Procedure for Reporting Suspected Security Incidents
Approval Date: 2010-03-25
Effective Date: 2010-03-25
Responsible Unit: Information Technology Services
A security incident refers to any event in which sensitive electronic data may be disclosed, altered, or destroyed by an unauthorized individual. Theft or loss of a computer or storage device, interception of login credentials by a keystroke logger, or the presence of a 'hacker' on a computer system are all examples of security incidents.
Any employee who becomes aware of a possible security incident involving sensitive electronic data will immediately inform his or her immediate supervisor and the campus-specific IT Service Desk. The service desk will immediately notify the Senior IT Director/Manager at the appropriate campus, or their IT Security Officer. The supervisor will inform the responsible unit head and will verify the circumstances of the possible incident. As soon as it has been confirmed whether or not the incident occurred, the supervisor will inform both the responsible unit head and the University Privacy Officer if a breach of personal information is suspected. This confirmation will occur within 24 hours of the initial report.
IT Service Desk contact information:
St. John's Campus 864-4595
Marine Institute 778-0628
Grenfell Campus 639-2049
If the system in question is powered on and running, do not shut it down; doing so will destroy whatever evidence currently resides in volatile memory. Instead, unplug the system's network cable, or switch off the wireless adaptor if the system is wirelessly networked. This limits the incident while preserving the evidence in volatile memory.
Suspected security incidents can be stressful, and stress can lead to panic and confusion. After isolating the affected system and informing the IT Service Desk, take a moment to document whatever details led you to believe an incident has occurred; e.g., missing files, suspicious new files, strange programs running, where the device was last seen, etc. Doing so may aid in the resulting investigation.