Information security incident response is a vital component of adequate information and cyber risk management. Effective incident response is a complex and multi-dimensional undertaking whose success depends on planning and resources.  The Incident Response Plan provides guidance for managing incident response with the primary objective to contain and mitigate the risks and issues associated with computer security incidents.

This document also outlines the high-level process and requirements for responding to and resolving security incidents such as:

  • Phishing attacks
  • Malware and viruses
  • Denial of resources or services
  • Unauthorized access or attempts to gain unauthorized access
  • Inappropriate use of network resources
  • Data breaches
  • Changes to system hardware, firmware or software without owner’s knowledge
  • Any other unlawful activity involving computer networks and processing equipment

The use of this plan will provide respondents dealing with an incident with the following:

  • A basic overview of the most common types of incidents
  • Direction for classifying the severity of an incident
  • Direction for who should and who must be notified, based on the severity
  • Recommendations for the makeup and responsibilities of the incident response team
  • Relationships to other policies and procedures and playbooks

The Incident Response Plan is an essential element of the Risk Management program. All units shall have an Incident Response Plan in place that is reviewed annually and ensure appropriate training and operational readiness to respond to an information security incident.

This plan addresses only adverse events that are information security-related, not those caused by natural disasters, power failures, etc.


The purpose of this document is to:

  1. Outline a process for responding to information security incidents along with roles and responsibilities
  2. Define the classification of information security incidents
  3. Provide a resource toolkit on incident management training (proactive) and handling (during a live incident).


The primary audience for this plan includes all information technology (IT) managers, non-IT unit leaders and all other employees at the University of Toronto who need to be aware of the incident response process and be able to escalate incidents to their leadership teams, including divisions/departments/faculties responsible for conducting or involved with information security investigations.

Additionally, all IT professionals at the University shall review the document to become familiar with the Incident Response process.


The Incident Response Workgroup under the Information Security Council will review and maintain this document on an annual basis. As such, this document’s audience shall review this document in the same frequency after its publication.


The Chief Information Security Officer (CISO) or their delegates are charged with executing this plan by virtue of its original charter and the Policy on Information Security and the Protection of Digital Assets.

Relationship to other policies

This plan supports the implementation of the Policy on Information Security and the Protection of Digital Assets.

Relationship to other groups at the University

The Information Security (IS) department acts on behalf of the University community to manage security incidents and will ask for cooperation and assistance from community members as required. The IS department also works closely with University administrative groups such as the Student Life Office, Human Resources and the Office of General Counsel and Freedom of Information and Protection of Privacy (FIPP) in investigations and e-discovery matters. At their behest or if directly requested, IS may also assist law enforcement.