Skip to site content

Incident Response

Incident Response

The IHS Cybersecurity Incident Response Team (CSIRT) coordinates responses to computer security incidents. The team also tracks security threats and recommends utilities and tools to protect computer systems and to find, eradicate, and recover from computer security incidents.

The CSIRT responds to all computer security incidents within IHS. When a suspicious event or incident is reported to the CSIRT, the team classifies the occurrence as an incident or event, investigates incidents, and notifies the Health and Human Services (HHS) Computer Security Incident Response Center of their findings.

What Should You Do About a Suspicious Event or Incident?

A suspicious event is an occurrence in an information system or an action by a person that might violate information security policies, privacy policies, or IHS Rules of Behavior (RoB) including events that could release personally identifiable information (PII) or protected health information (PHI).

If you become aware of a suspicious event or incident, you must immediately contact your site manager or local Information System Security Officer (ISSO) by email, phone, or in person. If you cannot reach your site manager or local ISSO, you can contact the IHS Cybersecurity Incident Response Team .

Spam and Phishing Messages

IHS employees often receive phishing and spam messages in email.

What should you do if you receive an email that you believe is phishing?

Report phishing emails by sending the original suspicious email as an attachment to the IHS Cybersecurity Incident Response Team. Next:

  • Delete the phishing email.
  • Do not respond to the phishing email.
  • Do not open any attachments in the phishing email.
  • Do not follow hyperlinks in the phishing email.
  • Contact the IHS Cybersecurity Incident Response Team if you think you have responded to, opened attachments of, or clicked on hyperlinks in a phishing email.

What should you do if you receive an email that you believe is spam?

If the email's subject is labeled "Potential Spam:" and it is in fact Spam, just delete it; reporting is generally unnecessary. However, you should report spam if it meets either of the following criteria:

  • An email is incorrectly labeled as Spam (false positive).
  • An email should be labeled as Spam but isn't (false negative).

If you receive an email that meets either of those criteria, please send it as an attachment to the IHS Cybersecurity Incident Response Team and they will review its contents.

Security Tools

To ensure your Government Furnished Equipment (GFE) has the most up-to-date security tools installed, please contact IT Support.

A bad computer node under a magnifying glass.

Useful References

  1. Area IT Service Desk
    Links to local IT support.
  2. Training Resources
    Documents, infographics, websites, and videos created by DIS to help users learn more about cybersecurity.
  3. ISSA Training Site
    A direct link to IHS's mandatory security training site.
  4. NIST Glossary Exit Disclaimer: You Are Leaving www.ihs.gov 
    A link to a glossary of terms from NIST's cybersecurity- and privacy-related publications.