Information Security Incident Response Policy

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: September 24, 2025

The University at Buffalo Information Security Office maintains an Information Security Incident Response Plan providing a framework which ensures information security incidents are managed consistently and effectively. This document provides a high-level overview of UB’s Information Security Incident Response Plan which incorporates the risk classifications for university data and administrative information as outlined in UB’s Data Risk Classification Policy and applies to the systems, research and administrative data, and networks of UB as well as any person or device which gains access to these systems or data.

  • If an incident is considered illegal or life threatening, contact the UBPD: 716-645-2222.
  • For suspected or confirmed information security incidents, contact the UBIT Help Center: www.buffalo.edu/ubit/help or 716-645-3542.

The University at Buffalo (UB, university) is committed to maintaining the effective operation of university IT systems, and ensuring the confidentiality, integrity and availability of university data. The information security threat landscape is dynamic and ever-changing. As technology advances, so do the risks and challenges faced by the university.

The University at Buffalo Information Security Incident Response Plan takes into consideration the sensitivity and value of the affected assets, is designed to ensure the integrity of UB data while minimizing service disruptions; and is intended to meet the university’s legal and/or regulatory obligations.

Please reach out to sec-office@buffalo.edu for additional details or a copy of the Information Security Incident Response Plan.

Applicability

This policy applies to all faculty, staff, student employees, contractors, and vendors who utilize UB’s information technology services. Compliance with this policy is mandatory. Individuals must understand their roles and responsibilities regarding information security and protecting UB’s data assets. The failure to comply with this or any other information security policy that results in the compromise of university data confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement.

Responsibility

Information Security Office (ISO)

  • Conduct periodic security reviews of systems approved for storing and handling protected data.
  • Develop and deliver enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the CISO.
  • Review and approve departmental collection, storage, and transmission of data when necessary, according to its classification.

Information Security and Privacy Advisory Committee (ISPAC):

  • Evaluate, develop, and recommend information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.

Vice President and Chief Information Officer (VPCIO)

  • Provide leadership for development and delivery of information technology (IT) services to the university. 
  • Oversee an enterprise IT services organization, Computing, and Information Technology (CIT), and work in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

Contact Information

Vice President and Chief Data Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu

Information Security Office 
Phone: 716-645-6997
Email: sec-office@buffalo.edu

Related Information

University Links

Data Risk Classification