An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending an email, and a firewall blocking a connection attempt.

Adverse events (alerts)

Adverse events (alerts) are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and the execution of malware that destroys data.

Machine or human analysis triggers alerts, and those alerts can lead to security incidents.

Security incident

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Examples of incidents are:

  • An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
  • Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
  • An attacker obtains sensitive data about the organization and threatens to release the details publicly if it does not pay a designated sum of money.
  • A user provides or exposes sensitive information to others through peer-to-peer file-sharing services.

In the University of Toronto context, incidents may be violations of the Policy on Information Security and the Protection of Digital Assets, the Policy on the Acceptable Use of Information and Communication Technology, other University policy, security standards, or code of conduct, or may threaten the confidentiality, integrity, or availability (CIA) of Information Systems or Institutional Data.

Incidents are established from many vectors, including but not limited to:

  • Monitoring systems,
  • Reports from faculty, staff and students,
  • Outside organizations,
  • Service degradations or outages.

Discovered incidents shall be declared and appropriately documented. IT security-related incidents may also cause service outages.


Data in the context of an incident is the data that has been or could have been accessed, exfiltrated, or publicly exposed due to the incident.  The data could reside on a compromised device or in another directly connected device or another device in the same network environment.

The University of Toronto Data Classification Standard identifies four data levels and what data types are included in each level.

Depending on the type of data exposed, the University may be responsible for different notification levels to the government or private bodies. The three primary laws or agreements related to data under which the University may need to report are:

  • Personal Health Information Protection Act (PHIPA)

    PHIPA is specific to health information and, in this context, the security of that data.

  • Freedom of Information and Protection of Privacy Act (FIPPA)

    FIPPA is related to personal data, and many things can fall under its purview, including communications with students, UTORids, employee records and research data. IS and the FIPP office can help clarify what does or doesn’t fall under FIPPA as data is identified.

  • Payment Card Industry Data Security Standard (PCI DSS or PCI)

    PCI is explicitly associated with credit card information and disclosure. In particular, exposure of full credit card numbers and expiry dates or magnetic stripe data is of concern.