Reporting IT Security Incidents

Reporting IT Security Incidents

Procedure for Reporting IT Security Incidents

What is an IT Security Incident?

IT security incidents are potential attacks on digital assets. They jeopardize the confidentiality, integrity, or availability of digital assets and the data stored on it. It is also a threat towards violation of institutional security policies, security procedures, or acceptable use policies.

Source:

Impact of an IT Security Incident

Potential attacks can damage digital assets making them inoperable, unstable, or allow a threat actor to compromise and use them for their illicit purposes. Furthermore, theft of sensitive data pertaining to the University, employees, faculty, and students can be stolen. Reputational damage, loss of revenue, service disruption, or legal liability can also be incurred due to incidents.

Source:

Examples of an IT Security Incident

  • A malicious actor compromising, degrading, or destroying systems, networks, or services.
  • Attempted phishing attack executed via an email message to compromise user accounts, private information, or digital assets.
  • The loss or theft of a portable device – such as a laptop or smartphone – used by the institution.
  • Incidents resulting from a violation of acceptable usage policies by an authorized user.
  • System compromise through removable media (e.g., flash drive, CD) or a peripheral device.

Source:

Reporting an IT Security Incident

IT security incidents can cause great harm to the University community. For this reason, it is important to report it immediately if one is detected so it can be investigated, and the possible impact minimized. To report a suspected incident,

Report Information Report Details
Provide the Subject Matter
  • Possible Security Breach – Urgent
Provide Individual/Group Details:
  • Your name
  • Contact Details
  • If you are student, faculty, staff
  • Department name (if faculty or staff)
Provide Incident Details:
  • The type of incident that is occurring or occurred, and its category: Compromised user account, unauthorized access, insider breach, DDoS, destructive attack, data or system breach, malware attack, etc.
  • Who is or was impacted: User type (i.e. Students, employees, faculty, etc.)
  • The type of data that may have been affected: Names/addresses/email addresses, SSN's, unique student/employee ID's, etc.
  • What assets or services are or may have been affected: File shares, Gothicnet, Peoplesoft servers, etc.
  • How and when incident and discovery of incident occurred: Date and time that the incident was detected and how it was detected.
  • Who has been affected: University department or unit? Also include geographical location, if specific location is affected.
  • The negative impact the incident is having: Users can’t log on to their accounts, xyz services are down and the University cannot provide them to students, compromised account, etc.
  • What has been done to immediately contain the incident: System was disconnected from the network; user password was reset, etc.
Send Email To:

Do not tamper with the asset or environment believed to be compromised to avoid loss of evidence or changing anything that requires investigation.

If an electronic device has been compromised:

  • Do not access (do not logon) or alter compromised device.
  • Do not power off the compromised device to avoid loss of data or evidence.
  • Do unplug network cable (NOT power cable) from the compromised device, as well as disconnect from WiFi.

If a user account was compromised:

  • Disable the account(s) and have the password changed

Additionally, any suspected security incidents occurring outside of the University community can be reported through . For more information and sources, you can visit the