Skip to Content

Division of Information Technology

  • A person wearing a ski mask looks suspicious in front of words such as fraud, hacker, and spyware.

Incident Response

Incident response is the process of dealing with a security incident to limit the amount of damage an attacker can do.

Report an Incident

You can report a security incident through the IT Service Portal.

The Incident Response Procedure


The purpose of the Incident Response Procedure is to establish necessary guidance for the initial evaluation, escalation, and remediation of a significant security event. A typical "significant" event is where there is a threat to a person, a mission-critical system, or university-owned sensitive data as defined by the data classification section of UNIV 1.51 [pdf].

By University IT Policy 3.00 [pdf], the University Information Security Office (UISO) is responsible for coordinating and investigating information security incidents.


The intended audience is anyone outside the UISO who will participate in incident response at USC. 


Check out the flowchart of our Incident Response Process [pdf].

For clarity, an asset could be a physical device, a cloud-based system, a user account, or SaaS subscription, or any other technology that the USC owns, pays for, or stores data belonging to the USC.

IMPORTANT:  If you are the IT manager, user, or administrator of suspected compromised IT asset(s), do not access or alter the asset(s) in any way until the UISO clears you to do so. Any access or alteration to the asset(s) could impact a potential investigation if the security event is classified as significant.

The UISO will begin investigating the event by classifying associated risks. This is accomplished by determining the following:

  • Was there a personal threat to an individual?
  • Was the department in the event occurred in known to handle or generate sensitive data?
  • Did the user(s) involved in the event have access to sensitive data?
  • Was there a significant risk of business disruption caused by this event (this would be ransomware or DDoS)
  • Was a particular person or group targeted? This would indicate intelligent, intentional malicious actions.

If any of the above are true, the UISO may initiate its Incident Response plan. There are two primary components to this plan:

  • The incident manager's checklist - This is a checklist of items that apply to the most significant breaches in security.
  • The incident playbooks - The UISO maintains a set of incident response procedures referred to in the event of a significant security breach.

In the event your area is involved in a "significant" breach of security and the IR Plan is initiated, the UISO will provide directions on what actions should be performed. Please be advised that the UISO coordinates with various other departments such as a General Counsel, Public Relations, and various other subject matter experts during security breaches. The UISO will keep the affected IT managers, department heads, and end users up-to-date with current happenings as quickly as is practical.

Coordination of events will be completed by the UISO's Security Operations Center.

In the event of a security issue that doesn't require execution of the IR Plan, the UISO will notify the relevant security liaisons with recommendations on remediating the event and assist when appropriate.


Challenge the conventional. Create the exceptional. No Limits.