• Do not power anything off.
  • Do not remove anything from the network yet if at all possible.
  • Do not mess with any of the affected things if at all possible.
  • Before you do anything, Security needs to work towards understanding, containing, mitigating, and ultimately recovering the incident. Messing with the system can complicate or disrupt campus’ ability to do those things, so please take two steps back and breathe.


Call Cybersecurity Operations Center (CSOC) 24-hour critical response: (217) 265-0000 (option 3)

Other important security incident or event, or notification?

How do I know if I have a security incident?

Security Incident:

A security incident is defined as a compromise of a computer or other electronic system by malicious or unintended activity. Included in this definition is the unintentional disclosure of sensitive data to an unauthorized party. This could be a result of physical theft, deliberate attack, or accidental disclosure through system management errors.

Sensitive Data:

Sensitive data is an ever growing list of personal identifiers. Essentially, any data object (word, code, ID number, etc.) that can be used to identify a person or access any secure accounts can be considered sensitive data. Social Security numbers, credit card numbers, passwords, University ID numbers (UINs), and mother’s maiden names are typical examples of sensitive data. Some types of health and medical data, financial data, academic data, and employment data are also considered sensitive or confidential.

Who should contact Critical Incident Response? 

Anyone who uses computing equipment owned by the University of Illinois at Springfield (UIS) and/or anyone who uses computing equipment that contains or processes sensitive data stewarded by UIS.

What is their purpose?

Critical incident response is a function of the Cybersecurity Operations Center, whose goal is to mitigate critical risks and impacts to the university. It exists as a fundamental part of Security's charge, obligations, provisions, and directives presented to it under the University’s Information Security Policy, “Acceptable Use of Information Technology Resources”.

What timelines are standard?

  • Event triage within 24 hours of notice or detection.
  • Low severity events will be picked up no more than 96 hours from the time of triage.
  • Medium severity events will be picked up and worked no more than 48 hours from the time of triage.
  • High severity events will be picked up and worked no more than 4 hours from the time of triage.
  • Critical severity events will be picked up and worked no more than 1 hour from the time of triage.
  • Mitigation of critical events enacted on a prioritized “ASAP” premise.
  • As-needed emergent engagement with leadership enacted when administrative process is required due to standing requirements, commitments, laws, policies, or procedures.

Possible Impacts

Critical Event Response's main purpose is to mitigate and investigate critical cybersecurity conditions, incidents, and events. Since such events are commonly unplanned, this function can impact critical university operations adversely and without prior notice.