Escalation Procedure for Extensive / Widespread Cybersecurity Incident

Extensive / Widespread incidents will be further reported to University Senior management.

  • Upon receiving report from IT Security Officer, Director of ITSC will report the incident to Associate Provost (Teaching & Learning) and Vice-President for Administration & Business within 24 hours on confirmation of the incident. They will decide collectively if further escalatation to the President and/or any legal action are necessary.
  • All server and network logs will be preserved. 
  • In addition, the incident will be handled in a manner acceptable for possible subsequent legal action. Namely,certified cybersecurity forensics experts will be engaged to assist the investigation and handling of evidence, with respect to the following actions:
    • Data acquisition : Use forensically safe method to obtain compromised image. 
    • Evidence handling : Evidence and its copies will be safely stored and protected. Detail transfer logs will be documented in order to preserve chain of custody.
    • Investigation : Investigation methods will be clearly documented in order to show it is comprehensive.
    • Reports will be prepared in a forensically sound manner when the incident is required to be admissible in court.

Milestone at different stages

  • Report will be provided when one of the following milestones is reached during the course of incident handling:
    • Early assessment on business impact 
    • Completion of containment and how the containment could protect the business.
    • Completion of incident eradication.
    • Final incident report is ready.
  • In case the next milestone cannot be reached within a month, a monthly update will be provided.