The purpose of this policy is to clearly define IT roles and responsibilities for investigating and responding to computer security incidents and Data Breaches.
This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access UF Data as well as all personnel including employees, students, temporary workers, contractors, those employed by contracted entities and others authorized to access UF enterprise assets and information resources.
- Computer Security Incident Response Team (CSIRT): A function of the Information Security Office responsible for receiving, reviewing and coordinating the response to computer security incident reports and activity involving University of Florida Data and/or Information Systems.
- Data Breach: Unauthorized access, acquisition, use or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a privacy investigation and risk assessment.
- Incident: An event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of University of Florida data or information systems; or a real or suspected action, inconsistent with University of Florida Privacy or Acceptable Use policies.
- Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and its associated PC, or the set of desktop computers used to perform general duties in a department.
- University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
- The Computer Security Incident Response Team (CSIRT) detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
- The CSIRT directs the containment, remediation and recovery of security incidents and may authorize and expedite changes to information systems necessary to do so. The CSIRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
- During security incident investigations, the CSIRT is authorized to monitor relevant UF IT resources and to retrieve communications and other relevant records of specific users of UF IT resources, including login session data and the content of individual communications, without notice or further approval and in compliance with the Monitoring of IT Resources Policy.
- Any external disclosure of information regarding information security incidents must be reviewed and approved by the CIO in consultation with the Office of General Counsel, University Communications, and other university stakeholders as appropriate.
- The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that does not identify any member of the University of Florida Constituency.
The Incident Response Procedures are published separately.
Review and Adjudication
- All members of the University Constituency are responsible for promptly reporting any suspected or confirmed security incident involving University of Florida Data or an associated information system, even if they have contributed in some way to the event or incident. Reports are to be made to the UF Information Security Office, 352-273-1344 or firstname.lastname@example.org. Members of the University Constituency must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.
- Information Security Administrators (ISAs) are responsible for unit procedures to train users to recognize and report information security incidents.
- Information Security Managers (ISMs) are responsible for responding to, and periodic reporting on, Low Severity security incidents according to procedures established by the Information Security Office. High Severity incidents reported to or discovered by ISMs are to be promptly reported to the Computer Security Incident Response Team (CSIRT).
- The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the UF Computer Security Incident Response Plan.
- The Chief Information Security Officer is responsible for staffing the CSIRT, and augments staff with subject matter experts and/or surge staffing as necessary.
Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.
| Date | Revision |
|---|---|
| February 6, 2020 | Policy originally adopted |