All Other Units: Report IT security incidents to the Security Unit Liaison designated by your school, college, or department or to your IT department. If you do not know who that is, report the incident to email@example.com.
If you are unsure where to report an incident, you can report it to either the ITS Service Center or firstname.lastname@example.org, and ITS staff will sort out the reporting and tracking. The most important thing is to report the incident.
U-M Health System (UMHS). Those at UMHS should report suspected or actual IT security incidents to the appropriate IT service desk:
Medical Center Information Technology (MCIT): (734) 936-8000
Medical School Information Services (MSIS): (734) 763-7770
Important: If the incident poses any immediate danger, call 911 to contact law enforcement authorities immediately.
What Is an IT Security Incident?
An IT security incident is attempted or actual
Unauthorized access, use, disclosure, modification, or destruction of information.
Interference with information technology operation.
Violation of explicit or implied acceptable use policy.
Examples of IT security incidents include:
Computer system intrusion
Unauthorized access to, or use of, systems, software, or data
Unauthorized changes to systems, software, or data
Loss or theft of equipment used to store or work with sensitive university data
Denial of service attack
Interference with the intended use of IT resources
Quick Reference Guide: When an IT Security Incident Occurs (PDF) is designed for printing and posting for your reference. Provides a description of the full lifecycle of incident management at U-M and a summary of key actions to be taken by unit and IIA staff. Includes the following key information and more:
During the First 10 Minutes. Determine the severity of the incident. In the case of a serious incident, note that continued interaction with a compromised machine can severely affect later forensic analysis. When an incident is discovered, the unit should:
Contain the incident by:
restricting network access
disabling all remote access
keeping the machine out of use
Preserve Evidence By:
Collecting and preserving volatile data, such as memory contents, process information, network activity, etc.
And Do Not:
Running anti-virus software
powering down the machine
or attempting any kind of unilateral mitigation procedure
During the First 24 Hours. Report all serious incidents to: email@example.com. Also alert business owners and leadership, advising them to keep all details confidential until further notice.When you report an incident, please provide as much information as possible including:
Description of the IT security problem
Date and time the problem was first noticed (if possible)
Any other known resources affected
IIA will contact the unit and develop a plan for further containment and mitigation.
Tips for Handling IT Security Incidents:
Stay calm. There is an established protocol for handling incidents, and IIA is equipped to guide the process.
Sacrifice speed for correctness. Don’t act rashly.
Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
Every detail is important. Share everything you know with the IIA incident coordinator(s)
The IT Security Incident Operating Level Agreement (PDF) (U-M login required) describes the university's Computer Security Incident Response Team (CSIRT) and defines the roles and responsibilities of central offices for their participation in the U-M incident response processes for serious incidents.
Incident Reporting for Cyber Risk Insurance Claims
IIA is the liaison to the Office of Risk Management with respect to initiating claims under the cyber risk insurance coverage that Risk Management provides to U-M units. IT security incidents that include the potential for recoverable losses must be reported as described above.