ITS Safe Computing

Report an IT Security Incident

It is important that you report actual or suspected IT security incidents as soon as possible so that work can begin to investigate and resolve them. Incident reporting procedures differ depending on whether you are in a MiWorkspace unit:

  • MiWorkspace Units: Report IT security incidents to the ITS Service Center.

  • All Other Units: Report IT security incidents to the unit security coordinator designated by your school, college, or department or to your IT department. If you do not know who that is, report the incident to security@umich.edu.

If you are unsure where to report an incident, you can report it to either the ITS Service Center or security@umich.edu, and ITS staff will sort out the reporting and tracking. The most important thing is to report the incident.

Important: If the incident poses any immediate danger, call 911 to contact law enforcement authorities immediately.

What Is an IT Security Incident?

An IT security incident is attempted or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of information.
  • Interference with information technology operation.
  • Violation of explicit or implied acceptable use policy.

Examples of IT security incidents include:

  • Computer system intrusion
  • Unauthorized access to, or use of, systems, software, or data
  • Unauthorized changes to systems, software, or data
  • Loss or theft of equipment used to store or work with sensitive university data
  • Denial of service attack
  • Interference with the intended use of IT resources
  • Compromised user accounts

Reporting of IT security incidents is governed by the Information Security Incident Reporting Policy (SPG 601.25).

Resources for Unit Security Coordinators

Quick Reference Guide: When an IT Security Incident Occurs (PDF). Provides a description of the full lifecycle of incident management at U-M and a summary of key actions to be taken by unit and IIA staff.

During the First 10 Minutes

Determine the severity of the incident.

In the case of a serious incident, please note that continued interaction with a compromised machine can severely affect later forensic analysis. When an incident is discovered, the unit should:

CONTAIN THE INCIDENT BY:

  • Restricting network access
  • Disabling all remote access
  • Keeping the machine out of use

AND DO NOT:

  • Run the anti-virus software
  • Power down the machine
  • Attempt any kind of unilateral mitigation process

During the First 24 Hours

Report all serious incidents to: security@umich.edu, except:

Alert business owners and leadership, advising them to keep all details confidential until further notice.

When you report an incident, please provide as much information as possible, including:

  • Your name
  • Department
  • Email address
  • Telephone number
  • Description of the IT security problem
  • Date and time the problem was first noticed (if possible)
  • Any other known resources affected

IIA will contact the unit and develop a plan for further containment and mitigation.

Tips for Handling IT Security Incidents

  • Stay calm. There is an established protocol for handling incidents, and IIA is equipped to guide the process.
  • Sacrifice speed for correctness. Don’t act rashly.
  • Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
  • Every detail is important. Share everything you know with the IIA incident coordinator(s).

Incident Reporting for Cyber Risk Insurance Claims

IIA is the liaison to the Office of Risk Management with respect to initiating claims under the cyber risk insurance coverage that Risk Management provides to U-M units. IT security incidents that include the potential for recoverable losses must be reported as described above.