IT Security Incident Response Guidelines for LSPs
The University of Virginia IT Security and Policy Office coordinates response and investigation of security and responsible use incidents of University information technology resources. This includes computer and network security breaches and unauthorized disclosure or modification of sensitive and legally protected data.
The information below applies only to security incidents occurring within the academic divisions of the University and Foundations. There are different instructions for reporting incidents at the Medical Center, Health Services Foundation, and UVa's College at Wise (and related foundations there).
Reporting Steps
All faculty and staff must report the incident to the University of Virginia IT Security and Policy Office as soon as the incident is identified. Of particular concern is a security incident that involves a computer hosting sensitive and legally protected data. [What exactly is an IT security incident?]
Here are some steps to help guide you through an identification and containment process:
- Find the device (computer, router, medical machine, etc.).
- Unplug the network cable (not the power cable) from the computer.
- Do not power off. In the worst case, memory, cache, and running programs will need to be examined, and powering off destroys volatile forensic evidence that may be critical to your incident.
- Do not attempt to log in to, or otherwise alter, the compromised system.
- Ask the user what data was on the drive. [Guidelines for Identifying Sensitive and Legally-Protected Data]
- Immediately report the incident to the Security and Policy Office as referenced in the Incident Reporting Policy. Complete the form. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.
- Do not take any other action until advised by the IT Security and Policy Office.
- Do not talk about the incident with any other parties until you are authorized as part of the process outlined in this document.
Time Is Critical
Immediately containing and limiting the exposure is the first priority. If the incident involves personal data, individuals involved in such incidents expect quick notification so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications.
The University Information Technology Security and Policy Office is charged with investigation and coordination of incidents where sensitive and legally protected data is suspected to have been exposed. Upon receipt of the report, the Information Technology Security and Policy Office will inform all appropriate University officials. Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.
Related Links
- Guidelines for Identifying Sensitive and Legally-Protected Data
- UVa Police Department
- IT Security Risk Management
- Identity Finder to find SSNs on your system
- Reporting a Security Problem
- SANS Top 20 Internet Vulnerabilities
- Identity Theft
- Choosing Good Passwords
- Requirements for Securing Electronic Devices