Education & Training

PENN STATE INFORMATION SECURITY

What to Do in Case of a Security Incident

Use the guidelines below to determine what steps to take when a security incident occurs – whether it involves a personal or University owned device, a Penn State network or server, confidential or sensitive information, a Penn State user or admin account, infection with malicious software such as a virus, ransomware, spyware, or trojan, or unauthorized access of any kind.

WHEN TO REPORT THE INCIDENT IMMEDIATELY BY PHONE

CALL INFORMATION SECURITY (IS) IMMEDIATELY at (814) 863-7804 to report the incident if you suspect that it may involve one or more of the following:

  • Unauthorized access to sensitive data – data classified as Level 3 (High) or Level 4 (Restricted) as defined in the Information Classification Decision Tool,
  • Unauthorized access to data stored in a secure enclave,
  • Intellectual property owned by a Penn State funding partner,
  • The potential for severe financial, reputational, legal or regulatory impact,
  • Widespread or critical system disruption, and/or
  • An attack that appears targeted, sophisticated, or based on inside information.

Refer to the Security Response Quick Guide for additional guidance and action items – including what NOT to do.

WHEN TO REPORT THE INCIDENT BY EMAIL

Email security@psu.edu to report the incident if it does not meet the above criteria, but involves any of the following:

  • Unauthorized access to data that is not classified as Level 3 or Level 4 in the Information Classification Decision Tool (including alteration, deletion, and loss of access to such data),
  • Intellectual property owned by Penn State that does not meet the criteria for urgent reporting,
  • A University-owned device,
  • Disrupted availability of Penn State resources (including denial of service),
  • Unauthorized use of your Penn State account
  • A personal device that contains University data,
  • A personal device that was used to log into a system that contains confidential Penn State data, or
  • A personal device that was used to log into any Penn State resource with a privileged account such as an admin account.

Refer to the Security Response Quick Guide for additional guidance and action items – including what NOT to do for a security incident.

IF YOU BELIEVE SOMEONE HAS GAINED ACCESS TO YOUR PENN STATE USERID AND PASSWORD

Take the following actions immediately (in addition to reporting by email to: security-tier1@psu.edu)

  1. Change your Penn State password immediately:  Visit Forgot Your Password on the Penn State Account management website and follow the prompts. For more detailed instructions, refer to the knowledge article Reset My Penn State Account Password (I Forgot It).  
    Note:  The system partially displays the email address to which the password reset email will be sent. If you don’t recognize the email address (or don’t receive a password reset email), contact the IT Service Desk immediately for assistance.
  2. Change your password on other accounts: If you used the same password for other accounts, change each one, using a unique password for each account.  Never use the same password for more than one account or re-use previous passwords.
  3. Verify that your forwarding email address has not been changed in Office 365. See the knowledge article Manage Email Forwarding using Outlook on the Web to learn how.
  4. Confirm that your account information has not been updated:  Log in to psu.edu to confirm that information such as your recovery email address, street address, phone number, and two-factor authentication devices have not been updated by the person who accessed your account.  Consider logging in to LionPATH and/or Workday as well to check for unauthorized changes.
  5. Learn how to keep your account safe going forward:  Visit Protect your devices, your data, and your account on this website
  6. Remember to contact security-tier1@psu.edu. It is important for Information Security to know, to review risk regarding what the attacker has done and whether the attacker has accessed other accounts. 

WHAT TO DO WHEN REPORTING IS NOT REQUIRED

If the incident is limited to your own personal device or a personal account (for example, your gmail or FaceBook account) AND does not meet any of the criteria listed above, it is not necessary to report the incident to Information Security.

Click each topic below to expand it.

don't modify this so accordion stays closed

If you discover that someone has gained access to your personal account(s) and password(s)

  1. Change your password for that account immediately: Often your password is under the security settings of your account. If you need help getting your password changed, reach out to customer service. 
  2. Change your password on other accounts:  If you used the same password for other accounts, change each one, using a unique password for each account.  Never use the same password for more than one account or re-use previous passwords.
  3. Verify that your forwarding email address and other account information has not been changed:  Log into your account settings page to confirm that information such as your recovery email address, street address, phone number and two-factor authentication devices have not been updated by the person who accessed your account. 
  4. If you believe that any financial sites have been breached, contact your financial institution: Inform them of the potential breach, and ask how to best protect and monitor your account and credit.
  5. Learn how to keep your account safe going forward:  Visit Protect your devices, your data, and your account on this website.

If your personal device has been infected with a virus, ransomware, spyware, or other malicious software

  1. Don’t panic!
  2. Isolate your device to avoid passing along the infection. Disconnect your device from any external storage devices (USB Drive, External Hard Drive), network connections (wired or Wi-Fi internet and local area network connections).
  3. Use another device to search the web for information on resolving the issue, enlist the help of a technically savvy friend, or engage professional help to determine next steps.
    Note that Penn State recommends reformatting a device rather than attempting to remove the malware.
  4. If you need additional help, contact the IT Service Desk at (814) 865-HELP (4357) to learn about technical support available through Penn State Knowledge Commons.
  5. Learn how to avoid future attacks: See Protect your devices, data and account for steps you can take.