Report Security Incident Checklist

Tags: incident

Overview

This guide is for the user or owner of an OU computer that has been involved in a cybersecurity incident (for example, a malware infection or unauthorized access).

First Response Checklist

As you work through the following steps, record your observations and actions, and what time they occurred.

  1. Disconnect the device from the network, unless it provides a critical service (in that case, leave it connected and report it immediately in step 4).  
    • If it has a wired connection, unplug the network cable.
    • For wireless devices, turn off the wireless adapter if possible; otherwise disconnect from the wireless network.
  2. Preserve state.  If at all possible, don't touch anything else.
    • Do not log off or power down the device: running processes, memory contents and open network connections are evidence that is lost on shutdown.
    • Do not use the computer; use a different computer until you hear from IT Security.
    • Do not log into a compromised device for any reason.
    • Do not try to conduct your own investigation.
  3. Preserve evidence.
    • If logs for the device are kept in a central location (for example, a log server), save a copy immediately and note the time and the source.
    • Do not log into a compromised device to retrieve logs.
  4. Report the security incident at https://ou.edu/ouit/cybersecurityincident.  In the description of the incident, include the following details:
    • How was the incident discovered and when?
    • What programs were open?
    • What were you doing immediately before the incident?
    • Which network was the device connected to when the incident occurred?
    • Did you notice anything else that may be important or unusual?
    • Provide a detailed list of who did what and when:
      • Did you fail over a server?
      • Did you reset a password or disable an account?
      • Did you power off, log into, or log out of a computer?
      • What time did any of those actions occur?
      • What time were logs saved, and from where?
    • Was a device that is used to access confidential data involved in this incident?
    • Are there indications that confidential data was accessed?
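
The checklist asks you to record every action with its time and to save centrally stored logs without touching the suspected device. The following shell script is an added example, not part of the OU article or the OU incident form: it keeps a timestamped, attributed journal of responder actions, copies logs from a central location into a read-only evidence folder, records their SHA-256 hashes, and can later verify that nothing in the folder was altered. Run it on a different, trusted computer, never on the compromised one. The file locations (./incident-journal.txt, ./evidence, the /srv/logs path in the usage comment) and the sample log line in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the OU article: a small incident journal and
# log-preservation helper for the person reporting the incident.
# Run it on a DIFFERENT, trusted computer (never on the suspected device),
# against logs that already exist in a central location such as a log server.
# File locations below are illustrative assumptions.

JOURNAL="${JOURNAL:-./incident-journal.txt}"     # who did what, and when (UTC)
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"       # read-only copies of saved logs

# Append one timestamped, attributed line to the journal.
# Usage: journal "unplugged network cable from lab-pc-07"
journal() {
    printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" >> "$JOURNAL"
}

# Copy one centrally stored log into the evidence folder, make the copy
# read-only, record its SHA-256 hash, and journal when it was saved and from
# where (the report form asks for exactly that). Prints the path of the copy.
# Returns 1 (and journals the failure) if the source cannot be read.
# Usage: preserve_log /srv/logs/lab-pc-07/syslog     (assumed path)
preserve_log() {
    src="$1"
    if [ ! -r "$src" ]; then
        journal "FAILED to save log $src (not readable)"
        return 1
    fi
    mkdir -p "$EVIDENCE_DIR"
    dest="$EVIDENCE_DIR/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ)"
    cp -p "$src" "$dest"               # -p keeps the original modification time
    chmod 444 "$dest"                  # evidence is never edited in place
    sum=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n' "$sum" "$(basename "$dest")" >> "$EVIDENCE_DIR/SHA256SUMS"
    journal "saved log $src -> $dest sha256=$sum"
    printf '%s\n' "$dest"
}

# Check every saved copy against the recorded hashes; fails if any file changed.
verify_evidence() {
    (cd "$EVIDENCE_DIR" && sha256sum -c --quiet SHA256SUMS)
}

# Optional demo with a constructed log file:  INCIDENT_DEMO=1 sh thisfile.sh
if [ -n "${INCIDENT_DEMO:-}" ]; then
    demo=$(mktemp -d)
    JOURNAL="$demo/incident-journal.txt"
    EVIDENCE_DIR="$demo/evidence"
    # constructed sample line, not a real log entry
    printf 'Jan 01 09:14:02 lab-pc-07 sshd: Accepted password for svc from 203.0.113.9\n' \
        > "$demo/lab-pc-07.log"
    journal "unplugged network cable from lab-pc-07"
    preserve_log "$demo/lab-pc-07.log"
    verify_evidence && cat "$JOURNAL"
fi
```

Each journal line carries a UTC timestamp and the account that wrote it, so the "who did what and when" list for the report can be pasted straight from the file; the SHA256SUMS file lets IT Security confirm the saved logs match what you handed over.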

Related Articles

This Cybersecurity Incident Response Plan establishes the procedures for identifying, reporting, and responding to a cybersecurity event. It establishes the basic language to discuss such events, identifies roles and responsibilities involved in responding to and recovering from these events, and provides a playbook for handling these events from the time an event is detected to the post incident report and event closing.