Computer Security Incident
Reporting a Computer Security Incident
In the event of a security incident concerning a computer hosting sensitive institutional or personal data, the unit must take immediate action to report the incident to the University IT Security and Compliance Office (ITSCO) AS SOON AS THE INCIDENT IS SUSPECTED.
Examples of incidents include:
- Denial of Service (DoS)--an attack that prevents or impairs the authorized use of network, systems, or applications by exhausting resources.
- Malicious Code--a virus, work, Trojan horse, or other code-based malicious entity that successfully infects a host.
- Unauthorized Access--a person gains logical or physical access without permission to a network, system, application, data, or other IT resource.
- Inappropriate Usage--a person violates acceptable use of any network or computer policies.
- Multiple Component--a single incident that encompasses two or more incidents; for example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.
Of greater concern is the loss of control of vital systems and loss of sensitive data in the care of Samford University.
IMMEDIATELY CALL, no matter what time of day or night or weekday or weekend or holiday, until you get to a human. Try in this order: Technology Services Help Desk at 205-726-2662 (24X7); Dennis Self at 205-726-2692 or 205-447-0800. If you reach the Help Desk, ask them to PAGE THE IT SECURITY & COMPLIANCE OFFICE. A representative from the ITSCO will then call you back. Please ALSO email firstname.lastname@example.org with details of the suspected exposure. Please DO NOT simply leave voicemail or send email - please ensure you reach a human, because it is CRITICAL that we begin response procedures immediately.
***DO NOT TAKE ANY ACTION until advised by the IT Security and Compliance Office***
***DO NOT touch, attempt to login, or alter the compromised system. DO NOT power it off. These actions will delete forensic evidence that may be critical to your incident***
***DO Unplug the network cable from the computer to disable any further Internet operation. If WiFi or Bluetooth is in use, notify ITSCO immediately.***
***DO NOT TALK about the incident with any other parties until you are authorized as part of the process***
ITSCO is charged with investigation and coordination of incidents where sensitive institutional or personal data is suspected to have been exposed. ITSCO has arranged for licensed forensic engineers to assist if warranted. Official records of the incident are maintained and tracked.
When ITSCO is notified, an Incident Team will immediately be assembled to advise and assist in containing and limiting the exposure, in investigating the attack, in obtaining the appropriate approvals, and in handling notification to the affected individuals and agencies. The incident still "belongs" to the unit experiencing the exposure; ITSCO's mission is to assist you.
A procedure document (kit) will be provided that contains the information needed by your unit, in cooperation with the other individuals on your Incident Team, to handle the incident. The University IT Security and Compliance Office in Technology Services has oversight responsibility to assist the unit in taking all necessary steps and in obtaining all necessary approvals. However, it is the responsibility of the unit to identify the resources needed to lead and accomplish an appropriate and timely resolution to the incident. Collect and record staff time spent weekly during the event in order to be able to track the cost of the incident, especially if the suspect will be charged with a crime.
TIME IS CRITICAL. Immediately containing and limiting the exposure is first priority. In certain situations, we must notify legal entities within a brief period on becoming aware of the incident. In others, we must notify our Merchant Bank involved within 24 hours. The forensic process can vary widely on each incident. Please be patient and cooperative during this process. Also, individuals involved in such incidents expect expeditious notification to them so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications. AT SAMFORD UNIVERSITY, OUR GOAL IS TO NOTIFY THE INDIVIDUALS AFFECTED WITHIN ONE WEEK OF OUR BECOMING AWARE OF THE EXPOSURE.
Examples of Sensitive Data
Note: This list is not exhaustive. Often, context plays a role in data sensitivity.
Note: Although laws or regulations might not require notification to individuals for some types of data, Samford University may still choose to do so, and in fact will usually err on the side of caution and go ahead and notify. Always report the incident to ITSCO, so that the appropriate university officials have the opportunity to evaluate whether or not notification is the right thing to do.
1. Social Security number (SSN)
2. Credit card number (CCN), also call Primary Account Number (PAN) - Visa, MC, AMEX, Discover, Diner's Club - Acct number, Exp date, Cardholder name, Cardholder address, Track 1, Track 2, CVC2, CVV2, PIN
3. Banking information.
4. Driver's license number, other financial account numbers/security codes.
5. FERPA protected information - student information, grades, etc.
6. HIPAA protected information - health, medical, psychological information
7. University restricted data - limited access, university internal
8. Anything that can be used to facilitate identity theft (ex. birth date, mother's maiden name).
9. Tax information.
10. Credit reports.
12. Illegal data (child pornography, etc.)
13. Human subjects research data.
Examples of Non-Sensitive Data:
1. Publicly available information that is lawfully made available to the public from records of another federal or local agency.
2. Information that would appear in the telephone directory.
3. Only last 4-digits of social security number or credit card number.
4. Faculty/staff email.
5. Encrypted data (if encryption is strong enough and encryption key is sufficiently secured).
6. In some cases, password-protected data.