Computer Security Incident FAQs
Security Breach Procedures
Employees - What do I do if my network access has been terminated?
After a suspected computer's network connection is disabled, an e-mail is sent from UD IT Security (firstname.lastname@example.org) to a departmental contact (CITA, UD network registrant), describing the problem and the necessary recovery steps. If you registered the computer and you do not have a CITA, you'll need to check your e-mail from a nearby system or a public workstation. If you have a CITA, check with him/her to see if any problems have been reported. If your system's network port has been shut off:
1. Do not move the machine to another port or use the network via a wireless connection. This will only return a hacked system to the network and will require additional measures to ensure it stays off the network until it is fixed.
2. Do not turn the machine off or reboot unless instructed to do so. It is possible that processes started by an attacker may not get restarted after rebooting, which will make it more difficult to fix the problem. In addition, dormant programs left on the machine may be started during reboot. Leave your computer on and disconnected from the network unless otherwise instructed.
3. Do not attempt to repair the system. You will be contacted by your CITA or IT-User Services to have your system cleaned.
4. Determine whether unencrypted high-risk personal non-public information (PNPI, e.g., Social Security or credit card numbers) is stored on, or accessible from (e.g., via a networked drive), the system. If you have a CITA, you will be contacted by him/her to assist you in making this determination.
5. Preserve system logs and other data that might be useful in tracking the source and nature of the intrusion. Log information on your compromised machine may provide clues as to the nature, extent, and source of the attack. By preserving your system logs and relevant data, you can help UD IT Security determine whether personal information was actually taken during the breach. Also, if the attack is widespread, well-preserved system data can help trace the breach back to its source for a possible legal investigation.
6. Reply to email@example.com to indicate whether PNPI is present or not. If PNPI is present, you are required to preserve all information related to the breach. Nothing is to be removed or altered in a way that would make it impossible to know whose Social Security or credit card numbers, or other high-risk personal information, might have been taken (e.g., data files, system logs, and other data that might be useful in investigating the extent of PNPI stolen during the breach). The case will be referred to IT-User Services, who will conduct an assessment of the incident to determine whether PNPI was likely viewed and/or taken as a result of the security breach. See University Policy 1-22, Personal Non-Public Information Policy, for more information.
7. Your port will be re-enabled after the PNPI assessment is complete and your system has been cleaned.
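Step 4 asks whether unencrypted Social Security or credit card numbers are stored on the system. The following is an added example, not part of the UD procedure or any UD tool: a read-only Python scan over a directory that flags SSN-shaped strings and Luhn-valid card-shaped numbers, run here against constructed sample files in a temporary directory (the file names and contents are made up). It only reads files, so it does not alter the evidence that step 6 requires you to preserve.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for a departmental workstation's documents.
SAMPLE_FILES = {
    "roster.txt": "Jane Doe, SSN 123-45-6789, ext 4021\n",
    "orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "notes.txt": "Invoice 2024-0001 due 10-12-2023\n",
}
# SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: drops most runs of digits that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, match) pairs for SSN-shaped and Luhn-valid card-shaped strings."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits

def scan_tree(root):
    """Walk root read-only (nothing is written or deleted) and map file -> hits."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = scan_text(p.read_text(errors="replace"))
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings

def scan_samples():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return scan_tree(tmp)
```

Pattern matching of this kind produces both false positives and misses (encoded, compressed, or image-only files are not inspected), so its output supports, rather than replaces, the determination made with your CITA and IT-User Services.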