skip to content

University cyber-security incident response process

The University cyber-security incident process, effective from 8 February 2023, was requested by the Information Services Committee (ISC) to improve the detection, visibility, and response to cyber-security incidents across the University.

The process details the relationship between institutional IT staff and the UIS CSIRT service including requirements, responsibilities and response times. 

It applies to all institutions connected to the University Data Network when a cyber-security incident is detected.

The process assumes University working hours are 09:00 - 17:00, Monday to Friday (excluding public holidays). 


Reporting a cyber security incident 

Non-IT staff and students

Non-IT staff and students should follow the reporting an IT security incident process and report all cyber security incidents to their institution’s IT support team. For some institutions this is the UIS Service Desk, but most institutions have their own local IT support staff.

Institutional IT staff 

Institutional IT staff should follow the step-by-step process outlined below, which has been designed to help institutions and UIS maintain a consistent approach to cyber-security incident response.

View PDF flow charts of the response process. 


When to report an incident to UIS CSIRT

  1. Reporting significant incidents

    Institution IT staff must report significant cyber security incidents to UIS CSIRT. The decision on whether an incident is significant and reportable to CSIRT is the judgement of institutional IT staff, but UIS recommends that it is reportable where a cyber-attack: 


    • demonstrates unusual or novel attack methods
    • constitutes an elevated risk to the institution or the wider University 
    • successfully compromised a server, device or user account
    • successful malware infection

Institutions must update UIS CSIRT when a significant incident is resolved. 

  1. Minor incidents

    If an incident is not significant, then it should be considered a minor security incident or event, and this does not need to be reported to CSIRT.  Examples of a non-reportable event include: 

    • a security vulnerability is discovered but there’s no evidence of exploitation 
    • a port scan from a remote IP address is detected
    • an easily identifiable phishing email
    • a small number of failed logins to an SSH server
  2. Malicious spam reporting

    Malicious spam, such as phishing emails, is very common and can be acted upon by the UIS. Generally this doesn't need any additional correspondance back to an institution. In this case malicious spam can be sent directly to the UIS spam reporting address,

  3. Worsening incidents

    Institutions must update UIS CSIRT if an incident under investigation significantly changes in scope or becomes potentially relevant to other University institutions. 


How to report an incident to CSIRT

These steps are a summary of the incident flow diagrams.

  1. If UIS is responsible for the affected IT service  

    • Send CSIRT a support request message (
    • CSIRT investigates and resolves the incident
    • CSIRT sends the institution an incident resolved message
    • The incident is closed
  2. If the institution is responsible for the affected service  
    • The institution sends CSIRT an incident notification or a support request message
    • CSIRT responds within 4 working hours
    • The institution investigates the incident following their local process, with advice and support from CSIRT if requested
    • The institution resolves the incident
    • The institution sends CSIRT an incident resolved message
    • The incident is closed
  3. If it's malicious email  
    • The institution forwards the email to or, if support is required, sends CSIRT a support request message which follows the process outlined above
    • CSIRT follows the malicious email incident process


Receiving a CSIRT security alert or advisory 

These steps are a summary of the incident flow diagrams.

Process for receiving a [CSIRT Alert] email 

  1. An email sent from UIS CSIRT that includes in the Subject line [CSIRT Alert] is a security alert. It may be important and should be treated as a priority.
  2. An institution receiving a new security alert from UIS CSIRT must send an acknowledgement within 8 working hours. An automatically generated reply from a service desk platform, or similar, is not sufficient and the acknowledgement must be written by a person.
  3. If UIS CSIRT does not receive an acknowledgement, it will contact the institution’s designated cyber-security incident escalation address. 

Process for receiving a [CSIRT Advisory] email

  1. An email from CSIRT marked [CSIRT Advisory] in the Subject line is a security advisory. Security advisories are a lower priority than alerts.
  2. CSIRT does not require an acknowledgement within 8 working hours, but the institution must inform CSIRT by email when the advisory has been resolved so that the incident can be closed.
  3. CSIRT may repeat unresolved advisories if they have not received a reply.

Process for UIS CSIRT

  1. When contacted by an institution's IT staff, UIS CSIRT must send an acknowledgement within 4 working hours. 
  2. UIS CSIRT will inform Jisc of any security incidents that meet Jisc’s reporting criteria described in the Janet Security Policy. 

Institutional cyber-security incident contacts

The ISC has instructed that all institutions connected to the University Data Network supply a contact role email address to receive security alerts and advisories from UIS CSIRT. 

Additionally, all institutions must supply a cyber-security incident escalation contact, including an email address, for the situation when a [CSIRT Alert] is not responded to within the agreed time.

UIS Service Desk

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

Change to Raven login screen from Tuesday 14 February

26 January 2023

New login screen for current University members The login screen for Raven-protected websites and applications will change from Tuesday 14 February for current members of the University. It will become the same screen most of you are already familiar with from logging in to your University Microsoft account to access, for...

Changes to Microsoft Stream video sharing from Tues 07 Feb

26 January 2023

26 January 2023 What’s happening UIS is disabling uploads to Microsoft Stream (Classic), the old version of the video sharing app, on Tuesday 07 February. The new version is called Stream (on SharePoint). Teams meeting recordings are already being automatically saved to Stream (on SharePoint). More information: Stream (on...

Institutional File Storage (IFS) service release new features to Self-Service Gateway

18 January 2023

18 January 2023 Several new features are now live on the Self-Service Gateway run by the Institutional File Storage (IFS) service. IFS is a service for institutions to store and share everyday documents with colleagues. IFS Data Owners and Data Managers can use the Self-Service Gateway  portal to buy and administer storage...