Respond to Data Security Incidents: IT Admins

Any data security incident involving a University-owned or personal device containing sensitive University data is serious. Responding to data security incidents promptly and efficiently helps protect the University's assets (e.g., data, computers, networks) and ensures compliance with state and federal law, and University policy.

IT Administrators can use this page to learn more about the steps they need to take if they suspect an incident involving a device in their department.

1. Incident Report

All data security incidents involving University-owned or personal devices containing sensitive University data are serious, and may require an Incident Report (see below for more details about responses to specific data security incidents).

If a data security incident requires an incident report, email it.security@umassd.edu the following information:

• Incident history (date, time, symptoms, how you first responded)
• Spirion (formerly IdentityFinder) and malware scan results (if available)
• Host name
• IP Address
• MAC Address
• Building and room number
• Your email address and campus telephone number

2. General Incident Response Procedures

IT Administrators who suspect a data security incident in their department or who were notified of a potential incident need to complete the following steps:

Note: This is a general overview of the incident response process. Depending on the complexity of the incident, additional steps may be required.

Step 1:
Preliminary Analysis (Optional): If this is a malware infection, perform a preliminary analysis using the Malware Incident Response Checklist. Note: Be sure to minimize any system changes. Do not power off, run anti-virus software, or attempt to back up data.

Step 2:
Incident History: Gather the incident details, including symptoms and how you first responded.

Step3:
Incident Report: Contact it.security@umassd.edu if UMass Dartmouth CITS first notified you of the incident, sensitive data was stored on the compromised device, or you cannot rule out the presence of sensitive data on this device. A report is required even when encryption is available on the affected device.

If the incident is confirmed:

Step 1:
Forensic Analysis: UMass Dartmouth CITS will perform an in-depth forensic analysis of the compromised device (if the device is available).

Step 2:
Legal Counsel Review: The University Legal Counsel will review the incident to determine the University's legal obligations.

Step 3:
User Notification: The University is required to notify the individuals whose personal information may have been compromised as a result of this incident. Not all incidents will result in a notice obligation.

3. Malware Incident Response

Computers compromised by malware are the most common data security incident on campus. Departments can choose to handle portions of an incident internally or contact UMass Dartmouth CITS at it.security@umassd.edu as soon as possible.

4. Computing Devices Accessed without Authorization (Non-Malware)

If a computing device that contains sensitive University data is accessed without permission via stolen or compromised credentials, credentials lost to phishing scams, and other attempts to access a device without authorization (e.g., former employees, etc.):

Submit an Incident Report to it.security@umassd.edu.
At a minimum, include the nature of the incident (e.g., response to a phishing scam), the approximate date and time when the incident occurred, your email address, and campus phone number.

5. Lost or Stolen Computing Devices

If a computing device, which includes departmental laptops, USB drives, cell phones, or other devices that may contain sensitive data, or personal computing devices with sensitive University data, is lost or stolen:

1. Contact the UMass Dartmouth Police Department.
   Report the lost or stolen device at 508.999.9191 .
   
   
2. Contact Procurement.
   For University-owned devices, report the incident to the University Procurement Department at 508.999.8055 .
   
   
3. Fill out the Lost or Stolen University-Owned Computing Device form.
   You will be asked to provide information on the nature of the incident (e.g., lost computer), the approximate date and time when the device was lost or stolen (or when it was discovered to be missing), your email address, and campus phone number.
   
   
4. Change your passwords.
   Be sure to change your UMassD Logon account password, and any other password that may have been exposed.
   
   
5. Mobile device only: Contact your mobile device service provider for a remote wipe.
   Contact the mobile device service provider and request that the contents of your device be wiped remotely. For University-owned mobile devices, contact CITS at 508.999.8900 for a remote wipe.
   
   

6. Related Documents

• ITS-001: Acceptable Use of Information Technology Resources Policy
• ITS-006: Information Security Policy
• ITS-008: Information Security Incident Response
• Data Security Incidents: Prevention and Response Procedures
• Respond to Data Security Incidents - Information for Faculty & Staff
• Respond to Data Security Incidents caused by Malware - Checklist for IT Administrators
• Security Checklist for University-Owned Computers

The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.