Reporting an IT Security Incident or Vulnerability
This Practice Directive outlines the types of common information security incidents and where they should be reported at SF State.
SF State Practice Directive on Reporting an IT (Computing or Information) Security Incident or Vulnerability at San Francisco State University
The following outlines the types of common information security incidents and where they should be reported. It is also the process for reporting significant, unmitigated or zero-day vulnerabilities that present the potential for large scale data loss or operational disruption.
If you believe the incident or unmitigated vulnerability presents the risk of large scale data loss, campus disruption, occurs off-hours, or otherwise is an event requiring urgency, please report it to the University Police Dispatch Line at (415) 338-7200 immediately, and follow-up with an email to the aliases indicated below:
Types of Incidents & Where to Send Incident Information
|Type of Incident or Vulnerability||Action|
|Submit report to firstname.lastname@example.org, please see What your Email should contain for more info.|
|Submit report to email@example.com, please see What Your Email Should Contain for more info.|
|Reports must be sent to the formally registered addresses for SF State on file with the Patent and Trademark Office (PTO.) The form of notice must be consistent with the form suggested by the United States Digital Millennium Copyright Act (the text of which can be found at the U.S. Copyright Office Web Site, http://www.copyright.gov). To file a notice of infringement with us, you must provide a written communication, by fax or regular mail to the SF State Mailing Address -- not by email.|
||Report to the University Police Department or via their 24 hour dispatch line at (415) 338-7200, or at the University Police Department Office located North State Drive on the SF State campus. A University Police Department report will be generated and a copy should be retained for personal records, Property Survey Requests, and audits. If the asset was an SF State asset you will also need to complete an SF State Computer Security User Incident Report regarding the possible loss of sensitive data.|
||Report to University Police Department online or via their 24 hour dispatch line at (415) 338-7200, or at the University Police Department Office located at North State Drive on the SF State campus.|
Your email to the above aliases should contain information to aid an investigation and potential resolution. To see a full list of information required please see What Your Email Should Contain.
In most cases, the information you provide will be used to confidentially investigate a claim or report. In some instances, however, the information must be provided to campus management such as the campus President or the Chancellor's Office under CSU Policy. For instance
- If a breach of Level 1 data has occurred, the campus President must notify the Chancellor; the CIO must notify the Assistant Vice Chancellor for Information Technology Services; and the campus ISO must notify the Senior Director of Systemwide Information Security Management.
- If a breach of Level 2 data has occurred; the campus ISO must notify the Senior Director of Systemwide Information Security Management.
Additionally, data loss incidents regarding student and FERPA restricted data are typically forwarded to the campus Registrar for resolution and communication to student(s) as required.
Some incidents, such as theft and cyberstalking are also reported to the University Police.
Information Security Office
Information Technology Services
1600 Holloway Ave
San Francisco, CA 94132
Important Additional Links
Your email to the appropriate alias should contain information to aid an investigation and potential resolution. In general, the information you provide will be used to confidentially investigate a claim or report. In some instances, however, the information must be provided to campus management such as the campus President or the Chancellor's Office under CSU Policy. Some incidents, such as theft and cyberstalking, are also reported to the University Police.
- Description of event including time, date, circumstance, and mention of any federal or state law or campus Practice Directive you think is being violated.
- Information on the potential number of individuals impacted.
- Assessment of the personal or sensitive data potentially lost, stolen or accessed and/or an attestation that none could have been accessed. Sensitive and Personal Identifiable Information (PII) is described at the following links:
- If the device was lost, stolen or accessed by an unauthorized entity, an SF State Computer Security User Incident Report is required regarding the circumstances of loss and protective mechanisms that were in place to prevent loss of sensitive data (for example, encryption) or verification that the device was never used to process or store any sensitive data. Please download a copy of the .doc, complete the letter, sign it and attach as a .pdf to your email, or send separately via campus mail to ISO, Admin 118A, Department of Information Technology. The .doc version of the file can be found here: SF State Computer Security User Incident Report
- Include relevant information such as copies of logs and sample emails within the message (not as an attachment) or arrange to supply them via some other secure method to the ISO (i.e. a copy on physical magnetic media such as a CD or DVD.)
- Date and time of incident
- For incidents of spam and phishing, please include full headers
- Protocol used (if known)
- IP address(es)
- MAC address
- System Name
- Operating System
- Physical location of system
- Suspect name or SFSU ID or email
- Your contact information (name, email, phone, representing firm/department)
Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS) and Information Technology (IT) departments across campus. Submit any apparent violation of Reporting an IT Security Incident or Vulnerability Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to firstname.lastname@example.org.
Noncompliance with applicable policies and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.