How to Report a Computer Security Incident
August 19, 2011 1:28:58 PM PDT
If you are a system administrator, follow these steps to work with the Computer Incident Response Team (CIRT) and help:
- Manage security incidents at UCSD
- Combat rising security and accountability risks
- Reduce associated costs
Departments with internal incident response teams are still required to contact the CIRT in case of incident. The CIRT will work closely with your own security team to investigate the incident.
If you are not a system administrator and suspect a violation of your computer's security, contact your department's technical support person immediately. After hours, call the ACT Help Desk, (858) 534-1853.
- Do not turn off the machine.
- Do not remove the machine from the network.
- Do not look at the system to see what files are on it, or what might have been touched.
A security incident occurs when an unauthorized entity gains access to UCSD computing or network services, equipment, or data.
Review typical situations:
- You detect or get a report of a physical or criminal act, such as theft of a laptop, desktop computer, or PDA.
- A law enforcement representative contacts the University regarding a security incident.
- You suspect that a computer or other network device may have been compromised to allow the viewing, transferring, or alteration of student data, personal information, medical data managed under HIPAA, or other legally regulated data.
- You suspect a security problem with a desktop workstation and the person using the workstation:
- Works with personnel or financial data
- Connects to UCSD business databases (because the password may have been revealed, exposing this data)
- Works with personal information used for medical services or human subjects
- Submits student grades
- You suspect that a multi-user machine, a file, or a Web server may have been jeopardized.
Consider other questionable circumstances:
- Disruptive virus or Denial of Service (network is flooded with traffic) attacks are not security incidents because no unauthorized access was achieved.
- An unsuccessful attempt may not be a security incident, but may warrant investigation and action by the system administrator or the system's owner.
Report any incident you consider a possible threat.
- Contact the ACT Help Desk, (858) 534-1853. The Help Desk will contact the on-call CIRT representative, who will respond.
- Note: The earlier you contact CIRT, the more likely it is that CIRT will be able to help.
CIRT will work with you to:
- Preserve and use forensic evidence to discover the extent of the intrusion
- Determine and minimize risk and the possibility of future risk to the University
- Provide and maintain smooth and consistent interaction with law enforcement and university management
Note: CIRT cannot assist with cleanup and data recovery, except as they pertain to the situations above.
- Learn about the CIRT process for dealing with security incidents.
For more information, e-mail CIRT