Report an IT Security Event
It is important that actual or suspected security events are reported as early as possible.
A security event is one that has the potential to impact the confidentiality, integrity, and/or the availability of sensitive information, or negatively impact the business functionality of the medical center network infrastructure. This includes, but is not limited to:
- Installation of malicious software onto your computer
- Exposure of your network login credentials
- Loss of mobile devices containing sensitive information
- Sending unencrypted emails, faxes, and text messages containing sensitive information
Examples of how these events can occur:
- While browsing the Internet, a pop-up message states that your player needs to be updated before you can view a video
- You answer an email or phone call and subsequently provide your login name and password
- You take a picture of sensitive data with your phone so you can email it to a recipient who needs it as soon as possible
- You lose your Android phone, which contained some emails with sensitive data
Some warning signs that you may have fallen victim to a security event:
- You get feedback about emails you never sent
- You log into your computer and either see files you never created or missing files
- Your email account is being logged into from an unknown location
Contact your CITG immediately for any of the following (not comprehensive):
- Loss of mobile device used for work
- Unable to log into your computer
- Unexplained emails
- Any messages on your computer that don’t appear normal
- Anything that you believe could impact the business
If you don’t have access to your CITG, contact the CUIMC Security Office directly at firstname.lastname@example.org.
For loss or theft of mobile devices, also contact either Public Safety for campus locations, or the local police if it occurred off-campus.
For password compromise, contact 5-HELP to reset any passwords.
For suspicious emails, forward the message as an attachment to email@example.com.
If you clicked any link within a suspicious email, please advise accordingly.
If contacted by one of your users, please gather as much information as possible about the event.
Submit a ServiceNOW ticket and direct it to ISO.
For lost/stolen devices, ISO will require the following:
- Device model
- Serial number
- Owner (personal or organization)
- Purchase date
- Encryption status – please include proof of encryption (date completed, BitLocker key, etc.)
- Assist user with sending a remote wipe command to the device and include screenshot of status
If a computer compromise is suspected:
- Ransomware – IMMEDIATELY disconnect the computer from the network and call ISO
- For other malware-related issues, remove the computer from the network and reimage it
If ISO assigned a ServiceNOW or CrowdStrike ticket, please follow any instructions within the ticket. Once completed, DO NOT CLOSE THE TICKET, but reassign it back to ISO with your remediation actions provided in the ticket.