Responding to an IT Security Incident

The following resources are for Security Unit Liaisons and unit IT managers:

Guidelines for Units

IT Security Incident Management Guidelines for University Units (U-M login required) provides detailed information about incident response roles and responsibilities for units and Information Assurance (IA). This guidance is intended for staff in U-M units who have information security responsibilities.

During the First 10 Minutes

Determine the severity of the incident. In the case of a serious incident, note that continued interaction with a compromised machine can severely affect later forensic analysis. When an incident is discovered, the unit should:

  • Contain the incident by:
    • Restricting network access
    • Disabling all remote access
    • Keeping the machine out of use
  • Preserve evidence by:
    • Collecting and preserving volatile data, such as memory contents, process information, network activity, etc.
  • And do not:
    • Run anti-virus software
    • Power down the machine
    • Attempt any kind of unilateral mitigation procedure

During the First 24 Hours

Report all actual or suspected serious incidents to: [email protected]. Also alert business owners and leadership, advising them to keep all details confidential until further notice. When you report an incident, please provide as much information as possible, including:

  • Your name
  • Department
  • Email address
  • Telephone number
  • Description of the IT security problem
  • Date and time the problem was first noticed (if possible)
  • Any other known resources affected

IA will contact the unit and develop a plan for further containment and mitigation.

Tips for Handling IT Security Incidents:

  • Stay calm. There is an established protocol for handling incidents, and IA is equipped to guide the process.
  • Sacrifice speed for correctness. Don’t act rashly.
  • Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
  • Every detail is important. Share everything you know with the IA incident coordinator(s).

Operating Level Agreement (OLA)

The IT Security Incident Operating Level Agreement (PDF) (U-M login required) describes the university's Computer Security Incident Response Team (CSIRT) and defines the roles and responsibilities of central offices for their participation in the U-M incident response processes for serious incidents.