Skip to main content
University of Florida
NaviGator AI home page NaviGator AI

Incident Response Procedure

University IT staff members must follow the Incident Response Procedure in the event of an information security incident impacting university infrastructure and IT assets.

Before consulting the procedure, staff must determine whether it is a high-severity or low-severity security incident.

Low Severity Incidents IT security incidents that do not involve a suspected breach of restricted data and have a minor impact on operations. Low severity incidents do not involve the activation of UFIT ISO-IRT’s Incident Response Procedure and should be directed to the Help Desk or the staff member’s corresponding IT unit for assistance. High Severity Incidents IT security incidents that involve a confirmed or suspected restricted data breach or have more than a minor impact on operations. High severity incidents require the activation of UFIT ISO-IRT’s Incident Response Procedure.

Staff can use the following questions to assist in determining whether the incident is low-severity or high-severity:

  • Is the information system involved in this security used to transmit, store or access UF Restricted Data and defined by UF’s Data Classification policy?
  • Does this security incident represent more than a minor impact to the unit’s business or operational functions?

“YES” to either of these questions suggests a high-severity incident and should be escalated to the Incident Response Team (IRT) following the procedure below.

High-Severity Incident Response Procedure

  1. Secure the Evidence
    1. Do not access, log on or alter the affected IT asset.
    2. Do not power off or log out of the affected IT asset.
    3. Unplug the affected IT asset’s network cable from the network port or wall-jack.
    4. Physically label the IT asset, directing others not to touch or use it.
  2. Report the Incident
    1. Contact the UFIT Information Security Office by sending an email to ufirt@ufl.edu or calling (352) 273-1344
    2. Include documentation of the incident using the following questions:
      1. When and how was the incident detected?
      2. What actions have been taken so far? (include the date/time, location, person(s) involved)
      3. What type of data was the affected IT asset storing, transmitting or processing?
  3. Be Prepared to Assist the Incident Response Team

The IRT will collect all related system or service logs and ancillary electronic evidence. If necessary, the team will direct all incident response activities, such as containment and remediation tasks, to protect IT resources.

Incident Response Procedure PDF

Click the link below for a printable version of these steps.

Download PDF