Threat to life or property – call police 911

  • This is usually really easy to spot – Fire, flood, physical break-ins, assault, robbery, etc.
  • To ensure prompt service, after calling 911, contact Campus Police at 416-978-2222
  • If there turns out to be an investigation that requires Infosec, Campus police may engage us in this case, but they will continue to own the incident.

Event or Incident?

When deciding whether an event is security related, and it is not immediately obvious, consider these questions:

  • Did someone see/change/delete sensitive information that they should not have? (Ransomware, Denial of Service, Loss of data confidentiality, etc.)
  • Did someone intentionally access a system that they should not have? (hacking access, installing and using a back door, etc.)
  • Did someone misrepresent themselves when accessing a University resource? (use of stolen credentials, falsifying identification, etc)
  • Something else?

One of the key consideration is whether there was a malicious intent or not. In general, if there is malicious intent, then it is an Incidentotherwise it is an Event.


Contact your local Help Desk

HelpDesk Button



Please see the Incident Event Flow for an overview.

For Medium and High incidents, contact ISEA at

Highly sensitive issues can also be reported by phone though the usual means.

Classification of an Incident

  • low impact malware such as clickfraud on workstations without restricted data is low.
  • Denial of service attack against a shared hosting service (multiple groups affected) is a medium.
  • unauthorized access to a service that hosts restricted data is a high.

Low incidents would usually be managed by a Department/Division/Faculty (D/D/F) incident management process. If you do not know the process, contact your local IT group.