OUHSC Information Technology Department



Information Security Incident Response and Reporting Procedures

All suspected information security incidents must be reported promptly to the appropriate university office or party.

What to Report

  • Any event in which access to University data might have been gained by an unauthorized person
  • Any event in which a device containing University information has been (or might have been) lost, stolen or infected with malicious software (viruses, Trojans, etc.)
  • Any event in which an account belonging to a person who has access to the data might have been compromised or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
  • Any attempt to physically enter or break into a secure area where University data is or might be stored
  • Any other event in which University data has been or might have been lost or stolen
  • Any event in which University information system policies, standards, or practices are violated

 

Timeline for Reporting and Response to Cybersecurity Incidents

When a Cybersecurity Incident is identified, it is the responsibility of the identifying person to report it to the OUHSC Service Desk. The Service Desk will create an incident in ServiceNow and assign a task to IT Security for incident response.

If a computer involved in the incident interacts with regulated/sensitive data such as ePHI, PCI, PII, FERPA, etc.:

  • PLEASE DO NOT ADD, MODIFY, OR DELETE ANY DATA ON THE SPECIFIED COMPUTER  

  • DO NOT POWER THE COMPUTER OFF UNTIL ADVISED OTHERWISE

  • DO NOT WIPE HARD DRIVE UNTIL INSTRUCTED TO DO SO BY IT SECURITY

 

****IT Security may need to collect the computer/hard drive to perform forensic evaluation of the malware and may retain the hard drive until the investigation concludes****

 

 

Within 2 hours of identification of an incident, Tier Ones:

  • First, DO NOT TURN OFF OR UNPLUG POWER TO THE COMPUTER.
  • Second, unplug the network cable from the back of the computer and turn off any wireless internet connection.
  • Report IT security incidents to the appropriate OUHSC campus IT Service Desk. The Service Desk will help you assess the problem and determine how to proceed.
  • The following details will need to be collected upon report of a cybersecurity incident:

    • The name of the reporting person(s)
    • Date/time of the report
    • Contact information for the reporting person(s)
    • The nature of the cybersecurity incident
    • Unique identifiers for the Information Systems involved in the cybersecurity incident
    • Location or source of cybersecurity incident
  • If the incident has potentially serious consequences and requires immediate attention, individuals can report the security incident by calling IT Security at 405-271-2476.

 

Within 8 hours of the incident being reported to IT Security

 

Following the report, individuals must comply with directions provided by IT Support staff or IT Security to repair the system, restore service, and preserve evidence of the incident.

  • In the event of an incident involving malware, IT Security will instruct the Tier One to complete the following procedures:
    • The IS Administrator will conduct a Virus/Malware Scan and attach the scan results to the ServiceNow ticket
    • IT Security reviews the results of the Virus Scan(s) and will conduct an Impact Analysis
    • Next steps will be provided by IT Security based upon the results of the Impact Analysis

 

****IT Security may need to collect the computer/hard drive to perform forensic evaluation of the malware and may retain the hard drive until conclusion of the investigation****

 

If you have any questions concerning the above procedures, please contact IT Security at (405) 271-2476 or ITSecurity@ouhsc.edu.