IT Incident Response Policy
Purpose
The purpose of this policy is to provide guidance regarding response to and management of IT security incidents involving the University of Dayton.
Scope
This policy applies to the information systems, institutional data, and networks of the University of Dayton, as well as any person or device that gains access to them.
Policy History
Effective Date: September 2009
Approval: December 2, 2025
Policy History:
- Approved in original form: September 2009
- Approved as amended: December 17, 2015
- Approved as amended: December 2, 2025
Maintenance of Policy: Vice President and Chief Information Officer, University of Dayton Information Technology (UDit)
Policy
The University of Dayton (UD) maintains a sophisticated computing environment to support its diverse operations. Consequently, UD hosts large amounts of data, much of which is sensitive according to the University’s Information Security Policy. Legal and regulatory requirements, as well as best practices, dictate that we be prepared to detect, contain, eradicate, recover from, and report on IT security incidents.
IT security incidents are defined in NIST SP 800-61r3, “Incident Response Recommendations and Considerations for Cybersecurity Risk Management,” as “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” IT security incidents may include denial of service attacks, malicious software infections, loss or theft of equipment, and unauthorized access to data. Such incidents shall be reported immediately to the IT Security Director, who will coordinate relevant parties and activities, as applicable, to ensure an effective response.
Incident Severity Levels:
Incident response will be based on the severity of the incident, considering the sensitivity of the data involved, the number of end users impacted, and its overall impact on the University’s ability to fulfill its mission. Incident severity falls into three categories.
Level 1:
An IT security incident may be considered Level 1 if any of the following conditions are present:
i. It threatens Restricted data as described in UD’s Information Security Policy, or information technology resources that contain Restricted data;
ii. It has the potential for substantial to total disruption to a large number of information technology resources, data, and/or people (for example, the entire institution is affected);
iii. It poses potentially substantial reputational or financial risk, or legal liability, to the University;
iv. It involves terroristic or other threats to human life or property received by UDit.
Level 2:
A security incident may be considered Level 2 if any of the following characteristics are present:
i. It threatens data classified as High or information technology resources that contain data classified as High;
ii. It adversely impacts a moderate number of information technology resources, data, and/or people;
iii. It poses potentially moderate reputational or financial risk, or legal liability, to the University.
Level 3:
Low severity (Level 3) incidents do not have characteristics from Levels 1 or 2 and may include any of the following:
i. It threatens data classified as Medium, information technology resources that contain data classified as Medium, or data that poses little or no risk to individuals and/or the institution;
ii. It adversely impacts a very small number of information technology resources, data, and/or people;
iii. It poses potentially small reputational or financial risk, or legal liability, to the University.
The severity level determines response urgency. All incident response activities will be documented, including solutions to prevent recurrence, and collected evidence will be handled appropriately.
Roles and responsibilities
Incident severity will also determine who participates in incident response activities. A core group consisting of the Office of Legal Affairs; the Division of Safety, Audit, Risk and Compliance; University Marketing and Communications; and IT Security will be convened for all Level 1 and 2 incidents. Others from the list below will be added as necessary to complete the incident response team or engaged to address Level 3 incidents. The IT Security Director will lead the team unless otherwise specified.
Application Owner: The Application Owner will be notified of IT security incidents involving their application, system or service, or notify the IT Security Director immediately if they first determine an IT security incident has occurred. They will work with the incident response team, applicable Data Stewards and subordinate System/Network Administrators to investigate, develop, and carry out an appropriate response. The Application Owner is required to ensure accurate and current information is maintained in the University’s application portfolio.
Chief Information Officer: The CIO will participate as a member of the incident response team on Level 1 incidents and will be notified of all Level 2 and Level 3 incidents as necessary.
Data Steward: Data Stewards will be notified immediately and will serve as members of the incident response team for all incidents involving the data types for which they are designated as responsible.
Facility Security Officer: The FSO will be notified of and serve as a member of the incident response team for any IT security incidents involving data, systems, or services regulated/classified under the referenced DFARS and NISPOM guidelines or by UDRI contract. Given its work with research data labeled Confidential Unclassified Information (CUI), UDRI maintains its own operations, including incident response. To ensure consistency and visibility, the core members of UD’s incident response team will participate in UDRI’s incident response activities.
IT Security Director: The IT Security Director (also referred to as the IT Risk Management Officer) will be notified of all IT security incidents. As the incident response team lead, they will be responsible for assembling the incident response team, collecting data pertinent to the incident, coordinating activities to manage it, and, as necessary, preparing post-incident reports. If someone else is selected to lead an incident response, the IT Security Director will help the appointed team lead coordinate efforts.
IT Service Center: UDit's IT Service Center will notify the IT Security Director immediately as IT security incidents are identified. All incidents determined to be Level 3, for which a formal playbook has been developed, will be addressed by the proper UDit team with reporting handled through that office and existing reporting facilities.
Marketing and Communications: University Marketing and Communications is represented as a core member of the incident response team and, as such, will participate in Level 1 and 2 incidents, and be notified of Level 3 incidents as necessary. They are responsible for community and external communications.
Office of Legal Affairs: Legal is a core member of the incident response team and will participate in Level 1 and 2 incidents, and be notified of Level 3 incidents as needed. Legal provides guidance on best practices, industry regulations, and applicable federal and state laws relevant to the University of Dayton’s response. If the University of Dayton is first notified of an IT security incident through Legal, that office will notify the IT Security Director immediately.
Public Safety: The incident response team will engage Public Safety if a criminal investigation may be needed. If Public Safety is the first to learn of an IT security incident, it will immediately notify the IT Security Director. Public Safety will provide guidance on the collection and preservation of evidence, as necessary.
Safety, Audit, Risk and Compliance: The Division of Safety, Audit, Risk and Compliance is represented as a core member of the incident response team and, as such, will participate in Level 1 and 2 incidents, and be notified of Level 3 incidents as necessary. The office will be responsible for reporting incidents to UD’s Cyber Insurance Representatives. If a device is reported as lost or stolen for insurance purposes, the office will notify the IT Security Director to determine whether further investigation is necessary.
System/Network Administrator: System/Network Administrators will notify the Application Owner and the IT Security Director immediately if they become aware of an IT security incident. These subject matter experts have the skill sets and familiarity with the applicable computing environment to provide information and administer the various stages of incident response efforts — contain, eradicate, and recover — in coordination with the Application Owner and the incident response team.
UDRI Technology Office: UDRI's Technology Office will be notified immediately of all UD security incidents with the potential to impact their operation.
Various: Departments or individuals not falling into any of the categories above shall be engaged to participate in or provide service to the incident response team as necessary. Contact information for essential partners, to include cyber insurance representatives, federal agencies, service providers and vendors, will be provided as a reference to the incident response team.
All information about a cybersecurity incident investigation must be handled with discretion and disclosed to internal and external parties only on a need-to-know basis.
Training will be provided to staff with IT security incident response responsibilities. Exercises of this policy and its associated procedures will be conducted at least every 2 years.
Regarding enforcement, parties found to have violated this policy may be subject to disciplinary action.
Reference Documents
Applicable Regulations
Including, but not limited to: