Reporting a Security Incident

Quick Summary:

  • Do not attempt to investigate or remediate the compromise on your own.
  • Instruct any users to stop work on the system immediately.
  • Do not power down the machine.
  • Remove the system from the network by unplugging the network cable or disconnecting from the wireless network (turn on airplane mode).
  • Report the incident by contacting the support center at 989-964-4225 or by sending an email to support@svsu.edu.
  • ITS will identify the wired and wireless (if available) MAC addresses of the computer and supply those to networking so the computer can be locked into a quarantine VLAN.

Purpose

The purpose of this Procedure is to provide instructions for responding to an actual or suspected compromise of Saginaw Valley State University’s computing resources or SVSU’s data.

Definitions

  • Computing resources refers to any resource, computer, tablet, or phone owned by SVSU.
  • Data refers to all data generated or collected by SVSU. This includes, among other things, personal information on students, their parents, and employees; faculty or student research; and any SVSU proprietary data.

Applies To

This Procedure applies to anyone using Saginaw Valley State University’s computing resources who suspects that the security or privacy of these resources has been compromised. This Procedure also applies to situations where there has been no compromise, but someone suspects their computing resources are actively being attacked. This Procedure applies to SVSU-owned systems, and any time it is suspected that SVSU data may have been compromised. It does not apply to computing resources owned by students, or others, when SVSU data is not involved.

What is a security incident?

  • Theft or loss of a laptop, desktop, phone, or tablet that might contain SVSU data.
  • Intrusion by unauthorized individuals into a system that contains or handles SVSU data.
  • Disruption of service by a third party.
  • Unauthorized changes to network or server configurations.

Reporting a security incident

  • Call the support center at 989-964-4225, or send an email to support@svsu.edu.
  • The Support Center will create a “Security Incident” type ticket under Information Security.
  • The Support Center will escalate the ticket and make sure that the Information Systems Security Manager is notified and acknowledges the incident.
  • Include the following information when reporting a security incident:
    • Your name
    • Department
    • Email address
    • Telephone number
    • Description of the information security problem
    • Date and time the problem was first noticed (if possible)
    • Any other known resources affected
    • Specific details that indicate a system breach, vulnerability, or compromise of your computer
  • The Information Security team will respond to the reported incident with a plan for further containment and mitigation.

What action should be taken if a computer is suspected to be compromised

  • Do not attempt to investigate or remediate the compromise on your own.
  • Instruct any users to stop work on the system immediately.
  • Do not power down the machine.
  • Remove the system from the network by unplugging the network cable or disconnecting from the wireless network (turn on airplane mode).
  • Report the incident by contacting the support center at 989-964-4225 or by sending an email to support@svsu.edu.
  • A full-time ITS employee will be dispatched to disconnect the device from the network and label the device as "Do not touch / Machine in Quarantine. Contact IT Support x4225 if you have questions. Ticket ###." (It’s understood that disconnecting a device has implications like DB corruption, etc.)
  • ITS will identify the wired and wireless (if available) MAC addresses of the computer and supply those to networking so the computer can be locked into a quarantine VLAN.