Network Security Incident Response Process

To better protect the security and stability of Emory's networked information resources, it is necessary to implement the following policy regarding central reporting and response to suspected network security incidents.

Network security incidents include, but are not limited to:

  1. Hacks and attempted hacks or other types of network intrusions

  2. Evidence of theft or compromise of data

  3. Evidence of port scanning

  4. Virus/worm events

  5. Spam that fraudulently misrepresents the identity or nature of the sender, such as phishing (i.e., fraudulent attempts to obtain personal information

All suspected security incidents should be reported to the IT Security Team via email to or by submitting an IT Support Request.

Security Incident Response Process

The IT Security Team is responsible for logging security incidents, initiating trouble tickets in ServiceNow, and coordinating response efforts with the IT Service Desk, Academic Technology Services, Residence Life, local support providers and system administrators.

The IT Security Team is also responsible for communications with and involvement of the General Counsel's Office as necessary or appropriate to the investigation of a security incident, which also may include coordination with local and federal law enforcement agencies.

For all network security incidents, the Security Team will coordinate the following steps:

  1. Verify that the report is not a duplicate by reviewing past incidents.

  2. Open a Remedy ticket, which will include the relevant portion of the original complaint and/or logs.

  3. Request that Library & Information Technology Services (LITS) disable any affected port and note the physical location (building, room number, slot/port, and MAC address) or the Security Team will block utilizing the Intrusion Prevention Service tool (IPS).

    IP addresses located in ResNet are to be disabled by blocking the IP address at the ResNet IPS.

  4. Users whose ports have been disabled must contact their local support provider or the IT Service Desk at 404-727-7777 regarding port status.

  5. The IT  Service Desk will check the disabled port page in Remedy and match the user to the ticket and assist with resolution of the security issue.

  6. Once the issue has been resolved (in some cases a complete reinstall of the operating system, installation of anti-virus software and/or updates, loading system patches and upgrades, etc. will be necessary), the local support provider will notify the IT  Service Desk and the Security Team to request that the port be re-enabled.

  7. Security will remove the IPS block, or notify LITS to re-enable the port.

  8. Ports will be re-enabled and Remedy tickets will be closed.

Unit Responsibilities Regarding Security Incident Response

IT Security Team

  1. Responsible for coordinating action and logging all security incidents.

  2. Serves as primary contact for all security incidents.

a. During regular business hours (8:00 am to 5:00 pm), contact should be via either phone (desk or cell) or email.

b. During off hours (5:00 pm to 8:00 am), contact should be made via cell phone in the following order:

  1. Alan White: phone (404-727-4956); cell (404-606-2394); email:

  2. Andy Efting: phone (404-712-2213); cell (404-606-2395); email:

  3. Christopher Camacho: phone (404-727-5423); email:

If all of these individuals are unreachable, the following party should be contacted:

Paul Petersen: phone (404-727-7686); cell (404-274-0643); email:

Technical Operations Center

  1. Responsible for gathering the MAC address and physical location (building, room number, and slot/port) of the offending machine in non-ResNet networks

  2. Responsible for disabling the port(s) and/or access of the user(s) involved in the incident in non-ResNet networks.

Should be contacted 24 hours a day by phone at 404-727-7667.

Local Support Providers/Academic Technology Services

1. Responsible for contacting the offending user(s) and cleaning the user's machine.
2. Responsible for notifying the Security Team that the machine has been cleaned and can be re-enabled.

General Counsel's Office

Contact: Steve Sencer; phone: 404-727-2016, email: