Information Security Incident Management Incident Response Standard
Number: 8075.0 Revised: August 15, 2010
Note: Information security incidents involving criminal acts or actions that you feel pose an immediate threat to personal safety or the privacy of confidential data should be reported to the University Police at extension 86851 or by calling 911.
Incident Response Standard
An information security incident is any event involving real or potential risk or threat to the security of campus devices, applications, or data. The first and most important step when a system is identified as being compromised is to immediately cease all activities on the system and immediately contact the Information Security Office at 278-1999.
Accessing a computer, device or data without permission or authorization
Hacking of a University system
Evidence of unauthorized release of University information
Using University resources to access any non-University computer system without permission or authorization
Using University IT resources to harass or threaten someone
Violating state or federal regulations with University IT resources
Finding print outs with confidential data in an unprotected area
The Information Security Office is responsible for managing the investigation, evaluation and containment of all information security incidents on campus. It is the responsibility of technical staff maintaining computer systems to proactively monitor for malware attacks and other system compromises.
If the Information Security Office is not immediately available and technical staff determine that the incident requires immediate containment, the first action they must consider is to physically remove the device from the network by unplugging the physical network cable (or the virtual equivalent in a virtual environment) from the device. If a malicious process is running that is damaging the integrity of the system, technical staff should also consider shutting down the system.
An active attack is one for which evidence indicates that a system compromise is in progress or has already occurred. Systems undergoing active attacks require specialized investigative techniques in order to prevent the loss of evidence. The Information Security Office should be contacted immediately, as it has specialized tools designed to pull real-time information from a compromised server that assist in determining the risk to the campus and to Level 1 and Level 2 data. If a system is currently under an active attack, the Information Security Office must be contacted immediately at 278-1999 so the threat can be isolated.
Systems identified as compromised but not undergoing an active attack may still have important information located in memory that requires special investigative techniques. As such, upon discovery of a compromised system, the Information Security Office must be notified and all activity on the system ceased until Information Security personnel advise otherwise. Compromised systems not containing Level 1 or Level 2 data and not providing critical infrastructure support for the campus may be reported using the Incident response form here. Unless a documented business need is approved by the Information Security Office, workstations and laptops that experience a compromise must be rebuilt/reimaged from a “known-good” image or base.
If you are reporting inappropriate or objectionable email, or SPAM email, please forward the email to firstname.lastname@example.org, and include the full headers of the email with your report.
Government Fraud, Waste, and Abuse
The California State Auditor is your confidential avenue for reporting any type of improper activities by state agencies or employees. It is your responsibility as a government employee to report any type of fraud, waste, or abuse. You may do so at http://www.bsa.ca.gov/hotline/filecomp