Security Incident Response

Preamble

It is the responsibility of the President, Provost, Vice Presidents, Deans and Directors, IT Managers, and Departmental Security Personnel to respond properly and consistently, with appropriate leadership and technical resources, to an incident that threatens the availability, confidentiality, or integrity of information resources. The Information Security Office and the Security Incident Response Team (SIRT) are available to facilitate and provide guidance with any computer security incident that affects university IT resources or threatens the availability, confidentiality, or integrity of university information. All security incidents involving restricted personal or confidential information, as defined by the Data Classification and Protection Policy, 4-008, on the University policy site, must be reported immediately to SIRT at sirt@ucf.edu, or through the UCF IT Support Center at (407) 823-5117.

What is an incident?

An incident can be defined as any act that violates UCF Information Security policies and/or the Computer Security Standards and Guidelines. The types of activity below are common violations and should be reported to the UCF SIRT:

  • Unauthorized attempts (either failed or successful) to gain access to a system or data
  • Unwanted disruption or denial of service
  • Unauthorized use of a system for processing or storing data
  • Inappropriate usage according to the IT Security Policy or University Acceptable Use Policy
  • Theft or loss of University computing equipment

How can I tell if I am being affected by a computer or network intrusion?

Check the Possible Signs of a Security Incident.

What is not an incident?

Spam is not considered an incident, as the high volume of spam e-mails makes it impossible to investigate. Only when the spam contains criminal content will it be considered an incident.

How can I report an incident?

If you would like to report an incident that meets the criteria for a violation, please contact the UCF IT Support Center and send an e-mail to sirt@ucf.edu. Please do not submit personally identifiable information via e-mail.

General Reporting Procedures

  • If you are experiencing suspicious activity while using a computer, please contact your local systems administrator or the UCF IT Support Center to rule out any local computer or network problems.
  • If you need to report an incident such as network scanning, probing, or system compromises, please contact the UCF IT Support Center and send an e-mail to sirt@ucf.edu and include the following information in your e-mail:
    • Your name and contact information
    • Include system logs in the body of the message. Do not send them as an attachment. System logs must contain time stamps synchronized to an NTP server. Check Security Tips for IT.
    • Send full e-mail headers if the incident is in regards to an inappropriate e-mail
    • Should you feel personally threatened by any message delivered to you or action performed upon your property over the UCF network, please contact the UCF police immediately at (407) 823-5555.

General Guidelines and Procedures for Security & System Administrators

STOP! When encountering an anomaly on your critical systems, don't be tempted to immediately correct the issue by restarting the system, making configuration changes to quickly remedy the incident, or restoring the system to a known good state. Don't do anything until you have decided what your goal is, knowing that any action might destroy evidence. Making any changes could destroy valuable information related to a potential compromise, such as the identity of the perpetrator, the avenue of attack, and any data that was affected. In any event, the UCF SIRT should be notified to coordinate the response.

To assist you in the first stage of response, the following procedures were developed to support information gathering:

Investigation

Once the initial response is performed and the incident is classified and contained, further investigation may be required to determine the cause. SIRT may perform the investigation using forensic tools to acquire the evidence and then analyze it in a secure environment.

All actions taken should be fully documented using the following form and submitted to SIRT.

Report incidents by signing into ServiceNow and submitting an Information Security Office “Security Incident Reporting Form” ticket.

Recovery

Recovering from an incident occurs when the investigation process is complete and the machine can be returned to normal operation. Lessons learned will be identified, and measures to protect against future incidents of the same kind will be implemented. A final report communicating the findings to the University IT Security Office, IT staff, and other affected parties will need to be developed and shared.

Information Security Breach Notification Guidelines

A breach of restricted personal or confidential information requires special handling. Refer to the Standard Operating Procedure and Guidelines (ISO SOP 605) for an appropriate response. The Information Security Breach Reporting Form must be used to report a security breach to SIRT.

Request for Computer Forensic Examination

Computer forensics is the analysis of data from a computer system in response to a security incident. A computer forensic examination may be needed when it is suspected that a computer was misused, violating UCF’s acceptable use policies or used to commit a crime. To learn more and to request a computer forensic examination, please click here.

Reporting an Incident to other organizations