Incident Response Procedures

Information Security Office


The intent of this guide is to provide an organized approach to dealing with an incident involving one or more Information Technology Resources. The goal is to handle the situation in a way that limits damage and reduces recovery time and cost. An incident is defined as a breach of Canadian law(s), University policy and, to a limited extent, standards set by the Information Security Office.

Identification of an incident can come from any individual on campus who observes something they deem inappropriate. Individuals are encouraged to contact the appropriate managers of the facility or the Technology Solutions Center Help Desk directly.

IT Resource incident response normally involves the following key processes:

  • Incident confirmation by one or more parties
  • Information gathering to determine exactly what resources are involved
  • IT Resource containment
  • Analysis of what occurred
  • Reporting results to stakeholders and/or University Administration
  • Follow-up review to determine methods that may stop another incident from occurring


All IT Resource related incidents, once confirmed, are to be documented and tracked through the lifecycle of the incident. Documentation could include logs, computer screenshots, data examples, network traces, etc. Presentation of this documentation may be required to University Administration or law enforcement.


Roles of Involved Parties

Chief Technology Officer

The CTO is the sole communications link with relevant parties/departments in order to minimize confusion and possible reporting of misinformation. The CTO is looked upon to execute or delegate the following:

  • Setting priorities
  • Notifying Senior Administration of an incident declaration
  • Disaster declaration
  • Notifying the Communications department as appropriate for internal and external communication
  • Overseeing the Information Security incident work plan(s) and process
  • Defining or issuing “gag” orders within the Information Technology departments involved in the incident(s) on particularly sensitive issues
  • Overseeing the follow-up review process


Information Security Officer

The main duties of the Information Security Officer are to confirm incidents and coordinate the resources to handle them. These duties include:

  • Determining the criticality level of the incident and notifying the CTO
  • Maintaining communications with the CTO during various phases of the incident response
  • Notifying Legal Counsel, Security Services and other department heads as delegated by the CTO or where appropriate
  • Forming and engaging an Incident Response Team to respond to and contain the incident
  • Exercising any “gag” orders passed down by the CTO to IT staff
  • Ensuring that information is collected and documented during the gathering phase
  • Developing containment procedures
  • Assisting the Incident Response Team in determining the cause and effect(s) of the incident
  • Working with the CTO and Legal Counsel during forensic investigations if required
  • Identifying external services/resources if needed
  • Confirming that all IT Resources are returned to operational quality


Incident Response Team

The Incident Response Team will be composed of members with the varying skill sets required to react to, contain and recover from an incident. Main duties include:

  • Assisting in the collection of evidence during an incident investigation
  • Making recommendations to the Information Security Officer on remedial action for affected IT Resources
  • Determining whether IT Resources can be restored from backups or whether complete system initialization is required
  • Determining what data is lost and cannot be recovered or restored
  • Reloading of data/configurations on affected IT Resources
  • Restoring normal operations
  • Determining whether a detailed investigation is required to establish the cause of the incident
  • Providing feedback in the follow-up review process and discussing procedural changes and updates


Security Services

  • Performs or assists in interviews and IT Resource confiscation if required
  • Coordinates with external law enforcement as required
  • Liaises with law enforcement as required by Legal Counsel


Legal Counsel

  • Provides guidance to the CTO and Senior Administration regarding legal and regulatory aspects of the incident and investigations involving employees
  • Advises Senior Administration if civil or legal action should be pursued against those parties who created the incident
  • Reviews communications drafted by the Communications Department as required
  • Liaises with external counsel


Communications Department

  • Provides external communications in consultation with Legal Counsel
  • Responds to all external media inquiries
  • Liaises with external public relations firms
  • Ensures internal communications are consistent with external communications


Classifying Incident Levels

Incidents fall under four general categories:





These incidents have very little or no effect on operations and are usually very isolated occurrences. Response is prioritized by importance and solved within a generally acceptable time frame by technical staff or another department or group.

Examples: single-system malware infection, email spamming, individual (single) accounts disabled or compromised, phishing attempts, firewall and system penetration attempts


These incidents result in little to no loss of sensitive information, little or very limited impact to University operations, and minimal risk of negative financial impact. Public relations may be affected, but the effect is controllable. Resources from various departments may be sought depending on the severity of the incident. IT Resources may be confiscated and services may be disrupted. Decisions are made to involve law enforcement.

Examples: copyright infringement, child pornography, attempted distributed denial of service (DDoS), network-based worms, rogue IT resources on network, multiple compromised accounts, hacking of low/medium sensitivity system(s)


These incidents are very successful and difficult to control or counteract. They result in the loss of highly sensitive data and/or mission critical systems and services, carry a high risk of negative financial and public relations impact, and cause loss of mission to one or more departments. IT Resources may be shut down and services disrupted with little notice. Law enforcement is brought in to assist.

Examples: successful compromise of highly sensitive system(s) or core infrastructure devices, breach of highly sensitive data, successful distributed denial of service (DDoS) attack, highly sensitive data leakage


These incidents are completely unexpected and result in extreme disruption/loss to the University's core services and its ability to meet its mission objectives.

Examples: natural or man-made disaster (tornado, flood, sabotage, fire)




For internal use only.