Incident Response Flow

1) Threat to life or property is usually easy to spot, and you can skip everything else. Don’t wait for anyone; call the police at 911. To ensure prompt service, after calling 911 contact Campus Police at 416-978-2222.

  • Fire, flood, physical break-ins, assault, robbery, etc.
  • If there turns out to be an investigation that requires Infosec, Campus Police may engage us in this case, but they will continue to own the incident.

2) Event or Incident?

When deciding whether an event is security related, and it is not immediately obvious, consider these questions:

  • Did someone see/change/delete sensitive information that they should not have? (Ransomware, Denial of Service, Loss of data confidentiality, etc.)
  • Did someone intentionally access a system that they should not have? (hacking access, installing and using a back door, etc.)
  • Did someone misrepresent themselves when accessing a University resource? (use of stolen credentials, falsifying identification, etc.)
  • Something else?

One of the key considerations is whether there was malicious intent. In general, if there is malicious intent, then it is an INCIDENT; otherwise it is an EVENT.

Events should be reported to local helpdesks / IT admins / business offices as appropriate.

3) Classification levels are generally decided by the potential impact of the incident. Some examples:

  • Low-impact malware such as click fraud on workstations without restricted data is low.
  • A denial of service attack against a shared hosting service (multiple groups affected) is medium.
  • Unauthorized access to a service that hosts restricted data is high.

Low incidents would usually be managed by a D/D/F incident management process.

4) For medium and high incidents, contact ISEA.

We have set up a new email address, security.response@utoronto.ca. This should only be used for high priority communication. Highly sensitive issues can also be reported by phone through the usual means.

5) Jurisdiction

When ISEA is the lead investigating body, we will coordinate any other groups within the university as needed to investigate the incident quickly and thoroughly. We will work with the original reporter, and/or their Infosec / IT group to gather the appropriate information for the investigation. In the cases where the incident is necessarily in a different jurisdiction, we will facilitate the hand-off in a quick and clean manner.

6) Enterprise Report Process

The incident report will have all the necessary details of the incident to document it and bring it to a satisfactory conclusion. It is necessarily classified as restricted and must be stored appropriately for that classification. The Enterprise Reporting Process will extract key measurements and metrics that can be used for reporting purposes and will not contain any information above the level of “internal use only”. Its purpose is to provide an accounting of the number of incidents reported, what types of incidents we face, what technologies are being exploited, and similar. (We have not completed this process yet, and expect this to be a discussion with other stakeholders.)