Information Security Incident Response Guidelines for LSPs
The University of Virginia Information Security, Policy, and Records Office (ISPRO) coordinates the response to and investigation of security and responsible-use incidents involving University information technology resources. This includes computer and network security breaches and unauthorized disclosure or modification of sensitive and legally protected data.
The information below applies only to security incidents occurring within the academic divisions of the University and Foundations. There are different instructions for reporting incidents at the Medical Center, Health Services Foundation, and UVa's College at Wise (and related foundations there).
All faculty and staff must report an incident to ISPRO as soon as it is identified. Of particular concern is a security incident that involves a computer hosting sensitive and legally protected data. [What exactly is an IT security incident?]
Here are some steps to help guide you through an identification and containment process:
- Find the device (computer, router, medical machine, etc.).
- Disconnect the network cable (not the power cable) from the computer.
- Scan the computer with Identity Finder for highly sensitive data.
- If Identity Finder reports highly sensitive data, complete an Incident Report as referenced in the Incident Reporting Policy. Reports should be made as soon as possible and no later than 24 hours from the time the incident is identified.
- Do not take any other action until advised by ISPRO.
- Do not talk about the incident with any other parties until you are authorized as part of the process outlined in this document.
If exfiltration of highly sensitive data is suspected or even possible, it is important that the computer remain in an unaltered state.
Time Is Critical
Immediately containing and limiting the exposure is the first priority. If the incident involves personal data, individuals involved in such incidents expect quick notification so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications.
ISPRO is charged with the investigation and coordination of incidents where sensitive and legally protected data is suspected to have been exposed. Upon receipt of the report, ISPRO will inform all appropriate University officials. Since the involvement of law enforcement in lost or stolen equipment is especially time-critical, lost or stolen electronic devices and media must also be reported directly to the UVa Police Department. If the incident did not occur in the Charlottesville-Albemarle area, it should be reported to the appropriate police jurisdiction instead.
- Guidelines for Identifying Sensitive and Legally-Protected Data
- UVa Police Department
- IT Security Risk Management
- Identity Finder to find SSNs on your system
- Reporting a Security Problem
- SANS Top 20 Internet Vulnerabilities
- Identity Theft
- Choosing Good Passwords
- Requirements for Securing Electronic Devices