As described by U-M Standard Practice Guide 601.25, in the event you suspect an Information Security incident, you are required to report it within 24 hours. LSA has created an email group to which you can simply send an email to report such incidents (firstname.lastname@example.org). The membership in this email group is limited to trained LSA data security professionals. In the case of serious incidents, this team collaborates with the U-M Information and Infrastructure Assurance team (IIA) on triage, containment, and communication with the appropriate stakeholders. As much information as possible about each incident, with the exception of actual sensitive data, is catalogued in the IT Security Incidents footprints project.
In responding to serious IT Security incidents, this team may also work with the U-M Police Department (UMPD, formerly the Department of Public Safety), U-M User Advocate, U-M Institutional Review Board, Office of the Vice Provost for Research, or the Office of General Counsel, or any combination of these groups. LSA.Security has a Standard Operating Procedure for responding to IT Security incidents. Team members function as IT Security Coordinator for handling serious incidents and manage communication between the appropriate group(s) and LSA faculty, staff and students. The team can also accept phish/spam reports although, officially, these should now be reported to User Advocate (email@example.com). The team maintains Departmental IT Staff off-hours contact information for better communication during serious incident handling outside of business hours.
Ultimately, the goal of this effort is to provide appropriate and timely IT Security Incident response and containment. The resulting information security trend analysis also provides accurate metrics to empower LSA Leadership and the IIA group with the knowledge to appropriately protect information assets, safeguard the integrity of institutional processes, and ensure compliance with state and federal regulations.
Sensitive data is defined as information whose unauthorized disclosure may have serious adverse effect on the University's reputation, resources, services, or individuals. It includes information protected under federal or state regulations or subject to proprietary, ethical, or privacy considerations.
A serious incident is defined as an incident which involves sensitive data, involves local admin or root compromise of the system, is a widespread threat, is an active persistent attack, is a severe disruption of mission-critical services, or is likely to raise public interest.
Reporting IT Security Events
To report an incident or a suspected incident, simply send an email to firstname.lastname@example.org. If you aren't sure you have an actual incident, just send us an email and we'll help determine that.
When reporting an incident, please provide the following information:
- Date/Time of incident
- A description of the event (details please)
- ID of the hosts (name and IP address)
- Method of intrusion
- What physical access controls are in place
Please do not include sensitive data in the Incident Report.
If you prefer, the LSA Incident Tracking website allows you to manually enter information about a security incident directly into our database.
- Incident Notification Template (PDF), for Unit Leadership use in informing those affected by a data breach
- LSA Information Security Incident Response Procedure
- LSA Security's Standard Operating Procedure