Incident Response - For Users

From Security Wiki
Revision as of 21:12, 28 February 2012

Scope

This document applies to all individuals authorized to use SDSC's IT resources. The prescribed actions and processes described in this document apply to situations involving any SDSC Host (as defined in the SDSC Security Policy) as well as any of the IT resources provided by SDSC.

Background

Incident response does not involve only IT and security staff. Users play a big part too: they are often the first to notice that something is "odd". However, with respect to incident response, users are also in a position to do the most damage. By attempting to investigate an incident on their own, a user may inadvertently destroy evidence or warn the intruder that we are aware of their presence.

The procedures described in this document are designed to provide an effective means of transferring responsibility for handling an incident, or a potential incident, from the user to security staff with minimal loss of evidence and minimal risk of alerting an intruder. We encourage you to make use of this process whenever you suspect an incident, not only when you know one has occurred.

Identifying a Possible Security Incident

Incidents are not always easy to spot. Sometimes you will see clear-cut evidence of a security incident, such as a warning from your antivirus software, or a host that is obviously acting under someone else's control. Other times, the clues may be more subtle. Did you notice login activity on your account from hosts that you don't normally log in from? Has your computer been unusually slow or unstable lately? Do you end up at websites that do not correspond to the URL you entered? Do you get warning notifications that you have not seen before? Have you observed any unexpected configuration changes?

These are just examples; they do not encompass all possible signs of an incident.



Incident Response Procedure for Users

Observe a Problem

Stop What You're Doing

Hands Off!!

Inform Security

Take Notes