Click here to view the Incident Response Procedures.
The purpose of this policy is to clearly define IT roles and responsibilities for the investigation and response of computer security incidents and Data Breaches.
This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access UF Data as well as all personnel including employees, students, temporary workers, contractors, those employed by contracted entities and others authorized to access UF enterprise assets and information resources.
- The Computer Security Incident Response Team (CSIRT) detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
- The CSIRT directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The CSIRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
- During the conduct of security incident investigations, the CSIRT is authorized to monitor relevant UF IT resources and retrieve communications and other relevant records of specific users of UF IT resources, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy.
- Any external disclosure of information regarding information security incidents must be reviewed and approved by the CIO in consultation with the Office of General Counsel, University Communications, and other university stakeholders as appropriate.
- The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that does not identify any member of the University of Florida Constituency.
- All members of the University Constituency are responsible for promptly reporting any suspected or confirmed security incident involving University of Florida Data or an associated information system, even if they have contributed in some way to the event or incident. Reports are to be made to the UF Information Security Office, 352-273-1344 or firstname.lastname@example.org. Members of the University Constituency must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.
- Information Security Administrators (ISAs) are responsible for unit procedures to train users to recognize and report information security incidents.
- Information Security Managers (ISMs) are responsible for responding to, and periodic reporting on, Low Severity security incidents according to procedures established by the Information Security Office. High Severity incidents reported to or discovered by ISMs are to be promptly reported to the Computer Security Incident Response Team (CSIRT).
- The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the UF Computer Security Incident Response Plan.
- The Chief Information Security Officer is responsible for staffing the CSIRT, and augments staff with subject matter experts and/or surge staffing as necessary.
UF-1.0102: Policies on Information Technology and Security
NIST 800-53: IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8, PM-12
UF Computer Security Incident Response Plan (Restricted access per FS 1004.055)