IT Incident Response Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for detecting, analyzing, prioritizing, and handling Information Security Incidents. Security incidents can occur when an FSU student, staff, contractor, or faculty member violates FSU security and privacy policies and standards, specific legal requirements, or contractual obligations. Malicious outside entities may also attempt to comprise systems. A prompt, effective response to a security breach may help minimize loss of information and disruption of services caused by incidents.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the Request for Exception to IT Security Policy.


II. Definitions

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Incident Response (IR) Plan – documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyberattacks against an organization's information system(s).

Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

IT Assets - technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems that are owned by, managed by and/or sponsored by IT Asset Custodians.

Full IT Glossary


III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function Category Desired Outcome
Supply Chain Risk Management (ID.SC):
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
Detect (DE) Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Respond (RS) Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
Recover (RC) Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g.  coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Full CSF Crosswalk to Controls: NIST Crosswalk

For more information on Security incident response best practices, see NIST Computer Security Incident Handling Guide, Special Publication 800-61 r.2.
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, servers, applications, databases, and operating systems.

For more information, see IT Roles and Responsibilities.

Security Incident Response Planning

Security incidents occur when an FSU student, staff, contractor, or faculty member violates FSU IT Policies and Standards, specific legal requirements, or contractual obligations. External entities may also target IT resources resulting in security incidents.

University Unit ISMs and CUU ISMs are responsible for ensuring appropriate Incident Response management and compliance for all IT Assets for the units within the CUU:

  • IT Asset Custodians are responsible for providing incident response information for IT Assets they manage.
  • University Unit ISMs are responsible for developing and maintaining an Incident Response (IR) Plan for the University Unit’s IT Assets.
  • University Unit IR Plans shall be made available to the CUU ISM. CUU ISMs are responsible for aggregating the University Unit Plans as needed to ensure a quick and coordinated response to incidents and dissemination of information to IR participants.
  • IR Plans must be reviewed and tested annually, or sooner if significant changes occur which could impact the plan.
  • IR Plans shall be made available to ISPO upon request.

Security Incident Response Steps


image of the Incident Response Steps Life Cycle
NIST Incident Response Life Cycle

IR Plans shall address the following phases of the Incident Response Life Cycle, commensurate with the value of the IT Asset and the level of risk:

  1. Preparation
    IT Asset Inventory - Inventory IT Assets, including but not limited to servers, networks, applications, and critical devices. Rank IT Assets by level of importance and risk to determine the level of appropriate response required for incidents. Risk level is determined by the IT Asset Custodian based on factors including, but not limited to:
  • the sensitivity and risk of harm to individuals or FSU if the IT Asset or High Risk/Moderate Risk data is subject to a breach or unauthorized disclosure. (For more information see .)
  • failure or loss of availability of a critical business function.
  • loss of productivity or other negative impacts to resources.

    Communication – Develop a communication plan including contact information for the primary and backup individuals responsible for managing the incident; internal, management or third-party personnel; and any others involved or required to be notified as defined by this Standard. Information to be reported includes contact information (names, phone numbers, email addresses, secure method of communication, and verification of identity instructions), timeframes, mechanisms for reporting and any other reporting requirements based on the type of incident. Identify security incident thresholds that would require investigation. Develop a process and baseline IR Plan for each type of incident to be used if needed.

    All dissemination of information to the media related to university IT security events will be managed by University Communications. Refer all information requests to that office.
  1. Detection and Analysis
    In addition to anticipated risks, focus on preparations to handle incidents that use common attack vectors (external/removable media, web, email attachments, theft of equipment, etc.). Information related to the incident must be gathered and appropriate research performed to determine the entry point, extent of the breach and any additional notifications required.

    Reporting requirements must be documented and may vary depending on the type of security incident and risk level.
  2. Containment, Eradication and Recovery
    Containment is intended to quickly patch the entry point of a threat before resources are overwhelmed or damaged. Containment strategies vary based on the type of incident, so each type of incident should have a containment strategy. Containment examples include system shut down, disconnection from the network or disabled functions.

    Eradication may be necessary after containment to eliminate the threat. If so, all affected hosts affected within the infrastructure must be identified and remediated. Eradication examples include deletion of malware, disabled breached user accounts and mitigation of vulnerabilities that were exploited.

    Recovery includes restoring systems to normal operations, confirming functionality and remediating vulnerabilities to prevent similar incidents. Recover examples include restoring systems from backups, rebuilding systems from scratch, installing patches and changing passwords.
  3. Post-Incident Activity
    This step focuses on follow-up, lessons learned, coordination and information sharing, and process improvements to reduce the likelihood of recurrence of similar incidents. Lessons learned should be used to update IR Plans.

For more information, see the NIST Security Incident Handling Guide, SP 800-61 r2 and CRR Supplemental Resource Guide, Vol 5 Incident Management.

Reporting Of Security Incidents

All Users
Users are responsible for safeguarding security tokens, smart cards, identification badges, or other devices used for authentication and access to secured IT facilities. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report the loss or suspected loss of any of these devices providing secured access to the appropriate unit or facility coordinator, and the University Unit ISM.

University Unit ISMs
University Unit ISMs are responsible for reporting all confirmed or suspected Information Security and Privacy Incidents to the CUU ISM and the Chief Information Security Officer (CISO) at

IT Asset Custodians
IT Asset Custodians are responsible for notifying the University Unit ISM and the CUU ISM of any security incidents, as defined by their IR Plan for the IT Asset.

University Unit ISMs and CUU ISMs
The University Unit ISM in conjunction with their CUU ISM, is responsible for coordinating and reporting suspected or confirmed security and privacy incidents with the appropriate entities, including but not limited to:

  • The CISO/ISPO will be notified immediately of all security incidents that are threatening other IT resources (e.g. hacking of a mail or webserver, etc).
  • FSU Police Department (FSU PD) will be notified of criminal activity and incidents such as threats to human beings or property, harassment or other criminal offenses involving user accounts, credit card fraud, child pornography, loss or theft of computing devices, breaches of Criminal Justice Information Services (CJIS) information and compromise of High Risk or Moderate Risk data. FSU PD will serve as liaison with other law enforcement entities (FBI, FDLE, other federal, state, and local) as needed.
  • The University Unit DDDH and CUU DDDH will be notified for security incidents involving payment card data breaches, suspected or actual incidents involving CUU IT Assets and critical systems, and compromise of High Risk or Moderate Risk data.
  • Incidents involving misuse of FSU IT resources by employees, employee misconduct (criminal or otherwise), and violations of the Acceptable Use of Technology Policy must be reported to the Office of Human Resources.
  • Incidents involving misuse of FSU IT resources by students must be reported to the Office of Student Rights and Responsibilities.
  • Incidents of a technical nature, including unauthorized computer access; compromise of Personally Identifiable Information (PII) or other Federal regulations (FERPA, HIPAA, GLB) and contractual obligations (PCI DSS); root attacks on critical IT Assets or the infrastructure; Denial of Service attacks that impair the availability of FSU computing resources; malicious code attach/malware; compromise of user logon account credentials; etc. must be reported to the CISO at immediately upon discovery.
  • Suspected fraud activities may also be reported to the FSU Ethics Pointhotline at 855-231-7511 or the FSU Ethics Point website.

See Information Technology Security and Privacy Incident Response and Reporting Procedures for additional information.

IV. Resources

CIS Tabletop Exercises
Sample tabletop exercises provide cybersecurity scenarios that can be used as a learning opportunity by CUUs in developing Incident Response Plans.

CRR Supplemental Resource Guide, Vol 5 Incident Management
This document provides information and sample templates for Risk Management and Incident Response planning.

CIS Control 17: Incident Response Management Controls Assessment
This document contains information about Incident Response

V. References

Back to Top | Back to Standards