
Purpose

The purpose of this procedure is to provide IT staff at the University of Pennsylvania with recommended actions to take when a computing device with sensitive data is suspected to be compromised.   

Trigger & Steps to take

Trigger

This procedure is triggered when an IT staff member at Penn suspects that a computing device with sensitive data has been compromised. The IT staff member may:

  • Suspect unauthorized access to a computing device or an application.
  • Receive notification of a compromise or a suspected compromise.
  • Notice abnormal behavior of the computing device in question, e.g. too slow, crashes frequently.
  • Detect malware through anti-virus software running on a server.

Steps to Take

1. Disconnect the computing device from the network:

  • Unplug the Ethernet cable from the computer or server.      
  • Turn off wireless (Wi-Fi/Bluetooth) network connectivity via the operating system’s settings (as well as the hardware switch, if the device has one).

2. Do NOT turn off or shut down the computing device. Logging off or shutting down the computing device in question could remove data crucial to identifying the source of the compromise.

3. Do NOT run anti-virus or anti-malware software. Running anti-malware software or attempting to conduct your own analysis may delete information needed to resolve the issue.

4. Contact the Office of Information Security (InfoSec) at (215) 898-2172 or security@isc.upenn.edu

5. Do NOT interact with the system unless instructed by InfoSec. Avoid modifying any system files or attempting to conduct your own analysis.

6. Make a list of sensitive data items stored or handled by the computing device. 

7. Preserve any system logs or backups stored externally and prevent overwriting or “rolling off.”

Note: If the system DOES NOT contain sensitive data, reimage the system according to your organization's policies. No further action from this checklist is required.

Terms

  • IT Staff – An individual who handles and/or manages servers and computing assets owned by Penn or connected to Penn’s network.
  • Computing Assets – Penn’s network, computing devices and electronic university data.
  • Computing Device – Desktop, laptop, server, tablet or a printer connected to Penn’s network.