University information technology (IT) resource owners and overseers providing technology support for others are often the first to respond to information security incidents that are reported involving the resources these IT professionals manage. This document is intended to provide guidance for these individuals, bearing in mind that although it is critical to act quickly to contain an active incident, it is equally important to preserve evidence for investigative purposes and/or prevent reoccurrences. Depending upon the type of incident reported, these first responders often assist in response by performing triage to identify and/or contain an active incident. However, in all cases, users are required report the incident within one (1) hour. Time is critical during an active incident, and reporting an incident promptly will allow more time for the Information Security office to identify the root cause and implement measures to contain the threat.
Important triage guidelines for University IT professionals who witness or receive a report of an information security incident:
- Do NOT wipe the device or otherwise attempt to remediate the issue
- Leave the device powered on (preserving evidence)
- Disconnect the device from the network, both wired and wireless
- Report the security incident
Additional guidelines for Incidents involving a lost or stolen device:
IT professionals managing the equipment in question must:
- Interview the device user to determine whether a backup or recent Data Loss Prevention (DLP) scan indicates that it contains sensitive information.
- Provide this information to the Information Security office when submitting the incident report.