Reporting an IT Security Incident

Summary

All IT security incidents should be reported.

Information about IT Security Incident Severity

If an incident involves any of the following, it is to be considered a SERIOUS incident:

  • Reasonable expectation that an unauthorized person has acquired sensitive data (as defined in SPG 601.12) or otherwise protected data (e.g. Social Security numbers, credit card information, bank account information, protected health information, security-related data, data or software covered by ITAR, or any data whose disclosure would cause harm to an individual, group, or the institution)
  • Legal issues and violations that may require DPS involvement, such as:
      • Child sexually abusive material (child pornography)
      • Soliciting a minor for immoral purposes (internet predators)
      • Larceny or theft of any amount
      • Computer access crime (key loggers, successful hacking, a maliciously compromised account)
      • Embezzlement, harassment/threats, hidden webcams, stalking, fraud, etc.
  • Impacts UM mission critical services
  • IT resources are being actively attacked
  • Widespread impact (over 10% of unit or greater than 100 hosts across campus)
  • Public interest in this incident is likely

Incident Severity – SERIOUS

An incident with a severity of SERIOUS meets ONE or more of the following criteria:

  • Involves sensitive data
  • Potential criminal activity
  • Impacts UM critical services
  • Resources under active attack
  • Involves > 100 hosts or > 10% dept.

Incident Severity – MEDIUM

An incident with a severity of MEDIUM meets ONE or more of the following criteria:

  • Involves data that is not sensitive, but is not public (i.e. University confidential)
  • Potential to impact UM critical services or impacts CoE (incl. dept.) critical services
  • Potential for active attack
  • Involves 10-100 hosts (or 3% – 10% of department if department has less than 100 hosts)
  • Potential for public interest

Incident Severity – LOW

An incident with a severity of LOW meets ALL of the following criteria:

  • No sensitive data
  • No criminal activity
  • Not impacting critical resources
  • Fewer than 10 hosts
  • No public interest
  • Example: a non-credential-stealing virus infects a single host that is not used to process or view sensitive information

What is an ‘information security incident’ and how is incident severity determined?

The University of Michigan Standard Practice Guide includes SPG 601.25, which defines the requirements for information security incident reporting at the University of Michigan. SPG 601.25 defines an information security incident as follows:

An information security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operation; or violation of explicit or implied acceptable usage policy (as defined in SPG 601.7). Examples of information security incidents include (but are not limited to):

1. Computer security intrusion

2. Unauthorized use of systems or data

3. Unauthorized change to computer or software

4. Loss or theft of equipment used to store private or potentially sensitive information

5. Denial of service attack

6. Interference with the intended use of information technology resource

7. Compromised user account

SPG 601.27 continues by describing what constitutes a serious incident:

A serious incident is an incident that may pose a threat to University resources, stakeholders, and/or services. Specifically, an incident is designated as serious if it meets one or more of the following criteria:

1. Involves potential unauthorized disclosure of sensitive information (as defined below)

2. Involves serious legal issues

3. May cause severe disruption to critical services

4. Involves active threats

5. Is widespread

6. Is likely to raise public interest

Sensitive information is defined in SPG 601.12 as information whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services, or individuals. Information protected under federal or state regulations, or due to proprietary, ethical, or privacy considerations, will typically be classified as sensitive. Sensitive information includes personally identifiable information such as protected health information (PHI), Social Security numbers, credit card numbers, and any other information designated as sensitive by the University Data Stewards.