Responding to an IT Security Incident

Guidance for all faculty, staff, and students

As soon as possible (e.g., in the first ten minutes):

  • If you think a device may be impacted, for example if you have given remote access to your device to a threat actor, do not continue using it as normal. 
    Note: If you are unable to contact unit IT staff for assistance in the first ten minutes, shut down the device.
  • Change your UMICH password. (DO NOT use a device that you think may be impacted to do so.)
  • Get help - Contact your unit IT staff. If you don’t know who to contact, call 764-HELP (734-764-4357).
  • Report the incident to [email protected].

Preserve information, if possible:

  • Do not run anti-virus software.
  • Take notes regarding what actions were taken and when, for example if you changed your password.

Guidelines for Units

IT Security Incident Management Guidelines for University Units (U-M login required) provides detailed information about incident response roles and responsibilities for units and Information Assurance (IA), as well as an overview of the process and time-sensitive tasks. This guidance is intended for staff in U-M units who have information security responsibilities.

Reporting Incidents

Report all actual or suspected IT security incidents to IA at [email protected] as soon as possible and within the first 24 hours. When you report an incident, please provide: 

  • Your name, department, email address, telephone number
  • Date and time the problem was first noticed (if possible)
  • Description of the IT security problem, including any actions taken so far

IA will contact the unit and develop a plan for further containment and mitigation.

Tips for Handling IT Security Incidents:

  • Stay calm. There is an established protocol for handling incidents, and IA is equipped to guide the process.
  • Sacrifice speed for correctness. Don’t act rashly.
  • Work with IA to alert business owners and leadership, advising them to keep all details confidential until further notice.
  • Every detail is important. Share everything you know with the IA incident coordinator(s).

Operating Level Agreement (OLA)

The IT Security Incident Operating Level Agreement (PDF) (U-M login required) describes the university's Computer Security Incident Response Team (CSIRT) and defines the roles and responsibilities of central offices for their participation in the U-M incident response processes for serious incidents.