Information + Technology Services

IT Security Incident Reporting Protocol

All computer security incidents should be reported to the Information Security and Enterprise Architecture Group. This enables ISEA to monitor and investigate computer security incidents involving University hardware and users. ISEA is able to draw upon other resources within ITS to protect University networks and systems in order to minimize disruption of services caused by such incidents.

ISEA keeps track of the number and type of security incidents in order to provide regular reports to senior management on the state of University networks.

Incident Reporting Protocol

How should incidents be reported?

To ensure that ISEA is able to investigate incidents, it is critical that any system logs (in the case of hacking attacks or unauthorized access) and e-mail headers (in the case of incidents involving the use of e-mail) are saved. Detailed logs should include information such as the date and time of the attack, IP numbers, protocols used, etc. Since forging e-mail addresses is quite easy to do, it is important that e-mail headers are forwarded to ISEA to enable them to identify the origin of an e-mail message. If you are using Outlook, you can view and copy the e-mail headers of a message as follows:

  • Open the message, click on View, and choose Options from the drop-down menu. The system will open a window which includes the Internet headers.
  • Highlight the headers using your mouse, then right-click and Copy the headers.

Incident response tracking procedure
  • A report is sent to security.admin@utoronto.ca.
  • If necessary, the individual submitting the incident report is asked to forward logs, e-mail headers, or other information necessary to assist the University in investigating the incident.
  • The incident is assigned to an individual within ISEA for investigation.
  • The System/Network Administrator responsible for the system from which the incident originated is contacted and asked to investigate.
  • The System/Network Administrator investigating the incident reports his/her findings and actions taken to ISEA.
  • If necessary, the incident is escalated to management for further action (such as authorizing the suspension of network connections, user accounts, etc.) as necessary to minimize the effect of the incident on the rest of the University community or outside resources.
  • Once the incident is resolved, the individual who submitted the report is notified and informed of the status of the incident report.

To whom should incidents be reported?

Generally speaking, incidents should be reported through your local System/Network Administrator. If you do not have an Administrator or do not know who your Administrator is, you may contact ISEA directly by sending us an e-mail.

What sort of incidents should be reported?
  • Hacking attacks
  • Unauthorized access to computing resources
  • Harassment and threats received in e-mail
  • Denial of service attacks
  • Malicious code (viruses, worms, etc.)