Information Security: Responsibilities of Department/Unit Security Contacts

University Information Security (UIS) maintains a list of contacts for each department, college or unit. These contacts are designated by department IT staff or leadership to help with security incidents. They can be sysadmins, directors, IT staff who work with vendors, etc.

Department contacts have the following responsibilities:

  • Respond appropriately* to notifications in their area about security incidents (e.g. malware infections and jack shut offs), potential large-scale breaches or outages.
  • Assist UIS in identifying and investigating systems or hosts that generate security alerts.
  • Provide 24x7 contact information (mobile phone/pager) for a minimum of two people on the team who are responsible for security: a primary contact and a backup.
    • A defined process for paging the on-call contact using a system like PagerDuty is also acceptable.
  • Notify UIS if there are any changes to the contact list for the department or unit.

Additionally, the contact is responsible for responding appropriately based on the incident severity and urgency as defined below:

| Type of incident | Expected response time | Response |
|---|---|---|
| Unusual Notify email | In the next 72 hours | Reply to email with intent to look into it, actual steps taken can come later depending on activity investigated |
| Suspicious Shut off email | In the next 24 hours | Update to end user of alert and a plan of action shared with UIS |
| Malicious Shut off email | In the next 4-6 hours | Urgent intervention with the user and steps taken shared with UIS |
| Malicious RAMCAP request email | In the next 60 minutes | Immediate intervention with the user, collection of RAM and/or replace system with loaner (if applicable) |
| Phone Call/Page from UIS during major incident | In the next 15 minutes | Contact UIS immediately to learn more |
| Vulnerable System/Service Notification email | In the next 24 hours, or depending on severity of vulnerability | Contact UIS with acknowledgement and plan of action as determined in notification |