Skip to Content

University Technology Services


Information Technology Security

Compromised System Response Procedure

Date Issued: 27-Aug-2013
Date Effective: 27-Aug-2013
Owner: UISO - University Information Security Office


Purpose

The purpose of this procedure is to establish a process for the initial evaluation, escalation, and remediation of computer compromise by malicious code or other forms of intrusion.

As recommended methodology is revised, and as resources become available for improved secure implementation of data systems, it is the intent of the UISO to revise this procedure accordingly.

Scope

This procedure applies to:

  • all systems owned by the university, when exhibiting symptoms of compromise.

Definitions

In the context of this document, the following terms are used as indicated here:

  • system - a computer (physical or virtual), or a network device.

Process

IMPORTANT: Any access or alteration to the system will impact a potential breach investigation.

  1. Do not access or alter the system in any way until the UISO clears you to do so.
  2. Ask the user if restricted data (e.g. SSNs, credit card numbers, grades, medical information) are stored or processed on the system.                               
  3. Immediately contact the University Information Security Office (UISO) with the following information:
    • A description of the type(s) of data processed or stored on the system
    • User's name and account IDs
    • System name
    • Operating system version
    • IP address
    • Description of symptoms
    • Time of first observed symptoms
  4. If the system does handle sensitive data, the UISO will perform incident response.
  5. If the system does not handle sensitive data, the unit will verify the infection and follow the organization's procedures for cleaning the system.

Responsibility for Implementation

The technician assigned to remediate the compromise is responsible for following this procedure.

Enforcement and Consequences

Failure to comply with this procedure could result in serious legal and/or public relations consequences for the university. Any person found in violation may face disciplinary action as appropriate.