Incident Management & Communication
Communication Checklist
This document provides a high-level overview of the communication flow that needs to take place during a Severity 3 (Sev 3), once a Sev 3 has been declared.
<<University>> IT divisions will assess incidents as normal – once elevated to a Sev 3, initiate this checklist.
Normal Business Hours (8:00am – 5:00pm): Applies to weekdays and non-holidays.
Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm)
1  Determines if <<University>> Security, and/or
Manager On <<University>> Facilities need to be engaged. If yes,
Call (MOC) engages each required unit (18, 19, 20).
 Declares Severity 3 Incident.
 Notifies Customer Contact Centers. If no one is
available to answer the call, the answering service
process will kick in.
 Direct Operations Center to maintain CHRON until
scribe is identified.
 Notifies IMOC (3). Provides them with a brief of the
situation.
 Assembles and leads technical teams/technicians that
must be on-site unless otherwise directed by IMOC.
Determines meeting location and initiates Phone Bridge
if needed
 Identifies relevant vendors that may be needed.
 MOC will determine if techs need to forward their
phones (internal calls only) allowing uninterrupted
problem solving.
After Hours
 Determines if <<University>> Security,
<<University>> Facilities, and/or Rochester
Management need to be engaged. If yes, engages each
required unit (18, 19, 20).
 Declares Severity 3 Incident.
 Notifies Customer Contact Centers. If no one is
available to answer the call, the answering service
process will kick in.
 Begins and maintains CHRON until scribe is identified.
 Notifies IMOC (3). Provides IMOC with a situation
brief and determines on-site support needs. Determines
resources that need to be on-site. Potential use of ITS
Alert (www.g2alert)
 Assembles and leads technical teams/technicians that
must be on-site unless otherwise directed by IMOC.
Determines meeting location and initiates Phone Bridge
if needed
 If incident is over 12 hours, coordinates staffing
schedule
 Identifies relevant vendors that may be needed.
 If the Customer Contact Center is not open, MOC for
affected department(s) is responsible for coordinating
customer communication.

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm)
2  Provide customers with IMOC-supplied information
<<University>>
IT Customer
Contact  Ensures MOC(s)/MOC Designee of affected
Centers department(s) was notified and is aware of the situation.
 Notifies both service center staff members.
 Provides guidelines for customer communication as
determined by the IMOC, MOC, and Communications
Manager or other key players as needed based on
incident type.
 Triages calls and provides updates as requested by
MOC.
 The Center serves as a hub to coordinate the
communication with customers and IT contacts. The
center is effective at handling this communication.
Keeps the customer list up-to-date and monitors the
service impact by customer base through direct
customer contact.
 Periodically checks in with customers to assess the
situation (Are fixes working? Are users still
experiencing problems?) – be sure to include faculty,
staff, and students in relevant locations.
Incident Management & Communication
After Hours
 Provide customers with IMOC-supplied information. If
center is not open, MOC for affected department(s) is
responsible for this communication.
 Ensures MOC(s) of affected department(s) was notified
and aware of the situation.
 Provides guidelines for customer communication as
determined by the IMOC, MOC, and Communications
Manager or other key players as needed based on
incident type.
 Triages calls and provides updates as requested by
MOC.
 The Center serves as a hub to coordinate the
communication with customers and IT contacts. The
Center is effective at handling this communication.
Keeps the customer list up-to-date and monitors the
service impact by customer base through direct
customer contact.
 Periodically checks in with customers to assess the
situation (Are fixes working? Are users still
experiencing problems?) – be sure to include faculty,
staff, and students in relevant locations.

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm)
3  Evaluates the situation and gathers all the facts from
Incident MOC.
Manager On-  Notifies CIO and Directors (5,7).
Call (IMOC)  Initiates IMOC Phone Bridge, if necessary
 <<Phone Bridge number>>
 Call Information Security MOC to review situation and
determine if there has been a breach [SKIP this step if it
is clear that the event is NOT security related; see next
page for detail]. Information Security Office will make
one of three decisions (see item 6 for details):
1. Security Controlled
2. Security Related
3. No Security Impact
 Engages Communications Manager and Scribe (8,9).
 Contact Production Control MOC to review impact of
incident with scheduled production jobs. Internal
communication should reflect potential impacts.
 Notifies University IT or directs the Communications
Manager to send out notification (11). .
Communication should provide a brief of the situation,
what the solution is, and if the event is still ongoing.
May use Mass Notification if deemed necessary.
 Provides regular updates to the CIO office.
 Schedules and leads post-mortem/de-brief session.
Incident Management & Communication
After Hours
 Evaluates the situation and gathers all the facts from
MOC.
 Notifies CIO and Directors for after hour incidents.
 Initiates IMOC Phone Bridge, if necessary
 <<Phone Bridge number>>
 Calls in Information Security MOC to review situation
and determine if there has been a breach [SKIP this step
if it is clear that the event is NOT security related; see
next page for detail]. Information Security Office will
make one of three decisions (see item 6 for details):
1. Security Controlled
2. Security Related
3. No Security Impact
 Coordinates CHRON and scribe duties. Calls in staff for
communications and scribe duties if needed.
 Contact Production Control MOC to review impact of
incident with scheduled production jobs. Internal
communication should reflect potential impacts.
 Communicates with key people & customers during
event.
 Prepares a communication for release to University IT
and external groups in early AM next business day.
Communication should provide a brief of the situation,
what the solution is, and if the event is still ongoing.
May use Mass Notification if deemed necessary
 Meets next morning AM with communications manager
to discuss future communications and follow-up (if
required).
 Schedules and leads post-mortem/debrief session.

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm)
4 Technicians will be required to be on-site unless otherwise
IT Technical directed by the IMOC or MOC.
Staff / If MOC determines, technicians can forward internal calls
Technicians on for short periods of time.
Call  Troubleshoots problem and begins working on
solutions.
 Retrieve Technical Recovery Guides (TRG’s) for
services affected.
 Provides regular updates to MOC.
 Participates in vendor calls as needed.
 Periodically checks in with other IT staff members to
assess the situation – be sure to include members in
other locations.
 Periodically checks in with customers to assess the
situation (Are fixes working? Are users still
experiencing problems?) – be sure to include faculty,
staff, and students in relevant locations.
 Avoid incoming customer calls. These are distractions
to solving the issue at hand. If they are calling your
phone, route them to the Call Centers (2).
 Do not speak with internal or external media. Direct
them to <<University>> Communications.
5 May be onsite or working from home as determined by
IT Director - of
 Participates in discussions lead by MOC and IMOC.
affected unit(s)
 Provides support to technical teams.
 Provides any other support that may be needed to help
resolve the incident.
Incident Management & Communication
After Hours
Technicians will be required to be on-site unless otherwise
directed by the IMOC or MOC.
 Troubleshoots problem and begins working on
solutions.
 Retrieve Technical Recovery Guides (TRG’s) for
services affected.
 Provides regular updates to MOC. If off-site, calls into
MOC Phone Bridge if needed
 Participates in vendor calls as needed.
 Periodically checks in with other IT staff members to
assess the situation – be sure to include members in
other locations.
 Periodically checks in with customers to assess the
situation (Are fixes working? Are users still
experiencing problems?) – be sure to include faculty,
staff, and students in relevant locations.
 Avoid incoming customers calls. These are distractions
to solving the issue at hand. If they are calling your
phone, route them to the Call Centers (2).
 Do not speak with internal or external media. Direct
them to <<University>> Communications.
MOC.
 Participates in discussions lead by MOC.
 Provides support to technical teams.
 Provides any other support that may be needed to help
resolve the incident.
 Incident Management & Communication

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm) After Hours

6 1. Security Controlled May be onsite or working from home as determined by the

Information  Situation is critical and may involve highly type of security incident.
Security sensitive data. 1. Security Controlled
 Security Office takes control of incident  Situation is critical and may involve highly
Security Controlled management and IMOC coordinates sensitive data.
Examples: communications.  Security Office takes control of incident
 Missing person  Engages University Legal and/or University HR management and IMOC coordinates
 Crimes (domestic (20,21). communications.
and international)
 Develops and distributes communications on a  Engages University Legal and/or University HR.
 Major security limited basis. Some events will require Security
breach  Develops and distributes communications on a
Office to keep all details confidential. Determines limited basis. Some events will require Security
(if critical security situation) what information can Office to keep all details confidential. Determines
Security Related be shared beyond the Security office.
Examples:
(if critical security situation) what information can
 If services are impacted, public communications be shared beyond the Security office.
 Worm outbreak
will be determined by Security Office. If servers are  If services are impacted, public communications
 Virus problems down, notifies Operations Centers. will be determined by Security Office. If servers are
2. Security Related down, notifies Operations Centers.
 Reviews situation and gathers facts from 2. Security Related
technicians.  Reviews situation and gathers facts from
 Participate in troubleshooting and helps to technicians.
implement solution.  Participate in troubleshooting and helps to
 Begins a parallel communication stream as may be implement solution.
required by specific incidents.  Begins a parallel communication stream as may be
3. No Security Impact required by specific incidents.
 Takes no action unless specifically asked to. 3. No Security Impact
Incident is NOT security related in any way.  Takes no action unless specifically asked to.
Incident is NOT security related in any way.

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm)
7  Receives details about incident from IMOC.
CIO’s Office  Provides incident brief to Provost and President (12,13).
 Provides business perspective (big picture) for the
incident.
8  Gathers details about incident.
Communication
 Crafts messages for internal and external use.
Manager and/or
 Identifies appropriate communication channels.
Other
 Deploys communications according to incident
Designated IT
timeframe through identified channels/Working with
Employees MOC and IMOC. [All Channels]
(Set up where main
 Provides guidelines for communications to the
communication is
taking place) Customer Service Centers and to the IT Admins so they
can handle calls appropriately and deliver the same
message (2,10).
 Identifies channels for post-incident follow-up and
helps prepare messages for those channels.
 Retain copy of all communications for debrief session
and for audit purposes.
Incident Management & Communication
After Hours
 Receives details about incident from IMOC.
 Decides if the Provost and President should be notified
before the start of the next business day.
 Gathers with IMOC next business day morning to
review event and provides business perspective (big
picture) for the incident.
Picks up the next business day to continue on-going
communications (internal and external) or to assist in
closing out the incident.
If incident is closed:
 Sends final communications if closed.
 Identifies channels for post-incident follow-up and
helps prepare messages for those channels.
 Retain copy of all communications for debrief session
and for audit purposes.
If incident is still open:
 Gathers details about incident and reviews CHRON.
 Crafts messages for internal and external use.
 Identifies appropriate communication channels.
 Deploys communications according to incident
timeframe through identified channels/Working with
MOC and IMOC. [All Channels]
 Provides guidelines for communications to the
Customer Service Centers and to the IT Admins so they
can handle calls appropriately and deliver the same
message.
 Identifies channels for post-incident follow-up and
helps prepare messages for those channels.
 Retain copy of all communications for debrief session
and for audit purposes.
 Incident Management & Communication

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm) After Hours

9  Takes detailed notes during event to help complete the Picks up in the AM of next business day.
Scribe CHRON and serve as a record of the event. If incident is closed:
(Set up where main  Types up info in CHRON template and distributes to
communication is  Types up info in CHRON template and distributes to
team at regular intervals during incident. team at regular intervals during incident.
taking place)
 Prepares and send final CHRON at close of incident.  Prepares and send final CHRON at close of incident.
Provides this info for debrief meeting. Provides this info for debrief meeting.
If incident is still open:
 Reviews CHRON already completed.
 Continues CHRON and takes detailed notes during the
event.
 Types up info in CHRON template and distributes to
team at regular intervals during incident.
 Prepares and send final CHRON at close of incident.
Provides this info for debrief meeting.
10 In the AM of next business day:
IT Office  Uses guidelines for communications to customers when
 Uses guidelines for communications to customers when
Admins responding to calls that may come in from various
areas. responding to calls that may come in from various
areas.
11 In the AM of next business day:
IT Staff  Uses guidelines for communications to customers when
 Uses guidelines for communications to customers when
Members responding to calls that may come in from various
areas. responding to calls that may come in from various
areas.
12  Receives regular updates from CIO.
Provost  Disseminates info as needed to key staff members.
13  Receives regular updates from CIO.
President  Disseminates info as needed to key staff members.
14
Other

University
Executives
 Incident Management & Communication

Management Steps
Communication Flow
Normal Business Hours (8:00am – 5:00pm) After Hours

15

Students
16 
Faculty /
Departments or
Divisions
17 
University Staff
18  Participates as required by incident.  Participates as required by incident.
University
Security
19  Participates as required by incident.  Participates as required by incident.
University
Facilities
20  Participates as required by incident, specifically when  Participates as required by incident, specifically when
University security related. security related.
Legal
21  Participates as required by incident, specifically when  Participates as required by incident, specifically when
University HR security related. security related.