Incident Response

Security Incident Response Methodology

As a University System of Georgia (USG) participant, we follow the best practices outlined in NIST 800-61 (Computer Security Incident Handling Guide) to adhere to the guidelines set forth in Section 5 of the USG Handbook. The incident response lifecycle consists of six phases: preparation, detection, analysis, containment, eradication, and post-incident activity. The figure below illustrates the general lifecycle of these phases; however, many of the phases occur in parallel.

Incident Response Life Cycle

Source: National Institute of Standards and Technology (NIST) Special Publication 800-61

Our Security Incident Response Plan can be referenced in further detail here: GT Security Incident Response Plan.

For more information regarding the Security Incident Response Plan and associated procedures, please contact the Security Operations Center (SOC) at 404.385.CYBR (2927) or soc@gatech.edu.


Our Role

Georgia Tech Cyber Security acts on behalf of the Institute’s community and asks for cooperation and assistance from all members of the community. This includes students, faculty, staff and any individual using computers and technology devices connected to the Georgia Tech network.

Overall, we follow the NIST 800-61: Computer Security Incident Handling Guide to detect incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore IT services.


Reporting an Incident

If a Georgia Tech IT Resource user suspects or has observed an event that would satisfy the definition of a security incident, they should report the suspicion immediately to the system administrator or unit technical lead. Please reference the Reporting an Incident page to determine your best contact based on your affiliation.

  • Security Incident - A security incident is an event, as determined by Georgia Tech Cyber Security, that violates an applicable law or Institute policy including the violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An incident could also be established based on the potential for harm to the confidentiality, integrity, or availability of Georgia Tech IT resources.