Report Security Incidents (Compromised Data, Virus, etc.)
This article applies to: Security & Policy
- Report incidents immediately.
- Take steps to protect evidence.
- Contact your Security Liaison.
Provide incident details to the IT Security office. To the best of your knowledge, please let us know:
- The nature of the incident. Was a system or application compromised? If so, how?
- When the incident occurred and when it was discovered.
- How the incident was discovered.
- The scope of the incident: how many systems and how many users are affected.
- Whether any sensitive data (confidential, regulated, etc.) was stored on the affected systems or accessed during the time of compromise.
- All available, relevant logs (include logs from the affected system as well as firewall, domain, and IDS logs).
- All applications that reside on the system (include databases, servers, and user applications).
- Where the most recent backup resides, how often the system was backed up, and when it was last backed up.
- Who should have access to the system, when they should be accessing it, how they should be accessing it (console, VPN, etc.), and what data they should be accessing.
Coordinate additional response with the IT Security Office.
- Depending on the nature of the incident, it may be necessary for the IT Security Office to perform analysis on the affected systems. Local support providers may be asked to participate in this analysis. This could include assistance with the creation of disk images of the affected resources, confirmation of system configuration and activity, and validation of any remediation tasks.
- Follow guidelines to recover from the system compromise.
Reporting security incidents is mandated by Policy 5.4.2, Reporting Electronic Security Incidents.