Respond to Data Security Incidents — Information for IT Administrators
Any data security incident involving a University-owned or personal device containing sensitive University data is serious. Responding to data security incidents promptly and efficiently helps protect the University's assets (e.g., data, computers, networks) and ensures compliance with state and federal law and University policy.

IT Administrators can use this page to learn more about the steps they need to take if they suspect an incident involving a device in their department.

Incident Report

All data security incidents involving University-owned or personal devices containing sensitive University data are serious, and may require an Incident Report (see below for more details about responses to specific data security incidents).

If a data security incident requires an incident report, email security@umass.edu the following information:

General incident response procedures

IT Administrators who suspect a data security incident in their department, or who have been notified of a potential incident, need to complete the following steps.

Note: This is a general overview of the incident response process. Depending on the complexity of the incident, additional steps may be required.

  1. Preliminary analysis (optional): If the incident is a malware infection, perform a preliminary analysis using the Malware Incident Response Checklist. Note: Be sure to minimize any system changes. Do not power off the device, run anti-virus software, or attempt to back up data.
  2. Incident history: Gather the incident details, including symptoms and how you first responded.
  3. Incident Report: Contact security@umass.edu if UMass Amherst IT first notified you of the incident, sensitive data was stored on the compromised device, or you cannot rule out the presence of sensitive data on this device. A report is required even when encryption is available on the affected device.

If the incident is confirmed:

  1. Forensic analysis: UMass Amherst IT will perform an in-depth forensic analysis of the compromised device (if the device is available).
  2. Legal Counsel review: The University Legal Counsel will review the incident to determine the University's legal obligations.
  3. User notification: The University is required to notify the individuals whose personal information may have been compromised as a result of this incident. Not all incidents will result in a notice obligation.

Malware incident response

Computers compromised by malware are the most common data security incident on campus. Departments can choose to handle portions of an incident internally (using the Malware Incident Response Checklist) or contact UMass Amherst IT at security@umass.edu as soon as possible.

Computing devices accessed without authorization (non-malware)

If a computing device that contains sensitive University data is accessed without permission, whether through stolen or compromised credentials, credentials lost to a phishing scam, or any other unauthorized access attempt (e.g., by a former employee):

1. Submit an Incident Report to security@umass.edu.

At a minimum, include the nature of the incident (e.g., response to a phishing scam), the approximate date and time when the incident occurred, your email address, and your campus phone number.

Lost or stolen computing devices

If a computing device is lost or stolen, including a departmental laptop, USB drive, cell phone, or other device that may contain sensitive data, or a personal computing device holding sensitive University data:

1. Contact the UMass Amherst Police Department.

Report the lost or stolen device at 413-545-2121. UMPD may be able to locate your item(s) faster if you have registered them.

2. Contact Procurement.

For University-owned devices, report the incident to the University Procurement Department at 413-545-0361.

3. Fill out the Lost or Stolen Computing Device form.

You will be asked to provide information on the nature of the incident (e.g., lost computer), the approximate date and time when the device was lost or stolen (or when it was discovered to be missing), your email address, and your campus phone number.

4. Change your passwords.

Be sure to change your IT Account password in SPIRE, and any other password that may have been exposed.

5. (Mobile device only) Contact your mobile device service provider for a remote wipe.

Contact the mobile device service provider and request that the contents of your device be wiped remotely.