Computer Security Incident Response Team

The Computer Security Incident Response Team (CSIRT) is established and managed under the direction of the Chief Information Security Officer (CISO). The mission of the CSIRT is to provide an immediate, effective, and skillful response to any unexpected incident with information security implications.

The CSIRT is expected to follow the Incident Response Plan and is authorized to take appropriate action necessary to contain, investigate and remediate a security incident.

The Computer Security Incident Response Team (CSIRT) will be convened as necessary by the CSIRT Coordinator, based on the incident scope and severity.

UF CSIRT membership includes:

  • CSIRT Coordinator – the individual, versed in the Incident Response Plan, who is designated as responsible for implementing the plan, activating team members as necessary, coordinating communications, and keeping leadership informed of developments as necessary and appropriate.
  • Privacy Officer – during an active incident response, the functional role of the Privacy Officer is to determine whether data protected by regulation may be involved. If protected information is not involved, the Privacy Officer has no further responsibilities to the CSIRT. If protected information is involved, then the Privacy Officer is also responsible for any applicable post-incident data breach notifications.
  • UF General Counsel – should be consulted in cases involving alleged criminal activity or investigations focusing on an individual, or in any incident requiring legal interpretation. The General Counsel is responsible for determining whether a security incident meets the threshold of a reportable cyber liability insurance incident.
  • UF Relations – will coordinate all public communication and information sharing about a specific incident with the community and public as needed. UF Relations may further delegate responsibility to specific individuals or CSIRT members for specific media inquiries or statements.
  • UF Human Resources – assists in coordinating investigations of employees who may be affected by a security incident either as victims or having alleged involvement in the incident.
  • UF Computing Help Desk – in many cases, serves as the initial point of contact for faculty, staff or students for information about the effect a security incident may have on IT related services.
  • UFHealth/IFAS IT – contributes to the response for incidents that involve UFHealth or Institute of Food and Agricultural Science (IFAS) information systems and coordinates necessary access to affected IT resources in their domain during an incident response.
  • University Police Department – should be involved with incidents that may have criminal consequences, only after consultation with the Office of General Counsel.
  • Other Law Enforcement Agencies – when an incident involves criminal activity by malicious actors outside the university’s domain, it may be necessary to include law enforcement (e.g., the FBI) in the incident response, only after consultation with the Office of General Counsel.
  • Unit-level Information Security Administrators (ISA) and Unit-level Information Security Managers (ISM) – contribute to the response for incidents that involve information systems in the ISA/ISM’s domain and coordinate necessary access to affected IT resources during an incident response.
  • Subject Matter Experts (SME) – individuals with specific needed skillsets or those familiar with the applicable computing environment, who have the knowledge and access necessary to make any required changes to the systems or network.
  • UF Self-Insurance Program (SIP) – upon UF General Counsel’s determination that a security incident meets the threshold of a reportable cyber liability insurance incident, the SIP facilitates incident reporting to the carrier’s designated breach response contacts and manages the filing of a claim with the carrier if it becomes necessary. The SIP also coordinates response actions between the insurance carrier’s breach response team and UF’s CSIRT Incident Manager.
  • Forensics SME – a necessary SME skillset required to support CSIRT operations, belonging to individuals who can perform host-based and network forensics. Incident handlers performing forensic tasks are expected to have a reasonably comprehensive knowledge of forensic principles, guidelines, procedures, tools and techniques, as well as of anti-forensic tools and techniques that could be used to conceal or destroy data.
  • Third-Party Assistance – sources of help, such as external security experts, ISACs, etc. may be utilized as desired or appropriate. At the discretion of the CIO, and with input from the CISO and CSIRT Coordinator, third-party computer security incident response teams may be engaged in response to a security incident.