UC San Diego SearchMenu

How to Report a Computer Security Incident

When a security incident takes place, there are specific steps to take when working with the Computer Incident Response Team (CIRT).

If you are a system administrator, working with the CIRT will

  • Manage security incidents at UC San Diego
  • Combat rising security and accountability risks
  • Reduce associated costs

Departments with internal incident response teams are still required to contact the CIRT in case of incident. The CIRT will work closely with your security team to investigate the incident.

If you are not a system administrator and suspect a violation of your computer's security has occurred, contact your department's technical support person immediately. After hours, call the ITS Service Desk, (858) 246-4357 or extension 6-HELP.

If you suspect an incident has taken place:

Expand all

1. Don't touch the machine or system

  • Do not turn off the machine.
  • Do not remove the machine from the network.
  • Do not look at the system to see what files are on it, or what might have been touched.

2. Find out what constitutes a security incident

A security incident occurs when an unauthorized entity gains access to UC San Diego computing or network services, equipment, or data. Typical situations include:

  • You detect or get a report of a physical or criminal act, such as theft of a laptop, desktop computer, or mobile device.
  • A law enforcement representative contacts the university regarding a security incident.
  • You suspect that a computer or other network device may have been compromised to allow the viewing, transferring, or alteration of student data, personal information, medical data managed under the Health Insurance Portability and Accountability Act (HIPAA), or other legally regulated data.
  • You suspect a security problem with a desktop workstation and the person and/or the workstation:
    • Works with personnel or financial data
    • Connects to UC San Diego business databases
    • Works with personal information used for medical services or human subjects
    • Submits student grades
  • You suspect that a multi-user machine, file, or web server may have been jeopardized

Non-Incidents

  • Virus or Denial of Service (network is flooded with traffic) attacks are not security incidents because no unauthorized access was achieved.
  • An unsuccessful attempt may not be a security incident, but may warrant investigation and action by the system administrator or the system's owner.

3. Request assistance from IT Services Security

Report any incident you consider a possible threat. Contact the IT Service Desk, (858) 246-4357 or extension 6-HELP. The Help Desk will contact the on-call CIRT representativeto respond. The earlier you contact the CIRT, the more likely it is that the CIRT will be able to help.

4. Cooperate with the CIRT

The CIRT will work with you to:

  • Preserve and use forensic evidence to discover the extent of the intrusion
  • Determine and minimize risk and the possibility of future risk to the university
  • Provide and maintain smooth and consistent interaction with law enforcement and university management

The CIRT cannot assist with cleanup and data recovery, except as they pertain to the situations above.

  • Learn about the CIRT process for dealing with security incidents.

Expand all