The E. Phillip Saunders College of Business (COB) Dean at Rochester Institute of Technology (RIT) discovers that his RIT-issued laptop has been stolen from his home. He notifies Dave Ballard, a member of the College of Business IT staff. Ballard, still acutely aware of two recent incidents in which laptops containing thousands of Social Security numbers were stolen from the RIT campus, hopes the Dean's laptop does not contain personally identifiable information. If so, the incident would need to be reported to the New York Attorney General's Office, and RIT would be required to pay for a credit monitoring service for individuals whose identity may have been compromised. The case provides an opportunity for students to examine processes that should be triggered when an information security incident occurs. The case describes incident response processes that were triggered at RIT and technologies that were used or could have been used by COB IT staff to track the laptop and protect its contents. In discussing the case, students can consider how the theft of a computing device exposes an organization to risks of inadvertent disclosure of information in different categories (such as private, confidential, internal, or public), and students can derive useful guidelines for effective information security incident response.
At the University of Oslo (UiO), CERT manager Margrete Raaum learned of a network attack on Titan, a high-performance computing cluster that supported research conducted by scientists at CERT and other research institutions across Europe. The case describes the incident response, investigation, and clarification of the information security events that took place. As soon as Raaum learned of the attack, she ordered that the system be disconnected from the Internet to contain the damage. Next, she launched an investigation, which over a few days pieced together logs from previous weeks to identify suspicious activity and locate the attack vector. Raaum hopes to soon return Titan to its prior safe condition. In order to do so, she must decide what tasks still need to be completed to validate the system and determine if it is safe to reconnect it to the Internet. She must also consider further steps to improve her team's ability to prevent, detect, and respond to similar incidents in the future. This case is designed for an undergraduate or graduate information security (infosec) class that includes students with varied technical and business backgrounds. The case supports discussion of technical and managerial infosec issues in interorganizational systems - a topic that is currently underrepresented in major case collections.