ITS Safe Computing

Report an IT Security Incident

It is important that you report actual or suspected IT security incidents as soon as possible so that work can begin to investigate and resolve them.

Where to Report Incidents

Incident reporting procedures differ depending on whether you are in a MiWorkspace unit:

  • MiWorkspace Units: Report IT security incidents to the ITS Service Center.

  • All Other Units: Report IT security incidents to the Security Unit Liaison designated by your school, college, or department or to your IT department. If you do not know who that is, report the incident to security@umich.edu.

If you are unsure where to report an incident, you can report it to either the ITS Service Center or security@umich.edu, and ITS staff will sort out the reporting and tracking. The most important thing is to report the incident.

U-M Health System (UMHS). Those at UMHS should report suspected or actual IT security incidents to the appropriate IT service desk:

  • Medical Center Information Technology (MCIT): (734) 936-8000
  • Medical School Information Services (MSIS): (734) 763-7770

Important: If the incident poses any immediate danger, call 911 to contact law enforcement authorities immediately.

What Is an IT Security Incident?

An IT security incident is attempted or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of information.
  • Interference with information technology operation.
  • Violation of explicit or implied responsible use policy.

Examples of IT security incidents include:

  • Computer system intrusion
  • Unauthorized access to, or use of, systems, software, or data
  • Unauthorized changes to systems, software, or data
  • Loss or theft of equipment used to store or work with sensitive university data
  • Denial of service attack
  • Interference with the intended use of IT resources
  • Compromised user accounts

Reporting of IT security incidents is governed by Information Security Incident Reporting (SPG 601.25).

Resources for Unit Security Staff

Quick Reference Guide

Quick Reference Guide: When an IT Security Incident Occurs (PDF). Designed for printing and posting for your reference. Provides a description of the full lifecycle of incident management at U-M and a summary of key actions to be taken by unit and IIA staff. Includes the following key information and more:

  • During the First 10 Minutes. Determine the severity of the incident. In the case of a serious incident, note that continued interaction with a compromised machine can severely affect later forensic analysis. When an incident is discovered, the unit should:
    • Contain the incident by:
      • Restricting network access
      • Disabling all remote access
      • Keeping the machine out of use
    • Preserve evidence by:
      • Collecting and preserving volatile data, such as memory contents, process information, and network activity
    • And do not:
      • Run anti-virus software
      • Power down the machine
      • Attempt any kind of unilateral mitigation procedure
  • During the First 24 Hours. Report all serious incidents to security@umich.edu. Also alert business owners and leadership, advising them to keep all details confidential until further notice. When you report an incident, please provide as much information as possible, including:
    • Your name
    • Department
    • Email address
    • Telephone number
    • Description of the IT security problem
    • Date and time the problem was first noticed (if possible)
    • Any other known resources affected
    IIA will contact the unit and develop a plan for further containment and mitigation.
  • Tips for Handling IT Security Incidents:
    • Stay calm. There is an established protocol for handling incidents, and IIA is equipped to guide the process.
    • Sacrifice speed for correctness. Don’t act rashly.
    • Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
    • Every detail is important. Share everything you know with the IIA incident coordinator(s).

Guidelines for Units

IT Security Incident Management Guidelines for University Units (U-M login required) provides detailed information about incident response roles and responsibilities for units and IIA. This guidance is intended for staff in U-M units who have information security responsibilities.

Operating Level Agreement (OLA)

The IT Security Incident Operating Level Agreement (PDF) (U-M login required) describes the university's Computer Security Incident Response Team (CSIRT) and defines the roles and responsibilities of central offices for their participation in the U-M incident response processes for serious incidents.

Incident Reporting for Cyber Risk Insurance Claims

IIA is the liaison to the Office of Risk Management with respect to initiating claims under the cyber risk insurance coverage that Risk Management provides to U-M units. IT security incidents that include the potential for recoverable losses must be reported as described above.

Last modified August 05, 2016