of mission to one or more departments. IT Resources may be shut down and services disrupted with little notice. Law enforcement is brought in to assist.

Successful compromise of highly sensitive system(s) or core infrastructure devices, Breach of highly sensitive data, Successful distributed denial of service attack (DDOS), Highly sensitive data leakage


These incidents are completely unexpected and result in extreme disruption/loss to the University's core services and its ability to meet its mission objectives.

Natural or man-made disaster (tornado, flood, sabotage, fire)



Incident Response Procedures

For internal use only.