How to Handle and Report Security Incidents

Report a Security Incident

It is important that you report an actual or suspected IT security incident as soon as possible so we can begin to investigate and resolve the incident.

Report the incident to your departmental IT contact. If you do not have an IT contact or do not know who that is, report the incident to soc@umd.edu.

If you are unsure where to report an incident, report it to soc@umd.edu and the Division of IT's Security Operations Center will sort out reporting and tracking.  The most important thing is to report the incident.

Important: If the incident poses any immediate danger, call 911 or 301-405-3333 to contact law enforcement authorities immediately.

What is an IT Security Incident?

An IT security incident is attempted or actual:

  • Unauthorized access, use, disclosure, modification, or destruction of information.
  • Interference with information technology operation.
  • Violation of explicit or implied acceptable use policy.

Examples of IT security incidents include:

  • Computer system intrusion
  • Unauthorized access to, or use of, systems, software, or data
  • Unauthorized changes to systems, software, or data
  • Loss or theft of equipment used to store or work with sensitive university data
  • Denial of service attack
  • Interference with the intended use of IT resources
  • Compromised user accounts

Resources for IT professionals:

During the first 10 minutes

Determine the severity of the incident. In the case of a serious incident, please note that continued interaction with a compromised machine could severely impact later forensic analysis. When a significant incident is discovered, you should contain the incident by:

  • Restricting network access (pull the network cable from the computer)
  • Keeping the machine out of use

Do not run anti-virus software, power down the machine, or attempt any kind of mitigation.

During the first 24 hours

Report all incidents to: soc@umd.edu

Alert business owners and leadership, advising them to keep all details confidential until further notice. When you report an incident, please provide as much information as possible, including:

  • Your name
  • Department
  • Email address
  • Telephone number
  • Description of the IT security problem
  • Date and time the problem was first noticed (if possible)
  • Any other known resources affected

The Division of IT’s Security Operations Center will contact the unit and develop a plan for further containment and mitigation.

Tips for Handling IT Security Incidents

  • Stay calm. There is an established protocol for handling incidents, and the Division of IT’s Security Operations Center is equipped to guide the process.
  • Sacrifice speed for correctness. Don’t act rashly.
  • Involve your leadership early. Remind them that all information, especially early in the investigation, should be limited to a need-to-know basis.
  • Every detail is important. Share everything you know with the SOC’s incident coordinator(s).