Information Security Incidents Form

If you or your property are in immediate or pending danger, please dial 911 immediately!

If you suspect that a security incident involving electronic information or information technology has occurred, follow the 4-Step Approach below.

Important Note: To avoid speculation and prevent inaccurate information from being disseminated before a thorough investigation has been completed, limit discussion of the incident to those who strictly need to know, such as:

  • Your direct supervisor
  • SUNY Cortland IR staff involved with reviewing your incident
  • A University Police Officer

4-Step Approach

Step 1: Identify an Information Security Incident

A security incident involving electronic information or information technology includes the following, whether suspected, attempted, or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of electronic information
  • Violation of acceptable use policies for information or technology
  • Interference with the operation of college information technology resources, such as a denial of service attack
  • Discovery of weaknesses in the safeguards protecting electronic information or information systems

Examples include:

  • Loss or theft of laptops, desktops or other equipment used to access or store college data, including mobile phones, thumb drives and external hard drives
  • Intrusion into a computer system
  • Unauthorized access to sensitive information, such as Social Security numbers or restricted research data, whether intentional or accidental
  • Unauthorized use of another user’s credentials or impersonating another college user
  • A denial of service attack
  • A compromised user account

If you are unsure whether an event is a security incident, it is best to err on the side of caution, and report the event.


Step 2: Stop, Disconnect, and Step Away

Using a compromised computer or device could worsen the security incident and negatively affect the investigation. Your actions may alert the attacker, who may then take action to remove evidence or delete files.


  • Stop: Power off your PC, laptop or other device
  • Disconnect: If possible after powering off, disconnect the Ethernet network cable
  • Then step away from the computer. Do not touch it, or take any other action, until IR personnel or UPD advise you on the situation

Step 3: Report the Incident

Some security incidents are much more serious than others. They are more likely to cause significant harm or to have a substantial impact on the college or individuals. The following types of events should be considered serious security incidents:

  • Involves restricted or other sensitive information (see the Data Classification Policy)
  • Could result in serious harm to the college or to an individual or individuals (including significant reputational harm or identity theft)
  • Involves serious legal issues (including the potential imposition of civil or criminal penalties)
  • May result in serious disruption to critical University services
  • Involves widespread improper disclosure or use of electronic information or information technology
  • Is likely to raise substantial public interest 

These serious security incidents require immediate action and should be reported immediately to both:

  1. The Help Center at 607-753-2500 or via the Online Reporting Form
  2. University Police at 607-753-2112

IR Information Security, in coordination with the CIO, will promptly notify other SUNY Cortland groups as necessary.


Step 4: Stay Calm, Document, and Avoid Speculating

  • Stay calm. There is an established protocol for handling incidents, and Information Security and College leadership are equipped to handle the situation.
  • Do not discuss. Limit discussing information to a strict need-to-know basis.
  • Do not speculate. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened or the impact. The facts of the situation are often not clear until a thorough investigation and analysis have been completed.

    After an investigation, senior management will determine whether an event is an incident, and whether the incident is a breach.

  • Write a detailed description to be shared with the incident team. Include details such as: what made you suspect the incident, what you know happened thus far, information on the device and the data affected, and what actions have been taken so far.