The following resources are for Security Unit Liaisons and unit IT managers:
Guidelines for Units
IT Security Incident Management Guidelines for University Units (U-M login required) provides detailed information about incident response roles and responsibilities for units and Information Assurance (IA). This guidance is intended for staff in U-M units who have information security responsibilities.
During the First 10 Minutes
Determine the severity of the incident. In the case of a serious incident, note that every further interaction with a compromised machine (logging in, running tools, rebooting) changes its state and can severely affect later forensic analysis. When an incident is discovered, the unit should:
- Contain the incident by:
  - Restricting network access (where feasible, record current network connections first, since they are lost once the machine is isolated)
  - Disabling all remote access
  - Keeping the machine out of use
- Preserve evidence by:
  - Collecting and preserving volatile data, such as memory contents, process information, network activity, etc.
- Do not:
  - Run anti-virus software (it can quarantine or delete the very files that need to be examined)
  - Power down the machine (memory contents and other volatile data do not survive a power-off)
  - Attempt any kind of unilateral mitigation procedure
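As an added example of the "preserve evidence" step, not part of the original guidance, the script below takes a volatile-data snapshot of a Linux host and writes a SHA-256 manifest so the snapshot's integrity can be verified later. The output directory name, file names and the set of commands are assumptions for illustration; run it from a trusted shell, direct the output to removable media or a trusted remote location rather than the suspect disk, and note that it records process and network state only; a full memory image needs a dedicated acquisition tool.

```shell
#!/bin/sh
# Volatile-data triage snapshot (hypothetical example, not U-M's own tooling).
# Captures process, user, socket and module state into one directory and
# produces a SHA-256 manifest so later analysis can prove the files are intact.

# Pick a hashing tool: sha256sum on most Linux hosts, shasum elsewhere.
hasher() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# run NAME CMD ARGS...: save CMD's output to $outdir/NAME, or record that
# CMD is unavailable instead of aborting the whole snapshot.
run() {
  name="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$outdir/$name" 2>&1
  else
    printf 'command not available: %s\n' "$1" > "$outdir/$name"
  fi
}

# collect_volatile DIR: take the snapshot. Network state is captured before
# anything else because it disappears once the host is isolated.
collect_volatile() {
  outdir="$1"
  mkdir -p "$outdir" || return 1
  { date -u '+%Y-%m-%dT%H:%M:%SZ'; hostname; id; uptime; } > "$outdir/00_context.txt" 2>&1
  run 01_sockets.txt   ss -tunap
  run 02_arp.txt       ip neigh
  run 03_routes.txt    ip route
  run 04_who.txt       who -a
  run 05_processes.txt ps -eo pid,ppid,user,lstart,etime,args
  run 06_open_files.txt lsof -nP
  run 07_mounts.txt    mount
  run 08_modules.txt   lsmod
  # Hash every captured file; the manifest is the evidence-integrity record.
  ( cd "$outdir" && hasher *.txt > MANIFEST.sha256 )
}

# verify_snapshot DIR: succeed only if every file still matches the manifest.
verify_snapshot() {
  ( cd "$1" && hasher -c MANIFEST.sha256 >/dev/null 2>&1 )
}
```

Hand the directory and the manifest to the IA incident coordinator together; a mismatch on `verify_snapshot` means the snapshot was altered after capture and should be treated as such in the record.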
During the First 24 Hours
Report all actual or suspected serious incidents to: [email protected]. Also alert business owners and leadership, advising them to keep all details confidential until further notice. When you report an incident, please provide as much information as possible, including:
- Your name
- Department
- Email address
- Telephone number
- Description of the IT security problem
- Date and time the problem was first noticed (if possible)
- Any other known resources affected
IA will contact the unit and develop a plan for further containment and mitigation.
Tips for Handling IT Security Incidents:
- Stay calm. There is an established protocol for handling incidents, and IA is equipped to guide the process.
- Sacrifice speed for correctness. Don’t act rashly.
- Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
- Every detail is important. Share everything you know with the IA incident coordinator(s).
Operating Level Agreement (OLA)
The IT Security Incident Operating Level Agreement (PDF) (U-M login required) describes the university's Computer Security Incident Response Team (CSIRT) and defines the roles and responsibilities of central offices for their participation in the U-M incident response processes for serious incidents.