Data Incident Response, Reporting & Investigation
Data Incident Response
Incident Response refers to those practices, technologies and/or services used to respond to suspected or known breaches of IT security safeguards. Once a suspected intrusion activity has been identified as a security-breach incident, it must be contained as soon as possible, and then eradicated so that any damage and risk exposure to the college are avoided or minimized. Information technology security incidents frequently involve deliberate, malicious acts that may be technical (e.g., creation of viruses, system hacking) or non-technical (e.g., theft, property abuse, service disruption).
Responding to and handling incidents can be logistically complex, and may require information and assistance from sources outside the University’s Information Technology department. The University combines both proactive and reactive strategies to deal with IT security incidents. Examples of proactive activities include establishing communication mechanisms to report incidents and to disseminate incident alerts, and identifying technical experts who can provide emergency assistance if needed. Examples of reactive activities include blocking or aborting computer processes, temporarily denying user access or disabling vulnerable services, and deploying patches or inoculation software.
Data Breach Incident Reporting
To report a problem, call the IT Help Desk immediately and provide a complete description of the problem. If calling is not an option, or the report takes place outside of Help Desk operating hours, email the IT Help Desk and provide as much information as possible.
The Information Technology department will mobilize the proper resources to respond to IT security incidents and to reports and complaints about abuse of information technologies. It will investigate the problems reported and take appropriate action to protect the members of the community and the college’s resources. Whenever appropriate, the team may be expanded to include additional IT system or application administrators, and/or members from Senior Management, Student Affairs, Security, Human Resources or Academic Affairs, depending on the specific nature of the incident.
Each member of the Information Technology response team recognizes the often sensitive nature of both reports received and what is found during the course of an investigation. All members of the team will hold both reports and findings confidential consistent with both the letter and the spirit of the procedure described in this document, federal and state laws, and the rules of the disciplinary bodies involved.
The Information Technology department is neither an investigative nor a disciplinary entity in its primary responsibilities. However, in cases where College resources and privileges are abused or otherwise threatened, the department will take appropriate steps. IT system administrators may disable user accounts, interrupt computing processes or disable services at any time to safeguard College resources and protect College privileges. They may take these actions without prior approval if, in their best professional judgment, they need to do so to deal with immediate circumstances. These actions must be reported to, and are subject to timely review by, the Chief Information Officer. The CIO may authorize extending such actions to longer terms if necessary to safeguard college resources.
The team will work as rapidly as possible to establish the nature of the incident and to develop an appropriate response that protects the University’s resources and interests while eliminating (to the degree possible) the threat of recurrence. Sometimes, to accomplish this goal, the technical staff may have to temporarily leave a system vulnerability open in order to identify the malicious person(s) behind the incident. In all cases, the team will assume that it must notify appropriate authorities and preserve evidence.
Data Breach Incident Investigation
Incidents that involve the college’s technical environment sometimes lead to investigations, which include the gathering of technical evidence. Depending on the nature of the incident and the role (i.e., faculty, staff or student) of the persons suspected of improper behavior, those investigations may be managed by law enforcement officers, authorized government officials, or others outside of the University community; by the University’s representative units conducting individual student-academic-issue investigations; or by College administrators in faculty or staff disciplinary investigations. In such investigations, investigating officials may call on the IT department to provide technical information, which may become evidence, from computers owned and managed by the Information Technology department.