Severity ratings of incidents
Categorization of incidents is based on the potential for exposure of sensitive data or the resource’s criticality, using a High-Medium-Low designation. The severity rating initially applied can be adjusted during the plan’s execution as the scope and contents of the systems involved are identified.
Security incidents – severity categories
High:
Significant fines, penalties, regulatory action, civil or criminal violations could result from disclosure. It could also cause significant harm to Institutional Information, major impairment to the Location’s overall operation, or the impairment of essential service(s). This impact level also includes lower-level impact items that, when combined, represent an increased impact. A security incident is severity “high” if any of the following characteristics are present:
- Threatens to impact (or does impact) systems critical to the University’s ability to function normally. This includes but is not limited to email, courseware, human resources, financials, internet connectivity, or portions of the campus network.
- Poses a serious threat of financial risk, reputational damage or legal liability.
- Threatens to expose (or does expose) a significant amount of Level 3 or Level 4 data as defined by the Data Classification Standard.
- Poses a significant threat of propagating to or attacking other networks or organizations internal or external to the University.
- Terroristic threats or other threats to human life or property.
Medium:
Unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could: (a) result in moderate damage to UofT, its students, employees, community or reputation; (b) result in moderate financial loss; or (c) require legal action. This impact level also includes lower-level impact items that, when combined, represent an increased impact. A security incident is severity “medium” if any of the following characteristics are present:
- Threatens to impact (or does impact) a significant number of systems or people. The University can still function, but a group, department, Unit, or building may not be able to perform its mission.
- Impacted systems may contain any level of data as defined by the Data Classification Standard, but only a limited amount of Level 3 or Level 4 data.
- Poses a moderate threat of propagating to or attacking other networks or organizations internal or external to the University.
Low:
Unauthorized use, access, disclosure, acquisition, modification, loss or deletion could result in minor damage or small financial loss, or affect the privacy of an individual or small group. Low-severity incidents tend to have routine solutions, have no characteristics from the “medium” or “high” categories, and may include the following:
- Impacts only a small number of people or systems.
- Impacted systems contain a limited amount of only Level 1 or Level 2 data or a minimal amount of Level 3 data as defined by the Data Classification Standard.
- Little to no risk of the incident spreading or impacting other organizations or networks.