

See Something, Say Something: You are the First Line of Defense

  • Author: Esther Silver

  • Date:

IT security incidents can originate almost anywhere in an organization due to the myriad of methods used by criminals to steal and disrupt UC Institutional Information and other IT Resources.  

To help protect UCSF, our policies require all end users and system owners to report any incidents to the appropriate unit to begin an incident investigation. Timely reporting of an incident is essential not only to containment but also to minimizing the potential work disruption and associated cost. 

Two of the most important reasons everyone at UCSF has a role in incident response are:

  1. According to the National Counterintelligence and Security Center Defense Security Service (DSS), “academic solicitation” is on the rise, especially from foreign nation-states. Academic solicitation is the use of students, faculty, or researchers to improperly obtain information. Criminals take advantage of the collaborative nature of the people who work at academic institutions to exploit access to knowledge in nefarious ways.
  2. Criminals are increasingly using spear phishing (targeting of specific individuals) and message-based threats as their first attack vector to obtain valuable research, protected health information (PHI), financial data, and personally identifiable information (PII).

What you need to do:

Read the document by the National Counterintelligence and Security Center Defense Security Service (DSS) on Academic Solicitation and familiarize yourself with the common academic solicitation scenarios.

When you think you may have witnessed something that looks suspicious or may be a crime, report it. If it is in the form of an email, use the Phish Alarm button to report it.

For more information on Phish Alarm, please visit the Phish Alarm Service Page.

For everything else, what you need to do:

Be ready to provide specifics such as date/time of loss, type of device, contact information, and any specific information that you believe indicates that a device was breached, a computer security incident occurred, or a device was lost or stolen.

UCSF incident response procedures call for documenting, tracking, and resolving all information security incidents.

If you administer UCSF devices, systems, or applications, one of your key responsibilities is to regularly monitor them for threats or unusual behavior. There is an extensive array of threats to UCSF data and systems, and monitoring data can be crucial to detecting and containing attacks.

If you suspect a system has been compromised or is being attacked, report the incident immediately to:

UCSF IT Service Desk – Available 24/7

All lost or stolen computing devices (including smartphones, tablets, and external drives) must be immediately reported to the UCSF Police Department at:

Please take the Incident Response Quiz. Everyone who passes is entered in a drawing for one of six $50 Amazon gift cards.

Additional Information

UCSF Incident Investigation Procedures

UCOP Incident Response Standard

UCSF Security Incident Response & Investigation

UCSF 650-16 Addendum C - UCSF Incident Investigation

UCSF Best Practices for Application and Website Security

DHS See Something - Say Something