Compromised Systems Procedure

Description

If the security of one computer on an HSU network is compromised, the integrity of every piece of information stored on that network is at risk.

Deliberately hacking into a computer is not a joke or a prank. It is a felony and as such is regarded extremely seriously by HSU, the CSU system, and law enforcement. California law requires that the trail of evidence be preserved as far as is practicable and that HSU take additional action where the security of personally-identifiable or other confidential information has been compromised.

Instances of potentially-compromised systems must always be referred to the Campus Information Security Officer at (707) 826-3815 or the University Police Department at (707) 826-5555 for implementation of HSU's Compromised Host Procedure.

Additional Information

Only qualified IT staff are permitted to handle machines suspected of being compromised.


Technical Support Staff Information

IT staff should not take any steps to examine the machine until they have determined to the best of their ability whether Level 1 protected data is present on the system.

Start by asking the user or their supervisor if it is likely Level 1 data is present on the machine.

  • If they indicate that it is likely that the system contains Level 1 data, have everyone take their hands off the system. You must contact the Information Security Office immediately at (707) 826-3815 or (707) 826-5000.
  • If they indicate there is little or no likelihood that Level 1 data is on the system, follow the Compromised Information Security Procedure below.

Compromised Information Security Procedure

Step 1 - Disconnect the system from the network

Step 2 - Use the appropriate security tools to examine the system and determine whether or not it has been compromised.

  • If the system is positively identified as being infected by a virus or other malware, proceed to the next step.
  • If you can't find evidence of infection or compromise, inform the ISO and stop your investigation.

Step 3 - Attempt to identify the threat by consulting the Sophos website.

  • If the compromise is identified as severe - usually either a trojan or a rootkit - proceed to the next step.
  • If the compromise is NOT identified as severe and you are able to clean the threat, do so and report your results to the Information Security Office at security@humboldt.edu.

Step 4 - In the case of a severe threat to the security of a system, run a formal scan for Level 1 data.

  • If you find Level 1 data, stop and contact Information Security immediately.
  • If you do not find Level 1 or Level 2 data, proceed with the disinfection as outlined above. If appropriate or as advised by Information Security, wipe the drive, re-install clean copies of the operating system and applications, and report your results to Information Security.

Accessing This Service

Do not attempt to access any of the information security tools referenced on this page without the assistance of qualified IT staff and/or the Campus Information Security Officer.


Using This Service

If you suspect that a machine for which you are responsible has been hacked, contact your ITC or the Technology Help Desk immediately.

If you are 100% sure that no protected information is stored on the affected machine, do the following:

  1. Turn off the machine and disconnect it from the network. Do not back up or copy any files on the system or make any attempt to use the machine or mitigate the attack. Turn it off and disconnect it.
  2. Contact your ITC and/or the Technology Help Desk AND the Campus Information Security Officer (x3815) immediately if you suspect a machine for which you are responsible is the subject of an intrusion attempt. If the ISO is not available, report that you are calling because of an information security incident, and your call will be routed to someone who can address the issue immediately. Arrangements will first be made for ITS and UPD staff to inspect the machine. Make absolutely no use of a compromised machine without the approval of the ISO.
  3. Make no public statements about the incident. All questions must be referred to the ISO during any investigation. After the investigation, specific referral directions will be issued by the ISO.

If the presence of Level 1 data is identified at any point during the investigation, all work by campus IT Support, and by anyone who is NOT a member of the Campus Incident Response Team (CIRT) technical team designated by the Information Security Office, must stop immediately.


Location

The Information Security Office is located in Van Matre Hall 201, phone (707) 826-3815.


Policies

Please refer to HSU/CSU information security policies for compromised system coverage.
