If an incident has the ability to spread to additional systems (e.g., involves credentials with administrative access to multiple computing devices, the threat is determined to be a worm, etc.), then personnel should assist in containment, including, but not limited to, providing forensic images (memory and disk) and baseline information as deemed necessary by the Information Security Office.
After providing requested information to the Information Security Office, personnel should attempt to remove the threat from (clean) the affected system or re-image the affected system and restore the system to service.
If eradication is unsuccessful, or the incident recurs after re-imaging, personnel should notify the Information Security Office and await further instructions.
The Information Security Office will communicate resolution and lessons learned to management,personnel, and/or end users, as appropriate.
Who does the standard apply to?
The standard primarily applies to administrators of RIT-owned or leased computing devices.
The standard also applies to users of personally-owned or leased devices should the incident involve RIT resources.
What is an incident?
Incidents include the following types of events:
Physical loss of a computing device (including storage devices)
Detection of unauthorized users accessing a computing device
Discovery of malware on a computing device
Discovery of critical vulnerabilities or improper configuration that could result in a breach of information
What do I have to do?
If the incident involves the loss or theft of a device containing Private, Confidential or Operationally Critical information, you should immediately file a report with Public Safety.
If the device contains Private, Confidential or Operationally Critical information, contact your support organization immediately.
If the device does not contain Private, Confidential or Operationally Critical information, you can attempt to resolve the issue on your own.
Users supported by Systems Administrators
Contact the ITS HelpDesk if you cannot resolve the problem on your own. If they discover high risk threats, they will engage the Computer Incident Handling process.
Report any suspicious computer activity to your support organization. Anything from a drastic slowdown in computer performance to something as simple as the cursor moving around on its own constitutes suspicious activity.
Report a Computer Incident
If you suspect a cybersecurity incident, immediately report it by calling the RIT Service Center at 585-475-5000, or on the web at help.rit.edu. When reporting by phone after hours, there is a prompt to speak to the on-call person in an emergency. Follow the cybersecurity incident handling instructions as described on the Information Security Office website.