Incident Response

As described by U-M Standard Practice Guide 601.25, in the event you suspect an Information Security incident, you are required to report it within 24 hours. To report such incidents, simply email us at lsa.security@umich.edu. The membership in this email group is limited to trained LSA data security professionals.

A serious incident is one that involves sensitive data, involves local admin or root compromise of the system, is a widespread threat, is an active persistent attack, is a severe disruption of mission-critical services, or is likely to raise public interest. For serious incidents, our team collaborates with the U-M Information and Infrastructure Assurance team (IIA) on triage, containment, and communication with the appropriate stakeholders. As much information as possible about each incident is catalogued in the IT Security Incidents FootPrints project, with the exception of actual sensitive data. Sensitive data is defined as information whose unauthorized disclosure may have a serious adverse effect on the university's reputation, resources, services, or individuals. It includes information protected under federal or state regulations or subject to proprietary, ethical, or privacy considerations. In responding to serious IT Security incidents, our team may also work with the U-M Police Department (UMPD, formerly the Department of Public Safety), U-M User Advocate, U-M Institutional Review Board, Office of the Vice Provost for Research, or the Office of General Counsel, or any combination of these groups.

LSA.Security has a Standard Operating Procedure for responding to IT Security incidents. Team members function as IT Security Coordinator for handling serious incidents and manage communication between the appropriate group(s) and LSA faculty, staff, and students. The team can also accept phishing and spam reports although, officially, these should be sent directly to the User Advocate (dmca-notices-useradvocate@umich.edu). The team maintains off-hours contact information for Departmental IT Staff for better communication when serious incidents are handled outside of business hours. Ultimately, the goal of this effort is to provide appropriate and timely IT Security Incident response and containment. The resulting information security trend analysis also provides accurate metrics to empower LSA Leadership and the IIA group with the knowledge to appropriately protect information assets, safeguard the integrity of institutional processes, and ensure compliance with state and federal regulations.

Reporting IT Security Events

To report an incident or a suspected incident, simply send an email to lsa.security@umich.edu. If you aren't sure you have an actual incident, just send us an email and we'll help determine that.

When reporting an incident, please provide the following information:

  • Date/Time of incident
  • A description of the event (details please)
  • ID of the hosts (name and IP address)
  • Method of intrusion
  • What physical access controls are in place

Please do not include sensitive data in the Incident Report.

If you prefer, the LSA Incident Tracking website allows you to manually enter information about a security incident directly into our database.

The Incident Notification Template (PDF) is for Unit Leadership to use in informing those affected of a data breach.