IT disruptions can originate almost anywhere in an organization due to the myriad of methods used by criminals to steal and disrupt UC Institutional Information and other IT Resources.
To help protect UC, our policies require all end users and system owners to report any incidents to the appropriate unit to begin an incident investigation. Timely reporting of an incident is essential to containment and to minimizing the potential work disruption and cost associated with an incident.
Two of the most important reasons everyone at UCSF has a role in incident response are:
- According to the National Counterintelligence and Security Center Defense Security Service (DSS), “academic solicitation” is on the rise, especially from foreign nation states. Academic solicitation is the use of students, faculty, or researchers to improperly obtain information. The criminals take advantage of the collaborative nature of the people who work at academic institutions and exploit academics’ access to knowledge, especially that of their own citizens, in nefarious ways (see PDF inserted below).
- Criminals are increasingly using spear phishing and message-based threats as their first attack vector to obtain UCSF’s valuable research, Health Insurance Portability and Accountability Act (HIPAA) data, financial data, and personally identifiable information.
What you need to do:
Read the document by the National Counterintelligence and Security Center Defense Security Service (DSS) linked below and familiarize yourself with the common academic solicitation scenarios.
When you think you may have witnessed something that looks suspicious or may be a crime, report it. If it is in the form of an email, use the Phish Alarm button to report it:
For more information on where the button resides for different platforms and other additional information about Phish Alarm, please go to the Phish Alarm Service Page.
For everything else, what you need to do:
Be ready to provide specifics such as date/time of loss, type of device(s), contact information, and any specific information that you believe indicates that a device was breached, a computer security incident occurred, or a device was lost or stolen.
Incident response at UCSF calls for documenting, tracking, and helping to resolve all Information Security incidents.
If you administer UCSF devices, systems, or applications, one of your key responsibilities is to regularly monitor them for threats or unusual behavior. There is an extensive array of threats to UCSF data and systems, and monitoring data can be crucial to detecting and containing attacks.
If you suspect a system has been compromised or is being attacked, report the incident immediately to:
UCSF IT Service Desk – Available 24/7
All lost or stolen computing devices, including smartphones, tablets, and external drives, must be immediately reported to the UCSF Police Department at:
Please take the Incident Response Quiz. Everyone who passes is entered in a drawing for one of six $50 Amazon gift cards.
UCSF Incident Investigation Procedures
UCOP Incident Response Standard
UCSF Security Incident Response & Investigation
UCSF 650-16 Addendum C - UCSF Incident Investigation
UCSF Best Practices for Application and Website Security
DHS See Something - Say Something