Incident Response


Incident Response

Guidelines for Reporting Information Security Incidents

This document describes how to identify and report security incidents relating to information systems at UCCS.

What is a Computer Security Incident?

An Information Security Incident is an accidental or deliberate event that causes:

  • unauthorized entry into a computer system
  • unauthorized access, modification or deletion of data
  • disruption of computer or network service
  • loss of data or computer resources

Many information security incidents represent minimal risk and are quickly resolved by campus response teams. Some incidents, however, may place people at risk of identity theft, financial loss, or other harmful consequences. These incidents may also pose significant risk to University services, resources, funding, and external relationships.

Who Needs to Be Told About the Incident?

Contact the UCCS Information Security Office at:  ISO Contact Information.

The Information Security Incident Response Team(ISIRT) will respond.
The responsibilities of the ISIRT

  1. The ISIRT detects and investigates security events to determine whether an incident has occurred, the extent, cause and damage of the reported incident(s).
  2. The ISIRT directs the recovery, containment and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The ISIRT coordinates response with external parties when existing agreements place responsibility for incident investigations on the external party. An After-Action Report will be created by the Information Security Officer (ISO) and disseminated to the appropriate leadership across campus and the CU system if appropriate.
  3. During the conduct of security incident investigations, the ISIRT is authorized to monitor relevant UCCS IT resources and retrieve communications and other relevant records of specific users of UCCS IT resources, including login session data and the content of individual communications without notice or further approval and in compliance with the IT Security Program – APS 6005.
  4. Any external disclosure of information regarding information security incidents must be reviewed and approved by the ISO or CIO in consultation with Compliance Office, Office of General Counsel, University Communications, and other university stakeholders as appropriate.
  5. The ISIRT coordinates with law enforcement, government agencies, peer ISIRTs and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The ISIRT is authorized to share external threat and incident information with these organizations that does not identify any member of UCCS.

Reporting an Incident to the Information Security Office

If you suspect that a campus incident is likely to have occurred, information about the incident must be immediately reported to the Information Security Office or to persons designated in the ISO Contact Information page.  The following information should be included in the report of a computer security incident:

  1.  Name, email and phone number of person reporting the incident.
  2.  Brief summary of the incident, including:
    • Symptoms of problem.
    • Date and time detected.
    • Computer or University service involved.
    • Department responsible for the computer or service.
    • Location of the computer or service (building and room number).
    • Type of data on the computer or service involved.
  3.  Potential impacts to individuals, campus operations/resources, etc., if known.
  4.  Any other information that may be helpful in investigating the incident .

To Report a Suspected Email Phishing Message

How to Report a suspected Phishing message

Information Security