Policy Number: 12-016

Incident Response Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer

  1. Purpose The purpose of this policy is to clearly define IT roles and responsibilities for the investigation and response of computer security incidents and Data Breaches. 

  2. Applicability This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access UF Data as well as all personnel including employees, students, temporary workers, contractors, those employed by contracted entities and others authorized to access UF enterprise assets and information resources. 
  3. Definitions Computer Security Incident Response Team (CSIRT): A function of the Information Security Office responsible for receiving, reviewing and coordinating the response to computer security incident reports and activity involving University of Florida Data and/or Information Systems.

    Data Breach: Unauthorized access, acquisition, use or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a privacy investigation and risk assessment.

    Incident: An event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of University of Florida data or information systems; or a real or suspected action, inconsistent with University of Florida Privacy or Acceptable Use policies.

    Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

    University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
  4. Policy Statement
    • The Computer Security Incident Response Team (CSIRT) detects and investigates security events to determine whether an incident has occurred, and the extent, cause and damage of incidents.
    • The CSIRT directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The CSIRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party.
    • During the conduct of security incident investigations, the CSIRT is authorized to monitor relevant UF IT resources and retrieve communications and other relevant records of specific users of UF IT resources, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy.
    • Any external disclosure of information regarding information security incidents must be reviewed and approved by the CIO in consultation with the Office of General Counsel, University Communications, and other university stakeholders as appropriate.
    • The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that does not identify any member of the University of Florida Constituency. 

Click here to view the Incident Response Procedures.


Revision Date Description
February 6, 2020  Policy originally adopted
Policy updated