Response to a Compromised Computer with Sensitive Data

1. Disconnect the computing device from the network;

• Unplug the Ethernet cable from the computer or server.      
• Turn off wireless (Wi-Fi/Bluetooth) network connectivity via the operating system’s settings (as well as the hardware switch, if the device has one).

2. Do NOT turn off or shut down the computing device. Logging off or shutting down the computing device in question could remove crucial data in identifying the source of compromise.
3. Do NOT run anti-virus or anti-malware software. Running anti-malware software or attempting to conduct your own analysis may delete information needed to resolve the issue.
4. Contact the Office of Information Security (InfoSec) at (215) 898-2172 or security@isc.upenn.edu
5. Do NOT interact with the system unless instructed by InfoSec. Avoid modifying any system files or attempt to conduct your own analysis.
6. Make a list of sensitive data items stored or handled by the computing device. 
7. Preserve any system logs or backups stored externally and prevent overwriting or “rolling off.”

Note: If the system DOES NOT contain sensitive data, reimage system according to your organization's policies. No further action from this checklist is required.

• IT Staff – An individual who handles and/or manages servers and computing assets owned by Penn or connected to Penn’s network.
• Computing Assets– Penn’s network, computing devices and electronic university data
• Computing Device - Desktop, laptop, server, tablet or a printer connected to Penn’s network