4-Step Approach
Step 1: Identify an Information Security Incident
A security incident involving electronic information or information technology includes the following, whether suspected, attempted, or actual:
- Unauthorized access, use, disclosure, modification, or destruction of electronic information
- Violation of acceptable use policies for information or technology
- Interference with the operation of college information technology resources, such as a denial of service attack
- Discovery of weaknesses in the safeguards protecting electronic information or information systems
Examples include:
- Loss or theft of laptops, desktops or other equipment used to access or store college data, including mobile phones, thumb drives and external hard drives
- Intrusion into a computer system
- Unauthorized access to sensitive information, such as Social Security numbers or restricted research data, whether intentional or accidental
- Unauthorized use of another user’s credentials or impersonating another college user
- A denial of service attack
- A compromised user account
If you are unsure whether an event is a security incident, it is best to err on the side of caution, and report the event.
Step 2: Stop, Disconnect, and Step Away
Using a compromised computer or device could worsen the security incident and negatively affect the investigation. Your actions may alert the attacker and they may take action to remove evidence or delete files.
Immediately:
- STOP: Power off your PC, laptop or other device
- DISCONNECT: If possible after powering off, disconnect the Ethernet network cable
- Then STEP AWAY from the computer. DO NOT touch it, or take any other action, until IR personnel or UPD advise the situation
Step 3: Report the Incident
Some security incidents are much more serious than others. They are more likely to cause significant harm or to have a substantial impact on the college or individuals. The following types of events should be considered serious security incidents:
- Involves restricted or other sensitive information—See Data Classification Policy
- Could result in serious harm to the college or to an individual or individuals (including significant reputational harm or identity theft)
- Involves serious legal issues (including the potential imposition of civil or criminal penalties)
- May result in serious disruption to critical University services
- Involves widespread improper disclosure or use of electronic information or information technology
- Is likely to raise substantial public interest
These serious security incidents require immediate action and should be reported immediately to both:
- The Help Center at (607) 753-2500 or via the Online Reporting Form
- University Policy at 607-753-2112
IR Information Security, in coordination with the CIO, will promptly notify other SUNY Cortland groups as necessary.
Step 4: Stay Calm, Document, and Avoid Speculating
- STAY CALM. There is an established protocol for handling incidents, and Information Security and College leadership are equipped to handle the situation.
- DO NOT DISCUSS Limit discussing information to a strict need-to-know basis.
- WRITE A DETAILED DESCRIPTION to be shared with the incident team. Include details such as: what made you suspect the incident, what you know happened thus far, information on the device and the data affected, and what actions have been taken so far.