Compromised Computer Procedures

ITS General Response Procedures for Compromised Computers

Below is a summary of the steps ITS staff are to follow when responding to a compromised computer. Detailed procedures for each step are available on the ITS Collaboration Tool (CruzID Blue login required - access restricted to ITS staff).
Note: A computer with no restricted data that has quarantined a virus is NOT considered to be compromised.

Summary:

    1. A compromised machine is reported/detected
    2. Disconnect machine from network unless IT Security has said not to
    3. Create ticket & do restricted data check
    4. Scramble/Change passwords
    5. Refer incidents involving restricted data or machines in the Data Center to IT Security
    6. Rebuild machine and harden system
    7. Do AV scan – for workstations and applicable servers
    8. Reconnect machine to network
    9. Assist client with changing passwords, if necessary
    10. User education
    11. If possible, check other systems on the same subnet for signs of compromise
    12. Resolve the original ticket
    13. Delete old data

Also included:

    • Additional procedures for major outbreaks
    • Links to related IT Request FAQs and procedures

Go to detailed procedures on Collab (CruzID Blue login required - access restricted to ITS staff)

Rev. 12/18/09