Initial Remediation Steps

Please follow these steps:

  1. Stop work on the machine immediately.
  2. Do NOT disconnect the network or power cables from the machine(s). Keeping the host powered on and connected preserves volatile evidence (running processes, memory, active connections) and allows us to respond through our approved endpoint software.
  3. Do NOT attempt to investigate or remediate the incident on your own. Wait for instructions from the Security Operations Center (SOC). There may be compliance requirements, a 'bigger picture', or other 'complications' that you may not know about.
  4. Provide us with as much information as you can about the user(s), GT account(s), and/or endpoint(s) that are affected. Helpful scoping information is outlined in Requested Scoping Information (below) or in the GT Security Incident Response Plan.
  5. Do NOT send sensitive information via email.

Requested Scoping Information
Basic Information
  1. Contact information:
    1. Name
    2. Email address
    3. Phone #
  2. What’s your affiliation to Georgia Tech?
  3. Did you work with research data?
    1. If so, what types of research data?
  4. Does the machine have an Endpoint agent installed?
User Activity
  1. What is the date and time of the incident?
  2. What were you doing during the incident?
  3. Did you notice any strange things about the computer around that time?
  4. Did you notice a change in computer performance?
  5. Did you install any software or updates?
  6. Did your antivirus software complain or alert?
  7. Did you receive any strange emails, or open any unknown attachments?
  8. Did you enter credentials (username, password) on any sites?
  9. Did you receive any strange Instant Messages?
  10. Do you use the computer for non-work-related functions?
    1. If so, what function(s)?
      1. Facebook/social media?
      2. Internet Radio?
      3. Email?
      4. Online Banking?
Data Categorization
  1. What category of data exists on the host?
  2. Does the user work with sensitive or covered PII data?
    1. If yes, what types of sensitive or covered PII data?
  3. What files did the user access during the time of the incident?
  4. Does the user use university or departmental enterprise systems?
    1. If so, what level of access does the user have?
  5. Does the user have access to shared network storage?
  6. Are the shared drives automatically mounted?
  7. Who else shares the data in those folders?
  8. Did the user use encryption on files?