Skip to Main Content

Standard 12 - Security Incident Management



  1. Incidents involving computer security will be managed by IT Security and will be reported as required by Federal or State law or regulation.
  2. IT Security must establish and follow security incident management procedures to ensure that each incident is reported, documented, and resolved in a manner that restores operations and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions.
  3. Reporting requirements. Security incidents will be reported as required by State and Federal law and University policy.
    1. All faculty members, staff, and/or students shall promptly report any unauthorized or inappropriate disclosure of University data to IT Security via itsecurity@unf.edu or (904) 620-2820.
    2. IT Security shall promptly report any unauthorized or inappropriate disclosure of University data to the UNF Chief Information Security Officer (CISO).
    3. The CISO shall report to the UNF Chief Information Officer (CIO) incidents involving computer security that compromise the security, confidentiality, or integrity of University data.
    4. The CISO, in consultation with the CIO, shall report significant security incidents to other University officers as appropriate.
    5. The University shall disclose, in accordance with applicable Federal or State law, incidents involving computer security that compromise the security, confidentiality, and/or integrity of University data it maintains to data owners. Such determination shall be made in consultation with University officers and the office of the General Counsel.
    6. Disclosure shall be made as quickly as possible upon the discovery or receipt of notification of the incident taking into consideration:
    7. The time necessary to determine the scope of the incident and restore the reasonable integrity of operations;
    8. Any request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation.
  4. IT Security’s incident management procedures must incorporate the following: 
    1. For each incident, the University will establish a Computer Incident Response Team (CIRT) according to the response plan that, in the event of a significant computer security incident, will initiate and follow the incident management procedures. The members of this team will have defined roles and responsibilities that, based on the severity of the incident, may take priority over normal duties. 
    2. The CISO will report the incident to the appropriate University, State, and Federal agencies and departments as required by governing laws, rules, and procedures.
    3. The CISO, working with the selected CIRT team members and the CIO, will determine if a widespread University communication is required. 
    4. The CISO is responsible for maintaining a chain of evidence on incidents it investigates, or participates in investigating, in case the incident needs to be referred to law enforcement or for other legal proceedings.
    5. The CISO is responsible for determining the physical and electronic evidence gathered as part of the incident investigation, except in cases involving appropriate law enforcement personnel, where the University police department or other law enforcement agencies will make these determinations.
    6. Technical staff members from the CIRT, led by the CISO, are responsible for ensuring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized.
    7. The CISO is responsible for initiating, completing, and documenting the incident investigation with assistance from the CIRT.
  5. Monitoring techniques and procedures. IT Security must implement monitoring controls and procedures for detecting, reporting, and investigating incidents.

Return to the ITS Policies and Procedures List