What to do When a Possible Incident Occurs

Did you know that failing to report an incident properly could cost your department and the Institute a lot of money, in the 5- and 6-figure range? There are many local, state, and federal laws, as well as industry regulations, that we must follow when reporting an incident. In addition, UTIA IT0122 – Information Security Incident Response Policy applies to any computing device, regardless of ownership, which is used to store Institute data. Please follow these procedures to ensure that you are doing the right thing.

  1. End users must stop all work on the computer and immediately contact their local or regional support personnel. (Immediately contact the Institute’s CISO if you are unable to reach your support personnel.)
  2. End users must advise if the system being used is classified as low, moderate, high, or business critical. At the very least describe the data stored on the computer.
  3. End users should not do anything to disturb the state of the computer, such as reboot.
  4. The Local/Regional IT Support Personnel will do a quick investigation of all anomalous activity to determine if a system security incident is in progress or has occurred.
  5. If there is no system security incident or the system is classified as low, the IT support person will see that the computer is scanned and cleaned of viruses and malware that are not an actual security incident.
  6. If the computer system is classified as moderate, high, or business critical, the IT support person will disconnect all network connections and immediately contact the Institute’s CISO.
  7. The Institute’s CISO will provide advice and assistance to all users.
  8. The Institute’s CISO will work with the IT support personnel to determine if an incident has occurred and how severe the incident is.
  9. The Institute’s CISO will submit a preliminary report to the UT System Administration CISO for appropriate state reporting.
  10. The Institute’s CISO will perform follow-up activity.
  11. The Institute’s CISO will maintain all documentation for all system security incidents.
  12. The Institute’s CISO will submit a detailed final report to the UT System Administration CISO for appropriate state reporting.

Please refer to UTIA IT0122P – Incident Response Plan and Reporting Procedures for the listing of reportable security incidents or potential incidents, as well as other information.