Compromised Computer Procedures

ITS General Response Procedures for Compromised Computers 

Below is a summary of the steps ITS staff are to follow when responding to a compromised computer. Detailed procedures for each step are available in IT Request tech-only Knowledge Base (KB) article KB0015998 (login required).
Note: A computer with no restricted data that has quarantined a virus is NOT considered to be compromised.

Summary:

1. A compromised machine is reported/detected
2. Disconnect machine from network unless IT Security has said not to
3. Create ticket & do restricted data check
4. Scramble/Change passwords
5. Refer incidents involving restricted data or machines in the Data Center to IT Security
6. Rebuild machine and harden system
7. Do AV scan – for workstations and applicable servers
8. Reconnect machine to network
9. Assist client with changing passwords, if necessary
10. User education
11. If possible, check other systems on the same subnet for signs of compromise
12. Resolve the original ticket
13. Delete old data

Also included:

• Additional procedures for major outbreaks
• Links to related IT Request KBs and procedures

Reviewed Aug 2015