Cybersecurity Operations Center – Critical Event Response

Critical event response is a function of the Cybersecurity Operations Center, whose goal is to mitigate critical risks and impacts to the university. It exists as a fundamental part of Security’s charge, obligations, provisions, and directives presented to it under the Campus Administrative Manual, “Appropriate Use of Computers and Network Systems”.

How do I contact Critical Event Response?

  • Report incidents or other urgent security events by emailing security@illinois.edu
  • If it’s urgent, call the 24×7 on-call responder at 217.265.0000, option 3
  • (Note: For general questions or non-urgent security support, email securitysupport@illinois.edu)

What do they do?

  • Incident intake, triage, validation, and response
  • Vulnerability/exposure intake, triage, validation, and response
  • Threat intake, triage, validation, and response
  • “Response” can include one or more of the following:
    • Situation containment
    • Mitigation
    • Critical consultation

Who they do it do it for?

University of Illinois (BOT, administration, by charter)

What timelines are standard?

  • Event triage within 24 hours of notice or detection.
  • Low severity events will be picked up no more than 96 hours from the time of triage.
  • Medium severity events will be picked up and worked no more than 48 hours from the time of triage.
  • High severity events will be picked up and worked no more than 4 hours from the time of triage.
  • Critical severity events will be picked up and worked no more than 1 hour from the time of triage.
  • Mitigation of critical events enacted on a prioritized “ASAP” premise.
  • As-needed emergent engagement with leadership enacted when administrative process is required due to standing requirements, commitments, laws, policies, or procedures.
  • Continual monitoring, scanning, intelligence gathering, and network interrogation techniques to be employed for the purpose of detecting cybersecurity vulnerabilities, threats, exposures, breaches, anomalous activity, risks borne from noncompliance, cybersecurity incidents, misconfigurations, or other activities and conditions which may  contribute to the risk posture of the university.
  • Notification provided to owners of record after mitigation actions are taken, as soon as is practical. A best-effort process will be employed to contact security liaisons and/or stewards. Process assumes contacts are registered and findable in the CDB, Security Liaisons registry, or otherwise immediately identifiable using established university enterprise constructs.

Possible Impacts

Critical Event Response’s main purpose is to mitigate and investigate critical cybersecurity conditions, incidents, and events. Since such events are commonly unplanned, this function can impact critical university operations adversely and without prior notice.

Deviations of Process

Any request to change mitigation or incident response processes or outcomes should be addressed to the Chief Privacy and Security Officer, carbon copying security@illinois.edu.  

This service/function expectation(s) documentation is provided such that all who engage with it may understand what any given service/function promises to do or provide, for whom, on what timeline, and how well.