Incident Response

Arizona State University takes every security event and incident seriously. Depending on the severity of the situation, a variety of groups may be involved in resolving the issue and remediating its risk. ASU Cybersecurity takes the initial steps to help the reporting party identify the issue, risk, and severity of the situation.

1. In case of a security event or incident, contact ASU Cybersecurity

Reporting a suspected event or incident early on is necessary for proper evaluation and identification.

To report an event or incident, contact the Experience Center at 1-855-278-5080.

For events that do not require an immediate response, email infosec@asu.edu or visit our contact page.

2. Assessment & Classification of the Issue: Event or Incident

When a potential problem has been identified, ASU Cybersecurity will analyze the situation and attempt to confirm whether it is the result of a security incident. ASU Cybersecurity will also determine the severity of the incident.

Examples of incidents include the exposure or compromise of sensitive information, a large-scale attack on or intrusion into a system or group of systems, a malicious attack on an ASU-hosted server or one that negatively affects service, and inappropriate usage of ASU resources.

3. Event Follow Up

If the situation is not a significant security threat, or is not as large an issue as originally thought, ASU Cybersecurity will classify the reported issue as an event. ASU Cybersecurity will also provide information and instructions for the reporting group to follow.

A security issue may be classified as an event if, upon initial review, it is determined that there is little or no risk to the University community or University assets.

4. Determine Incident Severity & Contact Required Groups

Should the situation be classified as an incident by ASU Cybersecurity, a severity level (Low, Medium or High) will be confirmed by the Chief Information Security Officer (CISO) and/or the Chief Information Officer (CIO).

ASU Cybersecurity will then meet with an Incident Response Team, which will include appropriate representatives as determined by the nature and severity of the incident. The Chief Financial Officer (CFO) and Provost will be notified during high severity incidents.

5. Incident Containment & Eradication

While contacting the required groups, ASU Cybersecurity will also coordinate with the appropriate network and systems operational teams as well as representatives from the affected department(s). In coordination with ASU Cybersecurity, the networking teams will stop and isolate malicious traffic on the network while department representatives isolate infected systems for forensic analysis.

ASU Cybersecurity may notify relevant parties including the Dean, Office of General Counsel, VP, and administrator of the system, but such notification is not a prerequisite to actions necessary to protect University resources or preserve evidence. In cases when it is necessary to support an active investigation or to preserve evidence, ASU Cybersecurity may also take physical possession of any system believed to be involved in the event.

6. System Restoration

System restoration will be handled primarily by the affected department, with ASU Cybersecurity providing suggestions for safer compliance procedures. Cybersecurity will also help identify needed patches and update methodologies so that future incidents and events are less likely to occur.

7. Management Follow Up

During the follow-up portion of the incident, ASU Cybersecurity seeks to help the affected department by answering any questions left from the incident, rectifying any outstanding issues related to it, and ensuring that any and all relevant policies and best practices are clearly defined.

ASU complies with federal and state requirements to notify individuals if their personal and/or private information has been compromised.