Procedure in the event of an security incident

  1. Disconnect the computer from the network as soon as possible. Do not log in remotely or as administrator!
  2. Notifications
    1. Notification to IV security officer (see list of IV security officers [de])
    2. If the problem cannot be corrected or the IVV is not available: Notification to UniMS-CERT (see below)
  3. Clarify the cause of the incident.
  4. Change all passwords of the affected persons.
  5. Identify other possibly infected computers.
  6. Provide infected computers with a new operating system image. Reliable clean-up is often not possible.
  7. If necessary, restore data.
  8. Depending on the severity of the incident: Closing meeting. What can be improved?

IT Security Incident Reporting

Important Information

Please report any incident via email to

To report possible phishing or spam messages related to the university the special address can be used.

Incident reports should contain the following information to ensure fast investigation and remediation:

  • Incident date and time (including time zone)
  • Source IPs, ports and protocols (where applicable)
  • Destination IPs, ports and protocols (where applicable)
  • Incident description and further details

Preferable the report should also include related log files in a common format, e.g. Syslog or Common Event Format (CEF). When forwarding suspicious email messages, e.g. spam or phishing, please make sure to forward them as attachments so that all email headers are included.

In case of reporting discovered vulnerabilities we ask that common responsible disclosure guidelines will be followed:

  • No abuse of said vulnerability
  • End-to-end encryption when transmitting sensitive data
  • No disclosure of the vulnerability to other parties until the problem is resolve

All reports will be treated confidentially.

We sadly cannot offer any bounties or rewards for found and reported vulnerabilities.

Email Encryption

Emails containing sensitive data should be (endt-to-end) encrypted with one of the following methods:

Phone Inquiries

Inquiries via phone can only be answered to legitimate persons within University of Münster. Please contact the responsible CERT members or the Hotline (Tel. 31900). When inquiring via email, please use you university's email address and mention, if available, the UniMS-CERT case number. The UniMS-CERT's hours of operation are generally restricted to regular business hours (Mo-Fr 08:00-17:00, except holidays).