Guidelines for Handling A Computer System Incident
Don't Panic. Call the IT Soultions Center: 806-743-1234.The Help Desk staff will guide you through the next steps to take, which includes the following:
Assessment. Do not shut down the machine, as you may lose important information.If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, you may need to disconnect it from the network.If this does not appear to be the case, leave the system intact for the moment.
System Scan. Work with the IT Help Desk and run an emergency system security scan.This information will help you assess the damage.(The machine must be up and on the network in order to run a scan.)
Gathering all relevant information. This may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs.
Take notes. Record all relevant information, including things you observed, actions you took, dates and times, etc.It is best to log your activities as they occur.
Changing account passwords. All system accounts that were involved with the incident may require new passwords as determined by the Security Manager.Never share your password with anyone.Choose a password in accordance with the password requirements and change it every ninety (90) days.
The security team will determine the correct course of action. The decision may be to clean up and move on. It is also an option to attempt to catch the culprit.The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, cost of recovery, etc).