The link to the quiz is at the end of the article. Take it and you could win one of six of our monthly $50 Amazon Gift Cards!

IT security incidents can originate almost anywhere in our organization due to the myriad methods attackers can use to steal UC Institutional Information or disrupt IT Resources.   It is important to know that most cyberattacks now start with a phishing attack within an email message. According to the Cybersecurity and Infrastructure Security Agency (CISA), it is estimated that over 90% of attacks begin with phishing. *

To help protect UCSF, our policies require end users and system owners to report any suspicious security events to the appropriate unit as a potential security incident requiring an investigation. Timely reporting of suspicious events is essential to contain a potential threat and minimize any potential work disruption and associated costs. 

What you need to do:

When you think you may have encountered something that looks suspicious or might be a crime, report it.  If it is an email, always use the Phish Alarm button to report it.

You cannot over-report! UCSF IT Security analytics can quickly determine what type of email it is, in most cases, and get back to you. If it is a real phish, we can quickly block it from harming you or others. Also, this information feeds the tool’s knowledge base, which helps to more accurately analyze other phishing and stop them from doing harm. However, as with any logic-based system, an error or misinterpretation is always possible. So, if you receive a "clean” response from Phish Alarm but you feel this classification is incorrect, please challenge the outcome by opening a ticket with our IT Service Desk.  In addition, because the Phish Alarm is not available from shared service accounts, if something does appear to be a phish in one of those accounts, please also open a ticket with our IT Service Desk. For more information on Phish Alarm, please visit the Phish Alarm Service Page.

Reporting Non-phishing IT security issues, what you need to do:

Be ready to provide specifics such as date/time of loss, type of device, contact information, and any specific information that you believe indicates that a device was breached, a computer security incident occurred, or a device was lost or stolen.

UCSF incident response procedures call for documenting, tracking, and resolving all information security incidents.

If you administer UCSF devices, systems, or applications, one of your key responsibilities is to regularly monitor them for threats or unusual behavior. There is an extensive array of threats to UCSF data and systems, and monitoring the system performance and the security of the data within can be crucial to detecting and containing attacks.

If a system is suspected (or confirmed) of having been compromised or attacked, report it immediately to the UCSF IT Service Desk - Available 24/7 - at:

Phone: 415-514-4100

Web: http://help.ucsf.edu

Email: [email protected]

All lost or stolen computing devices (including smartphones, tablets, and external drives) must be immediately reported to the UCSF Police at:

Phone: 415-476-1414 

Web: http://police.ucsf.edu

Please take the Incident Response Quiz. Everyone who passes is entered in a drawing for one of six $50 Amazon gift cards.

Additional Information from Outside of UCSF:

UCOP Incident Response Standard

DHS See Something - Say Something

*CISA Shields Up: Guidance for Families

National Counterintelligence and Security Center Defense Security Service (DSS) on Academic Solicitation